sensitive property not passed down from top level resources

[JOSEPHBODNAR]

Cookbook version

2.1.7

Chef-client version

12.18.31

Platform Details

Suse12sp2

Scenario:

We are trying to hide the display of sensitive data (e.g. Ldap Passwords) from the chef-client run logs. We have set the 'sensitive' property to 'true' on the chef_server, chef_automate, chef_supermarket, and workflow_builder resources, but this property value is not being propagated to lower-level resources (e.g. chef_ingredient, ingredient_config) and the resulting config files are being fully displayed. From the code, it looks like ingredient_config is written to accept a value that would have been passed and would honor it when rendering the config file. In addition several generated sensitive files (e.g. delivery.pem, validation.pem, builder_key) are also fully displayed.

Steps to Reproduce:

Add the property (and value) "sensitive true" when defining any of chef_server, chef_automate, chef_supermarket, or workflow_builder resources.

Expected Result:

The resulting config file (e.g. chef-server.rb, automate.rb) is not displayed in the chef-client output run.

Actual Result:

The resulting config file (including all sensitive data) is fully displayed in the chef-client output.

[wrightp]

@JOSEPHBODNAR Would you mind submitting a PR to fix the issue? That would expedite the resolution. Thanks!

[tas50]

I’m adding the Type: Jump In GitHub label to this issue. This is a great issue for someone to get their feet wet with and we’d love a PR to resolves the issue.

[wrightp]

This issue is in active development. It's a 2-part change. There is certainly an issue propagating the sensitive property to chef_ingredient/ingredient_config. The other issue is that the file and chef_file resources within the "stack" resources need to be configured to accept the sensitive property as well.

[wrightp]

merged