Sensitive types in the Puppet language are strings marked as sensitive. The value is displayed in plain text in the catalog and manifest, but is redacted from logs and reports. Because the value is maintained as plain text, you should only use it as an aid to ensure that sensitive values are not inadvertently disclosed.
Sensitive type can be written as
Sensitive.new(val), or the short form
Sensitivetype is parameterized, but the parameterized type (the type of the value it contains) only retains the basic type. Sensitive information about the length or details about the contained data value can otherwise be leaked.
It is therefore not possible to have detailed data types and expect that the data type match. For example,
Sensitive[Enum[red, blue, green]] fails if a value of
Sensitive('red') is given. When a sensitive type is used, the type parameter must be generic; in this example a
Sensitive[String] instead would match
The example manifest would log the following notice:
$secret = Sensitive('myPassword') notice($secret)
To gain access to the original data, use the
Notice: Scope(Class[main]): Sensitive [value redacted]
$secret = Sensitive('myPassword') $processed = $secret.unwrap notice $processed
unwrap only as an aid for logs and reports. The data is not encrypted.