writeonlyhash

package
v0.16.1 Latest

Warning: This package is not in the latest version of its module.
Published: Jun 1, 2026 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Overview

Package writeonlyhash provides bcrypt-backed hashing for write-only secret attributes stored in Terraform resource private state.

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Hasher

type Hasher struct {
	// Salt is the per-resource-type salt derived from the resourceTypeName
	// passed to New. It namespaces values before bcrypt hashing.
	Salt []byte

	// Cost is the bcrypt cost parameter. Zero means defaultCost (10).
	Cost int
}

Hasher manages bcrypt-based private-state hashes for write-only attributes. It binds a per-resource-type salt so the same secret value produces different hashes across resource types. Cost controls bcrypt work factor; when Cost is zero, Compute uses the default of 10. A Hasher must not be shared across resource types—construct one per resource via New with that resource's stable type identifier.

func New

func New(resourceTypeName string) *Hasher

New returns a Hasher whose salt is derived from resourceTypeName. Use a stable, unique string per Terraform resource type (for example "elasticsearch_connector" or "fleet_cloud_connector"). The same plaintext value hashed under different resource type names will not verify on another Hasher.

func (*Hasher) Compute

func (h *Hasher) Compute(value string) ([]byte, error)

Compute returns a bcrypt hash of value suitable for storage in resource private state. When Cost is zero, the default bcrypt cost of 10 is used. Errors never include the input value.

func (*Hasher) Matches

func (h *Hasher) Matches(value string, storedHash []byte) bool

Matches reports whether value corresponds to storedHash as produced by Compute on this Hasher. It returns false when the value does not match or when bcrypt comparison fails for any reason.

func (*Hasher) PrivateStateKey

func (h *Hasher) PrivateStateKey(attributePath string) string

PrivateStateKey returns a stable private-state key for the write-only attribute identified by attributePath. The format is secret_hash:<attributePath> (for example secret_hash:aws.external_id or secret_hash:configuration_values["password"].secret_value). attributePath is not modified; the caller must supply a path that uniquely identifies the attribute, including map key indices in bracket notation.
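
The flow these methods support, as an added example that is not code from the package: a resource keeps only a hash of a write-only value in private state and checks later configuration values against it. To stay standard-library-only, standIn replaces bcrypt with nonce-salted HMAC-SHA256; standIn, secretChanged, the map standing in for private state, and the sample values are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// standIn: assumed HMAC-SHA256 substitute for the documented Hasher (NOT bcrypt, not the package's code).
type standIn struct{ resourceType string }

func (h standIn) mac(nonce []byte, value string) []byte {
	m := hmac.New(sha256.New, []byte(h.resourceType)) // per-resource-type key
	m.Write(nonce)
	m.Write([]byte(value))
	return m.Sum(nil)
}

// Compute output differs per call (random nonce), as bcrypt output does: verify with Matches, not equality.
func (h standIn) Compute(value string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, h.mac(nonce, value)...), nil
}

func (h standIn) Matches(value string, stored []byte) bool {
	return len(stored) == 48 && hmac.Equal(stored[16:], h.mac(stored[:16], value))
}

// secretChanged compares the configured write-only value with the hash kept in
// private state (a map here) and records a fresh hash when it differs.
func secretChanged(h standIn, private map[string][]byte, path, value string) (bool, error) {
	key := "secret_hash:" + path // key format documented for PrivateStateKey
	if h.Matches(value, private[key]) {
		return false, nil
	}
	sum, err := h.Compute(value)
	if err != nil {
		return false, err
	}
	private[key] = sum
	return true, nil
}

func main() { // constructed sample values
	fmt.Println(secretChanged(standIn{"elasticsearch_connector"}, map[string][]byte{}, "aws.external_id", "s3cret"))
}
```

With the real package, a Hasher returned by New and its Compute, Matches and PrivateStateKey methods take the place of the stand-in.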
