From 6e2ac8934a86f50e61a40148e7c0dd063d0192d9 Mon Sep 17 00:00:00 2001
From: Jiri Tyr <jiri.tyr@gmail.com>
Date: Fri, 8 Apr 2022 15:43:01 +0200
Subject: [PATCH] Support sensitive output

---
 api/v1alpha1/workspace_types.go                   |  3 +++
 config/crd/bases/app.terraform.io_workspaces.yaml |  3 +++
 workspacehelper/terraform.go                      |  1 +
 workspacehelper/terraform_test.go                 | 11 +++++++++++
 workspacehelper/tfc_output.go                     | 14 ++++++--------
 5 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/api/v1alpha1/workspace_types.go b/api/v1alpha1/workspace_types.go
index 6fbc6aad..a706e64e 100644
--- a/api/v1alpha1/workspace_types.go
+++ b/api/v1alpha1/workspace_types.go
@@ -40,6 +40,9 @@ type OutputSpec struct {
 	// Attribute name in module
 	// +optional
 	ModuleOutputName string `json:"moduleOutputName"`
+	// Sensitive value
+	// +optional
+	Sensitive bool `json:"sensitive,omitempty"`
 }
 
 // OutputStatus outputs the values of Terraform output
diff --git a/config/crd/bases/app.terraform.io_workspaces.yaml b/config/crd/bases/app.terraform.io_workspaces.yaml
index 67e2c741..93a5423f 100644
--- a/config/crd/bases/app.terraform.io_workspaces.yaml
+++ b/config/crd/bases/app.terraform.io_workspaces.yaml
@@ -125,6 +125,9 @@ spec:
                     moduleOutputName:
                       description: Attribute name in module
                       type: string
+                    sensitive:
+                      description: Sensitive value
+                      type: boolean
                   type: object
                 type: array
               runTriggers:
diff --git a/workspacehelper/terraform.go b/workspacehelper/terraform.go
index 2e9defa0..d02128dd 100644
--- a/workspacehelper/terraform.go
+++ b/workspacehelper/terraform.go
@@ -33,6 +33,7 @@ func CreateTerraformTemplate(workspace *v1alpha1.Workspace) ([]byte, error) {
 	{{- range .Spec.Outputs}}
 	output "{{.Key}}" {
 		value = module.operator.{{.ModuleOutputName}}
+		sensitive = {{.Sensitive}}
 	}
 	{{- end}}
 	module "operator" {
diff --git a/workspacehelper/terraform_test.go b/workspacehelper/terraform_test.go
index f67254ac..a9e68277 100644
--- a/workspacehelper/terraform_test.go
+++ b/workspacehelper/terraform_test.go
@@ -145,9 +145,15 @@ func TestShouldCreateTerraformWithOutputs(t *testing.T) {
 	}
 	output "module_output" {
 		value = module.operator.my_output
+		sensitive = false
 	}
 	output "ip" {
 		value = module.operator.ip_address
+		sensitive = false
+	}
+	output "password" {
+		value = module.operator.my_password
+		sensitive = true
 	}
 	module "operator" {
 		source = "my_source"
@@ -174,6 +180,11 @@ func TestShouldCreateTerraformWithOutputs(t *testing.T) {
 					Key:              "ip",
 					ModuleOutputName: "ip_address",
 				},
+				{
+					Key:              "password",
+					ModuleOutputName: "my_password",
+					Sensitive:        true,
+				},
 			},
 		},
 	}
diff --git a/workspacehelper/tfc_output.go b/workspacehelper/tfc_output.go
index f6418e73..381fb9cf 100644
--- a/workspacehelper/tfc_output.go
+++ b/workspacehelper/tfc_output.go
@@ -151,14 +151,12 @@ func (t *TerraformCloudClient) GetOutputsFromState(stateDownloadURL string) ([]*
 	outputValues := file.State.Modules[""].OutputValues
 	outputs := []*v1alpha1.OutputStatus{}
 	for key, value := range outputValues {
-		if !value.Sensitive {
-			if err != nil {
-				return outputs, fmt.Errorf("output value could not be converted to string, Error, %v", err)
-			}
-			statusValue := convertValueToString(value.Value)
-			if statusValue != "" {
-				outputs = append(outputs, &v1alpha1.OutputStatus{Key: key, Value: statusValue})
-			}
+		if err != nil {
+			return outputs, fmt.Errorf("output value could not be converted to string, Error, %v", err)
+		}
+		statusValue := convertValueToString(value.Value)
+		if statusValue != "" {
+			outputs = append(outputs, &v1alpha1.OutputStatus{Key: key, Value: statusValue})
 		}
 	}
 	return outputs, nil