dbt-labs · emmyoop · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024
@@ -0,0 +1,6 @@
+kind: Under the Hood
+body: Remove the final underscore from secret environment variable constants.
+time: 2024-04-26T09:02:22.481158-05:00
+custom:
+  Author: emmyoop
+  Issue: "10052"
@@ -1,4 +1,4 @@
-SECRET_ENV_PREFIX = "DBT_ENV_SECRET_"
+SECRET_ENV_PREFIX = "DBT_ENV_SECRET"
 DEFAULT_ENV_PLACEHOLDER = "DBT_DEFAULT_PLACEHOLDER"
 METADATA_ENV_PREFIX = "DBT_ENV_CUSTOM_ENV_"
 

@@ -21,7 +21,7 @@ def env_var(self, var: str, default: Optional[str] = None) -> str:
 
         If the default is None, raise an exception for an undefined variable.
 
-        In this context *only*, env_var will accept env vars prefixed with DBT_ENV_SECRET_.
+        In this context *only*, env_var will accept env vars prefixed with DBT_ENV_SECRET.
         It will return the name of the secret env var, wrapped in 'start' and 'end' identifiers.
         The actual value will be subbed in later in SecretRenderer.render_value()
         """

@@ -55,13 +55,13 @@ def setup(self):
         os.environ["DBT_TEST_ENV_VAR"] = "1"
         os.environ["DBT_TEST_USER"] = "root"
         os.environ["DBT_TEST_PASS"] = "password"
-        os.environ[SECRET_ENV_PREFIX + "SECRET"] = "secret_variable"
+        os.environ[SECRET_ENV_PREFIX + "_SECRET"] = "secret_variable"
         os.environ["DBT_TEST_NOT_SECRET"] = "regular_variable"
         os.environ["DBT_TEST_IGNORE_DEFAULT"] = "ignored_default"
         yield
         del os.environ["DBT_TEST_ENV_VAR"]
         del os.environ["DBT_TEST_USER"]
-        del os.environ[SECRET_ENV_PREFIX + "SECRET"]
+        del os.environ[SECRET_ENV_PREFIX + "_SECRET"]
         del os.environ["DBT_TEST_NOT_SECRET"]
         del os.environ["DBT_TEST_IGNORE_DEFAULT"]
 

@@ -73,15 +73,15 @@ def test_disallow_secret(self, project):
 class TestAllowSecretProfilePackage(FirstDependencyProject):
     @pytest.fixture(scope="class", autouse=True)
     def setup(self):
-        os.environ[SECRET_ENV_PREFIX + "USER"] = "root"
-        os.environ[SECRET_ENV_PREFIX + "PASS"] = "password"
-        os.environ[SECRET_ENV_PREFIX + "PACKAGE"] = "first_dependency"
-        os.environ[SECRET_ENV_PREFIX + "GIT_TOKEN"] = "abc123"
+        os.environ[SECRET_ENV_PREFIX + "_USER"] = "root"
+        os.environ[SECRET_ENV_PREFIX + "_PASS"] = "password"
+        os.environ[SECRET_ENV_PREFIX + "_PACKAGE"] = "first_dependency"
+        os.environ[SECRET_ENV_PREFIX + "_GIT_TOKEN"] = "abc123"
         yield
-        del os.environ[SECRET_ENV_PREFIX + "USER"]
-        del os.environ[SECRET_ENV_PREFIX + "PASS"]
-        del os.environ[SECRET_ENV_PREFIX + "PACKAGE"]
-        del os.environ[SECRET_ENV_PREFIX + "GIT_TOKEN"]
+        del os.environ[SECRET_ENV_PREFIX + "_USER"]
+        del os.environ[SECRET_ENV_PREFIX + "_PASS"]
+        del os.environ[SECRET_ENV_PREFIX + "_PACKAGE"]
+        del os.environ[SECRET_ENV_PREFIX + "_GIT_TOKEN"]
 
     @pytest.fixture(scope="class")
     def models(self):
@@ -137,7 +137,7 @@ def test_allow_secrets(self, project, first_dependency):
 class TestCloneFailSecretScrubbed:
     @pytest.fixture(scope="class", autouse=True)
     def setup(self):
-        os.environ[SECRET_ENV_PREFIX + "GIT_TOKEN"] = "abc123"
+        os.environ[SECRET_ENV_PREFIX + "_GIT_TOKEN"] = "abc123"
 
     @pytest.fixture(scope="class")
     def models(self):

@@ -358,7 +358,7 @@ def dbt_profile_target(self):
 
         # user is secret and password is not. postgres on macos doesn't care if the password
         # changes so we have to change the user. related: https://github.com/dbt-labs/dbt-core/pull/4250
-        os.environ[SECRET_ENV_PREFIX + "USER"] = "root"
+        os.environ[SECRET_ENV_PREFIX + "_USER"] = "root"
         os.environ["ENV_VAR_PASS"] = "password"
         return {
             "type": "postgres",
@@ -373,15 +373,15 @@ def dbt_profile_target(self):
     def test_profile_secret_env_vars(self, project):
 
         # Initial run
-        os.environ[SECRET_ENV_PREFIX + "USER"] = "root"
+        os.environ[SECRET_ENV_PREFIX + "_USER"] = "root"
         os.environ["ENV_VAR_PASS"] = "password"
 
         results = run_dbt(["run"])
         manifest = get_manifest(project.project_root)
         env_vars_checksum = manifest.state_check.profile_env_vars_hash.checksum
 
         # Change a secret var, it shouldn't register because we shouldn't save secrets.
-        os.environ[SECRET_ENV_PREFIX + "USER"] = "fake_user"
+        os.environ[SECRET_ENV_PREFIX + "_USER"] = "fake_user"
         # we just want to see if the manifest has included
         # the secret in the hash of environment variables.
         (results, log_output) = run_dbt_and_capture(["run"], expect_pass=True)