voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

Automatically convert encrypted values to Sensitive[T] #302

Open woky opened 3 years ago

woky commented 3 years ago

So I'm learning to use secrets and I stumbled upon https://blog.example42.com/2019/04/04/puppet_sensitive_data/ and https://puppet.com/blog/my-journey-securing-sensitive-data-puppet-code/. Both blogs run into an error when they declare a class parameter as Sensitive[String] $foo and receive a String, and solve it by manually converting data types for each value that's deemed sensitive in YAML like this:

lookup_options:
  profile::db::password:
    convert_to: "Sensitive"

Couldn't hiera-eyaml do it automatically for all encrypted types?

I guess to not break backward compatibility this would have to be an opt-in in hiera.yaml, e.g.:

defaults:
  lookup_key: eyaml_lookup_key
  options:
    eyaml_convert_to_sensitive: true
    pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
    pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem

woky commented 3 years ago

I assume that this project is for editing EYAML while Puppet itself decrypts them so it's more of a request to change eyaml_lookup_key.rb.
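
As an added illustration (not code from hiera-eyaml or from the commenter) of what the proposed opt-in would do inside a lookup_key function: the looked-up value is walked the way eyaml_lookup_key.rb walks hashes, arrays and scalars, only strings carrying the ENC[...] marker are decrypted, and with the flag set those come back wrapped, so no per-key lookup_options/convert_to entry is needed. The Sensitive class, decrypt_blob (Base64 standing in for PKCS7) and the hieradata are stand-ins constructed for the example; the option name eyaml_convert_to_sensitive is the one proposed above.

```ruby
require 'yaml'
require 'base64'

# Stand-in for Puppet's Sensitive[T]: holds the value but redacts it when
# printed or inspected, as the real type does.
class Sensitive
  attr_reader :unwrap
  def initialize(value); @unwrap = value; end
  def to_s; 'Sensitive [value redacted]'; end
  alias inspect to_s
end

ENC_PATTERN = /\AENC\[(?<cipher>[A-Z0-9]+),(?<blob>[^\]]+)\]\z/

# PLACEHOLDER decrypter: a real lookup_key function hands the blob to the
# hiera-eyaml PKCS7 plugin. Base64 is used only so this runs offline.
def decrypt_blob(blob)
  Base64.strict_decode64(blob.delete("\n "))
end

# Walk the looked-up value as eyaml_lookup_key.rb does (hash, array, scalar).
# Only ENC[...] strings are decrypted; with the proposed option set they are
# also wrapped in Sensitive. Plain values pass through untouched.
def decrypt_value(value, options)
  case value
  when Hash  then value.transform_values { |v| decrypt_value(v, options) }
  when Array then value.map { |v| decrypt_value(v, options) }
  when String
    m = ENC_PATTERN.match(value)
    return value unless m
    plain = decrypt_blob(m[:blob])
    options['eyaml_convert_to_sensitive'] ? Sensitive.new(plain) : plain
  else value
  end
end

# Constructed hieradata: an encrypted scalar, a plain scalar, a mixed array.
HIERADATA = YAML.safe_load(<<~YAML)
  profile::db::password: ENC[PKCS7,#{Base64.strict_encode64('s3cr3t')}]
  profile::db::user: app
  profile::db::replicas:
    - ENC[PKCS7,#{Base64.strict_encode64('r3pl1ca')}]
    - public-host
YAML

# Entry point mirroring a lookup for one key with the hiera.yaml options.
def lookup(key, options = { 'eyaml_convert_to_sensitive' => true })
  decrypt_value(HIERADATA[key], options)
end
```

With the flag off, lookup returns the plain decrypted string exactly as today, which is what keeps the change backward compatible.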

iscb1962 commented 1 year ago

Is this something that's likely to be done at some point? I'm seeing more modules expecting sensitive strings and TBH it's a PITA having to add lookup_options for each piece of hieradata.

bastelfreak commented 1 year ago

I am happy to review such a PR. Would you be interested in providing one?

iscb1962 commented 1 year ago

I'm afraid it's probably beyond my skills to do so.