nonsensitive -> sensitive

Author: sourcehawk

examples/docker-init/main.tf

@@ -71,7 +71,7 @@ resource "null_resource" "postgres_docker" {
       "PG_DATABASE" = local.maintenance_database
       "PG_PORT"     = local.database_port
       # If you declare it here, it will be stored in the state file, you can move it inside the template to prevent that.
-      "PG_PASSWORD" = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.user_credentials.secret_string)["password"])
+      "PG_PASSWORD" = sensitive(jsondecode(data.aws_secretsmanager_secret_version.user_credentials.secret_string)["password"])
     }
     quiet   = true
     command = <<EOT

modules/credentials/database/_variables.tf

@@ -78,5 +78,5 @@ variable "engine" {
 
 locals {
   id                = var.id == null ? "master" : var.id
-  database_password = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.user.secret_string)["password"])
+  database_password = sensitive(jsondecode(data.aws_secretsmanager_secret_version.user.secret_string)["password"])
 }

modules/credentials/user/_variables.tf

@@ -83,5 +83,5 @@ variable "regenerate_password" {
 
 locals {
   id                = var.id == null ? "master" : var.id
-  password_supplied = nonsensitive(var.password == null ? "false" : "true")
+  password_supplied = sensitive(var.password == null ? "false" : "true")
 }

modules/credentials/user/main.tf

@@ -21,7 +21,7 @@ resource "null_resource" "user_credentials" {
     if [ "${local.password_supplied}" = "false" ]; then
       PASSWORD=$(openssl rand -base64 256 | tr -dc 'A-Za-z0-9_!@#' | head -c 16)
     else
-      PASSWORD='${nonsensitive(var.password == null ? "" : var.password)}'
+      PASSWORD='${sensitive(var.password == null ? "" : var.password)}'
     fi
 
     if [ "$SECRET_EXISTS" = "not-found" ]; then

modules/postgres_init/modules/database/_data.tf

@@ -1,10 +1,10 @@
 data "aws_secretsmanager_secret" "superuser" {
-  count = nonsensitive(var.conn.password) == null ? 1 : 0
+  count = sensitive(var.conn.password) == null ? 1 : 0
   name  = "${var.conn.environment}/database-server/${var.conn.server_name}/user/master"
 }
 
 data "aws_secretsmanager_secret_version" "superuser" {
-  count         = nonsensitive(var.conn.password) == null ? 1 : 0
+  count         = sensitive(var.conn.password) == null ? 1 : 0
   secret_id     = data.aws_secretsmanager_secret.superuser[0].id
   version_stage = "AWSCURRENT"
 }

modules/postgres_init/modules/database/_variables.tf

@@ -69,8 +69,8 @@ locals {
   owner_name     = jsondecode(data.aws_secretsmanager_secret_version.owner.secret_string)["username"]
   extensions_map = { for ext in var.extensions : "${ext.name}@${ext.schema}" => ext }
   schemas_map    = { for schema in var.schemas : schema => schema }
-  pg_password = (nonsensitive(var.conn.password) == null
-    ? nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.superuser[0].secret_string)["password"])
-    : nonsensitive(var.conn.password)
+  pg_password = (sensitive(var.conn.password) == null
+    ? sensitive(jsondecode(data.aws_secretsmanager_secret_version.superuser[0].secret_string)["password"])
+    : sensitive(var.conn.password)
   )
 }

modules/postgres_init/modules/database/main.tf

@@ -30,7 +30,7 @@ resource "null_resource" "create_database" {
     }
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     export DATABASE_NAME="${var.name}"
     export DATABASE_OWNER="${local.owner_name}"
     chmod +x ${path.module}/sql/create_database.sh
@@ -55,7 +55,7 @@ resource "null_resource" "rename_database" {
     }
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     if [ "${var.old_name == null ? "" : var.old_name}" = "" ]; then
       echo "Detected change in database name but old_name was not provided. Skipping database renaming."
       exit 0
@@ -92,7 +92,7 @@ resource "null_resource" "create_schema" {
     }
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     psql \
     -v ON_ERROR_STOP=1 \
     -v schema_name="${each.value}" \
@@ -121,7 +121,7 @@ resource "null_resource" "create_extension" {
     }
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     psql \
     -v ON_ERROR_STOP=1 \
     -v schema_name="${each.value.schema}" \

modules/postgres_init/modules/script/_variables.tf

@@ -83,16 +83,16 @@ variable "rerun_on_user_change" {
 }
 
 locals {
-  must_retrieve_user     = !(var.user_id == "master" && nonsensitive(var.conn.password) != null)
-  must_retrieve_database = !(var.database_id == "master" && nonsensitive(var.conn.password) != null)
+  must_retrieve_user     = !(var.user_id == "master" && sensitive(var.conn.password) != null)
+  must_retrieve_database = !(var.database_id == "master" && sensitive(var.conn.password) != null)
 }
 
 locals {
   secrets = {
     for k, v in var.secrets : k => (
       lookup(v, "key", null) == null
-      ? nonsensitive(data.aws_secretsmanager_secret_version.secrets[k].secret_string)
-      : nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.secrets[k].secret_string)[v.key])
+      ? sensitive(data.aws_secretsmanager_secret_version.secrets[k].secret_string)
+      : sensitive(jsondecode(data.aws_secretsmanager_secret_version.secrets[k].secret_string)[v.key])
     )
   }
   pg_user = (
@@ -102,8 +102,8 @@ locals {
   )
   pg_password = (
     local.must_retrieve_user
-    ? nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.user[0].secret_string)["password"])
-    : nonsensitive(var.conn.password)
+    ? sensitive(jsondecode(data.aws_secretsmanager_secret_version.user[0].secret_string)["password"])
+    : sensitive(var.conn.password)
   )
   pg_database = (
     local.must_retrieve_database
@@ -114,8 +114,8 @@ locals {
 
 locals {
   user_change = (
-    nonsensitive(var.conn.password) == null
+    sensitive(var.conn.password) == null
     ? data.aws_secretsmanager_secret_version.user[0].version_id
-    : sha256("${local.pg_user}-${sha256(nonsensitive(var.conn.password))}")
+    : sha256("${local.pg_user}-${sha256(sensitive(var.conn.password))}")
   )
 }

modules/postgres_init/modules/script/main.tf

@@ -19,7 +19,7 @@ resource "null_resource" "shell_script" {
     })
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     chmod +x ${var.script}
     ${var.script}
     EOT
@@ -46,7 +46,7 @@ resource "null_resource" "sql_script" {
     }
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     psql \
     -v ON_ERROR_STOP=1 \
     %{~for v in keys(var.variables)~}

modules/postgres_init/modules/user/_data.tf

@@ -1,10 +1,10 @@
 data "aws_secretsmanager_secret" "superuser" {
-  count = nonsensitive(var.conn.password) == null ? 1 : 0
+  count = sensitive(var.conn.password) == null ? 1 : 0
   name  = "${var.conn.environment}/database-server/${var.conn.server_name}/user/master"
 }
 
 data "aws_secretsmanager_secret_version" "superuser" {
-  count         = nonsensitive(var.conn.password) == null ? 1 : 0
+  count         = sensitive(var.conn.password) == null ? 1 : 0
   secret_id     = data.aws_secretsmanager_secret.superuser[0].id
   version_stage = "AWSCURRENT"
 }

modules/postgres_init/modules/user/_variables.tf

@@ -64,12 +64,12 @@ variable "regenerate_password" {
 }
 
 locals {
-  pg_password = (nonsensitive(var.conn.password) == null
-    ? nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.superuser[0].secret_string)["password"])
-    : nonsensitive(var.conn.password)
+  pg_password = (sensitive(var.conn.password) == null
+    ? sensitive(jsondecode(data.aws_secretsmanager_secret_version.superuser[0].secret_string)["password"])
+    : sensitive(var.conn.password)
   )
   user_password = (var.password == null
-    ? nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.user.secret_string)["password"])
+    ? sensitive(jsondecode(data.aws_secretsmanager_secret_version.user.secret_string)["password"])
     : var.password
   )
 }

modules/postgres_init/modules/user/main.tf

@@ -32,7 +32,7 @@ resource "null_resource" "update_username" {
       echo "Detected change in username but old_name was not provided. Skipping user renaming."
       exit 0
     fi
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     export NEW_USERNAME=${var.name}
     export OLD_USERNAME=${var.old_name == null ? "" : var.old_name}
     if [ "$NEW_USERNAME" = "$OLD_USERNAME" ]; then
@@ -64,9 +64,9 @@ resource "null_resource" "create_user_or_update_password" {
     }
     command = <<EOT
     set -e
-    export PGPASSWORD='${nonsensitive(local.pg_password)}'
+    export PGPASSWORD='${sensitive(local.pg_password)}'
     export USERNAME=${var.name}
-    export PASSWORD='${nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.user.secret_string)["password"])}'
+    export PASSWORD='${sensitive(jsondecode(data.aws_secretsmanager_secret_version.user.secret_string)["password"])}'
     chmod +x ${path.module}/sql/create_user.sh
     ${path.module}/sql/create_user.sh
     EOT

modules/postgres_rds/_variables.tf

@@ -189,7 +189,7 @@ locals {
   ]
   master_password = (
     var.existing_user_credentials == null
-    ? nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.master.secret_string)["password"])
+    ? sensitive(jsondecode(data.aws_secretsmanager_secret_version.master.secret_string)["password"])
     : var.existing_user_credentials.password
   )
 }

modules/postgres_rds/main.tf

@@ -289,7 +289,7 @@ resource "null_resource" "update_master_password" {
 
     wait_for_available ${aws_db_instance.this.identifier}
 
-    export PGPASSWORD='${nonsensitive(local.master_password)}'
+    export PGPASSWORD='${sensitive(local.master_password)}'
 
     # Wait for the password change to take effect
     attempts=0