From 9613047e2bcb4d2d78eddc7de99f193a811a07e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Tue, 27 Jan 2026 09:18:43 -1000
Subject: [PATCH] Redact sensitive content
Under the hood, a `concat` resource build a `file` resource with its content set to the concatenation of the contents of the corresponding `concat::fragment`. While each `concat::fragment` allow to pass value to its `content` parameter as a Sensitive, this information is not propagated to the built `file` resource, resulting in a diff being displayed when content of the file is updated. In order to avoid logging sesitive information, check if any of the fragments' content is sensitive, and if so make the content of the built file resource sensitive too.
---
 lib/puppet/type/concat_file.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/puppet/type/concat_file.rb b/lib/puppet/type/concat_file.rb
index ddde4f01..e649796f 100644
--- a/lib/puppet/type/concat_file.rb
+++ b/lib/puppet/type/concat_file.rb
@@ -208,10 +208,12 @@ def should_content
 return @generated_content if @generated_content
 @generated_content = ''
+ @has_sensitive_content_fragments = false
 content_fragments = []
 fragments.each do |r|
 content_fragments << ["#{r[:order]}___#{r[:name]}", fragment_content(r)]
+ @has_sensitive_content_fragments ||= r.parameters[:content]&.sensitive
 end
 sorted = if self[:order] == :numeric
@@ -354,6 +356,7 @@ def eval_generate
 content = should_content
 catalog.resource("File[#{self[:path]}]")[:content] = content unless content.nil?
+ catalog.resource("File[#{self[:path]}]").parameters[:content].sensitive = @has_sensitive_content_fragments
 catalog.resource("File[#{self[:path]}]")[:ensure] = :absent if !self[:create_empty_file] && (content.nil? || content.empty?)
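Review bot: The flag added in should_content starts as `false` but is not kept boolean: `r.parameters[:content]&.sensitive` yields `nil` for a fragment that carries no `content` parameter (for example one populated through `source`), and `false ||= nil` then leaves `@has_sensitive_content_fragments` as `nil`, so the loop should read `@has_sensitive_content_fragments ||= r.parameters[:content]&.sensitive || false`. Its consumer in the eval_generate hunk assigns the flag unconditionally to `catalog.resource("File[#{self[:path]}]").parameters[:content].sensitive`, whereas the `[:content] =` assignment directly above it is skipped when `content.nil?`; if the File resource then has no `:content` parameter, `parameters[:content]` is `nil` and that line raises `NoMethodError` instead of simply leaving nothing to redact — worth confirming against how Puppet populates `parameters` for an unset property. Placing the new line under the same guard, `... .parameters[:content].sensitive = @has_sensitive_content_fragments unless content.nil?`, keeps the redaction without the crash. The flag is only computed on the first call of should_content because the early return on `@generated_content` precedes the reset, which is fine as long as the two methods keep their current call order. Both enclosing methods begin in the hunk headers and end outside the hunks.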