On Wed, Sep 9, 2020 at 6:17 AM 'Dirk Heinrichs' via Puppet Users <
[email protected]> wrote:

> Hi,
>
> tried to use the "Sensitive" data type for the first time (with Puppet
> 6.18.0), but it doesn't work as expected (found and followed several
> tutorials on the net, see links below), also using the "lookup_options"
> method to ensure the Hiera-provided value is indeed converted to sensitive.
>
> Here's my sample code (Hiera files omitted):
>
> class test (Sensitive $foo) {
>   file {'/tmp/foo':
>     content => "${foo}\n",
>   }
> }
>
> When I run this, I get:
>
> Notice: /Stage[main]/Test/File[/tmp/foo]/content:
> --- /tmp/foo    2020-09-09 07:53:40.166807782 +0200
> +++ /tmp/puppet-file20200909-18841-zq93gr       2020-09-09
> 14:55:05.569695841 +0200
> @@ -1 +1 @@
> -bar
> +Sensitive [value redacted]
>
> Notice: /Stage[main]/Test/File[/tmp/foo]/content: content changed
> '{md5}fc552...' to '{md5}48a07...'
>
> and then the file indeed looks like this:
>
> # cat /tmp/foo
> Sensitive [value redacted]
>
> instead of containing the real value provided in Hiera.
>
> Any ideas?
>
> Thanks...
>
> Dirk
>
> https://blog.example42.com/2019/04/04/puppet_sensitive_data/
> https://www.puppetcookbook.com/posts/hide-sensitive-values.html
> https://puppet.com/blog/my-journey-securing-sensitive-data-puppet-code/
> --
> *Dirk Heinrichs*
> Senior Systems Engineer, Delivery Pipeline
> OpenText ™ Discovery | Recommind

The issue you're running into is due to the sensitive value being
interpolated:

content => "${foo}\n"

If you reference the Sensitive variable directly, then it will work as
expected:

content => $foo

This issue and some possible solutions have been discussed in
https://tickets.puppetlabs.com/browse/PUP-10092. For example, Henrik
suggested a `rewrap` function
https://tickets.puppetlabs.com/browse/PUP-10093.

Josh

-- 
Josh Cooper | Software Engineer
[email protected]
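
The interpolation problem described in this thread, with one way to keep the trailing newline, as an added example that is not part of the original messages and is not code from Puppet itself. It reuses the `test` class and `/tmp/foo` path from the question; the Hiera data in the comments, the `Sensitive[String]` type and the `0600` mode are assumptions.

```puppet
# Assumed Hiera data (the original post omitted its Hiera files):
#
#   lookup_options:
#     test::foo:
#       convert_to: "Sensitive"
#   test::foo: "bar"

class test (Sensitive[String] $foo) {
  # "${foo}\n" stringifies the Sensitive wrapper itself, which is why the
  # file ended up containing "Sensitive [value redacted]".
  #
  # To append text, unwrap the value inside the string and wrap the
  # finished string again. The file resource then still receives a
  # Sensitive, so the content stays redacted in diffs, logs and reports.
  $content = Sensitive("${unwrap($foo)}\n")

  file { '/tmp/foo':
    ensure  => file,
    mode    => '0600',   # assumption: restrict access to the secret on disk
    content => $content,
  }
}
```

Passing the unwrapped string to `content` without wrapping it again would write the right file, but the secret would then appear in the agent's diff output and reports.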
