core: Fix sensitive value variable validation

Binding a sensitive value to a variable with custom validation rules
would cause a panic, as the validation expression carries the sensitive
mark when it is evaluated for truthiness. This commit drops the marks
before testing, which fixes the issue.
This commit is contained in:
Alisdair McDiarmid 2021-01-05 13:49:04 -05:00
parent 5ceb8b2b98
commit 1fa65bdd91
4 changed files with 43 additions and 0 deletions

View File

@ -6725,3 +6725,23 @@ resource "test_resource" "foo" {
}
}
}
func TestContext2Plan_variableCustomValidationsSensitive(t *testing.T) {
m := testModule(t, "validate-variable-custom-validations-child-sensitive")
p := testProvider("test")
ctx := testContext2(t, &ContextOpts{
Config: m,
Providers: map[addrs.Provider]providers.Factory{
addrs.NewDefaultProvider("test"): testProviderFuncFixed(p),
},
})
_, diags := ctx.Plan()
if !diags.HasErrors() {
t.Fatal("succeeded; want errors")
}
if got, want := diags.Err().Error(), `Invalid value for variable: Value must not be "nope".`; !strings.Contains(got, want) {
t.Fatalf("wrong error:\ngot: %s\nwant: message containing %q", got, want)
}
}

View File

@ -81,6 +81,11 @@ func evalVariableValidations(addr addrs.AbsInputVariableInstance, config *config
continue
}
// Validation condition may be marked if the input variable is bound to
// a sensitive value. This is irrelevant to the validation process, so
// we discard the marks now.
result, _ = result.Unmark()
if result.False() {
if expr != nil {
diags = diags.Append(&hcl.Diagnostic{

View File

@ -0,0 +1,8 @@
variable "test" {
type = string
validation {
condition = var.test != "nope"
error_message = "Value must not be \"nope\"."
}
}

View File

@ -0,0 +1,10 @@
variable "test" {
sensitive = true
default = "nope"
}
module "child" {
source = "./child"
test = var.test
}