
Support task to encrypt all possible fields with probabilistic encryption

Open spelak-salesforce opened this issue 5 years ago • 4 comments

If you are seeking support on using CumulusCI, please do not open an Issue. Instead, please visit us on the Trailblazer Community, or, for Nonprofit and Education customers, the Power of Us Hub

Please describe the nature of this feature request

To support developing with Shield Platform Encryption, add a task to encrypt all possible fields with probabilistic encryption for specified objects. This would allow packages to create scratch orgs and verify it's possible for a customer to encrypt all possible fields for specified objects for all supported fields.

Currently, to support developing while supporting Shield Platform Encryption, we have to create custom deploy tasks that manually specify which fields need to be encrypted. What's challenging is remembering to encrypt new fields as they are created, which poses the risk of referencing fields in code in a way that prevents being able to encrypt the field with probabilistic encryption.

Encryptable fields:

Essentially, only “text” and "date" Custom Field Types can be encrypted:

  • “text”-like fields
    • Email
    • Phone
    • Text
    • Text Area
    • Text Area (Long)
    • Text Area (Rich)
    • URL
    • “text” like standard fields including Address fields
  • “date”-like fields
    • Date
    • Date/Time

Note: Picklist, “Number”-like, and reference fields are not encryptable.

I'm interested in a new Task or Flow for CumulusCI.

Does your feature request solve a current problem? Please describe.

Currently, to support developing while supporting Shield Platform Encryption, we have to create custom deploy tasks that manually specify which fields need to be encrypted. What's challenging is remembering to encrypt new fields as they are created, which poses the risk of referencing fields in code in a way that prevents being able to encrypt the field with probabilistic encryption.

Describe the solution you'd like

A task, say encrypt_all_encryptable_fields, that:

  • Supports an option specifying which Objects should have all encryptable fields encrypted with probabilistic encryption.
    • The task would do describes on these objects and calculate which fields are encryptable using the above research.
    • This could be a metadata etl task?
  • Supports a way to ignore specified fields from being encrypted with probabilistic encryption.
    • Maybe this task has an objects option that is a list of objects with name and except_fields/except:
    encrypt_all_encryptable_fields:
        objects:
            - name: Account
            - name: Contact
              except:
                - Email

  • It'd be great, though not required, to automatically inject namespace tokens for object/field references where appropriate.

Describe alternatives you've considered

Define custom deploy tasks updating Field's encryptionScheme for objects included in the deploy. Must be manually configured and manually updated.

Additional context 🚫

spelak-salesforce, Oct 26 '20 18:10
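The selection step the requested task would perform, sketched as an added example (not CumulusCI code and not part of the issue): given the proposed `objects` option and describe-like field lists, it returns the fields to encrypt per object. The function name `plan_encryption`, the mapping of describe `type` strings to the issue's field list, and the sample data are assumptions.

```python
# Added example: hypothetical helper, not CumulusCI's implementation.
# Describe "type" values assumed to match the encryptable types listed in the issue.
ENCRYPTABLE_TYPES = {
    "email", "phone", "string", "textarea", "url",  # "text"-like fields
    "date", "datetime",                             # "date"-like fields
}
ENCRYPTION_SCHEME = "ProbabilisticEncryption"  # Metadata API encryptionScheme value


def plan_encryption(objects, describes):
    """Return {object_name: [field names to encrypt]} for the `objects` option.

    objects   -- list of {"name": ..., "except": [...]} as in the proposed YAML
    describes -- {object_name: [{"name": ..., "type": ...}, ...]} (describe-like)
    """
    plan = {}
    for spec in objects:
        name = spec["name"]
        if name not in describes:
            raise ValueError(f"no describe data for object {name}")
        fields = {f["name"]: f["type"] for f in describes[name]}
        # An empty "except:" key parses to None in YAML, so normalise it.
        excluded = set(spec.get("except") or [])
        unknown = excluded - fields.keys()
        if unknown:
            # A misspelled exclusion would silently encrypt the field it meant to skip.
            raise ValueError(f"{name}: unknown fields in except: {sorted(unknown)}")
        plan[name] = sorted(
            f for f, t in fields.items()
            if t in ENCRYPTABLE_TYPES and f not in excluded
        )
    return plan


# Constructed sample data, not output from a real org.
SAMPLE_DESCRIBES = {
    "Account": [{"name": "Name", "type": "string"}, {"name": "Phone", "type": "phone"},
                {"name": "Website", "type": "url"}, {"name": "Industry", "type": "picklist"},
                {"name": "OwnerId", "type": "reference"}, {"name": "Notes__c", "type": "textarea"}],
    "Contact": [{"name": "LastName", "type": "string"}, {"name": "Email", "type": "email"},
                {"name": "Birthdate", "type": "date"}, {"name": "AccountId", "type": "reference"}],
}
SAMPLE_OBJECTS = [{"name": "Account"}, {"name": "Contact", "except": ["Email"]}]

if __name__ == "__main__":
    for obj, names in plan_encryption(SAMPLE_OBJECTS, SAMPLE_DESCRIBES).items():
        print(obj, ENCRYPTION_SCHEME, names)
```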

This sounds like a good idea to me.

Is it just a matter of setting encryptionScheme in the field metadata or are there other steps needed to enable encryption?

This would be a good place to use the schema describe cache that @prescod has been working on.

davisagli, Oct 26 '20 21:10

I think this could fit well into the Metadata ETL framework. Rather than accepting api_names, it would override the methods to generate a package.xml to do so by walking the schema instead of accepting user input. Then updating the metadata would be easy, and there's already an example of a task that does so for CustomField in the task that sets field help text.

davidmreed, Oct 26 '20 22:10

@bethbrains

Want to pair program a proof of concept (POC)?

spelak-salesforce, Nov 19 '20 21:11

This feature has been developed but is blocked by bugs in the underlying platform functionality.

davidmreed, Jan 28 '22 21:01