On Wed, Sep 9, 2020 at 6:17 AM 'Dirk Heinrichs' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> Hi,
>
> tried to use the "Sensitive" data type for the first time (with Puppet
> 6.18.0), but it doesn't work as expected (found and followed several
> tutorials on the net, see links below), also using the "lookup_options"
> method to ensure the Hiera-provided value is indeed converted to sensitive.
>
> Here's my sample code (Hiera files omitted):
>
> class test (Sensitive $foo) {
>   file {'/tmp/foo':
>     content => "${foo}\n",
>   }
> }
>
> When I run this, I get:
>
> Notice: /Stage[main]/Test/File[/tmp/foo]/content:
> --- /tmp/foo    2020-09-09 07:53:40.166807782 +0200
> +++ /tmp/puppet-file20200909-18841-zq93gr       2020-09-09
> 14:55:05.569695841 +0200
> @@ -1 +1 @@
> -bar
> +Sensitive [value redacted]
>
> Notice: /Stage[main]/Test/File[/tmp/foo]/content: content changed
> '{md5}fc552...' to '{md5}48a07...'
>
> and then the file indeed looks like this:
>
> # cat /tmp/foo
> Sensitive [value redacted]
>
> instead of containing the real value provided in Hiera.
>
> Any ideas?
>
> Thanks...
>
> Dirk
>
> https://blog.example42.com/2019/04/04/puppet_sensitive_data/
> https://www.puppetcookbook.com/posts/hide-sensitive-values.html
> https://puppet.com/blog/my-journey-securing-sensitive-data-puppet-code/
> --
> *Dirk Heinrichs*
> Senior Systems Engineer, Delivery Pipeline
> OpenText ™ Discovery | Recommind
> *Phone*: +49 2226 15966 18
> *Email*: dhein...@opentext.com
> *Website*: www.recommind.de
> Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/b8b44d0a3859790edae6d420ab256d629df227a1.camel%40opentext.com
> <https://groups.google.com/d/msgid/puppet-users/b8b44d0a3859790edae6d420ab256d629df227a1.camel%40opentext.com?utm_medium=email&utm_source=footer>
> .
>

The issue you're running into is due to the sensitive value being
interpolated:

content => "${foo}\n"

If you reference the Sensitive variable directly, then it will work as
expected:

content => $foo

This issue and some possible solutions have been discussed in
https://tickets.puppetlabs.com/browse/PUP-10092. For example, Henrik
suggested a `rewrap` function
https://tickets.puppetlabs.com/browse/PUP-10093.

Josh

-- 
Josh Cooper | Software Engineer
j...@puppet.com
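
The behaviour described in the reply above, as an added example (not code from the thread or from the Puppet project). It assumes Hiera supplies `test::foo`; the second file path and the file modes are illustrative. It shows the interpolated form that produces the placeholder, the direct reference, and an unwrap-then-rewrap form for cases where the secret has to be combined with other text.

```puppet
# Added example. Assumes Hiera converts the value before it reaches the class:
#   lookup_options:
#     test::foo:
#       convert_to: 'Sensitive'
class test (Sensitive[String] $foo) {

  # Form from the original post: interpolating the Sensitive object
  # stringifies the wrapper, not the secret, so the file would contain
  # the literal text "Sensitive [value redacted]".
  #   content => "${foo}\n",

  # Direct reference: the real value is written to the file and the
  # property stays redacted in logs and reports.
  file { '/tmp/foo':
    ensure  => file,
    mode    => '0600',
    content => $foo,
  }

  # When the secret must be combined with other text (here the trailing
  # newline), unwrap it inside the string and wrap the result again so
  # the combined value is still Sensitive when it reaches the resource.
  file { '/tmp/foo_with_newline':   # illustrative path
    ensure  => file,
    mode    => '0600',
    content => Sensitive("${foo.unwrap}\n"),
  }

  # Unwrapping without rewrapping, e.g.
  #   content => "${foo.unwrap}\n",
  # yields a plain String: the file is correct, but the secret is no
  # longer redacted in diffs, logs and reports.
}
```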
