core: Fix sensitive value variable validation
Binding a sensitive value to a variable with custom validation rules would cause a panic, as the validation expression carries the sensitive mark when it is evaluated for truthiness. This commit drops the marks before testing, which fixes the issue.
This commit is contained in:
parent
5ceb8b2b98
commit
1fa65bdd91
|
@ -6725,3 +6725,23 @@ resource "test_resource" "foo" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestContext2Plan_variableCustomValidationsSensitive(t *testing.T) {
|
||||
m := testModule(t, "validate-variable-custom-validations-child-sensitive")
|
||||
|
||||
p := testProvider("test")
|
||||
ctx := testContext2(t, &ContextOpts{
|
||||
Config: m,
|
||||
Providers: map[addrs.Provider]providers.Factory{
|
||||
addrs.NewDefaultProvider("test"): testProviderFuncFixed(p),
|
||||
},
|
||||
})
|
||||
|
||||
_, diags := ctx.Plan()
|
||||
if !diags.HasErrors() {
|
||||
t.Fatal("succeeded; want errors")
|
||||
}
|
||||
if got, want := diags.Err().Error(), `Invalid value for variable: Value must not be "nope".`; !strings.Contains(got, want) {
|
||||
t.Fatalf("wrong error:\ngot: %s\nwant: message containing %q", got, want)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -81,6 +81,11 @@ func evalVariableValidations(addr addrs.AbsInputVariableInstance, config *config
|
|||
continue
|
||||
}
|
||||
|
||||
// Validation condition may be marked if the input variable is bound to
|
||||
// a sensitive value. This is irrelevant to the validation process, so
|
||||
// we discard the marks now.
|
||||
result, _ = result.Unmark()
|
||||
|
||||
if result.False() {
|
||||
if expr != nil {
|
||||
diags = diags.Append(&hcl.Diagnostic{
|
||||
|
|
8
terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf
vendored
Normal file
8
terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf
vendored
Normal file
|
@ -0,0 +1,8 @@
|
|||
variable "test" {
|
||||
type = string
|
||||
|
||||
validation {
|
||||
condition = var.test != "nope"
|
||||
error_message = "Value must not be \"nope\"."
|
||||
}
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
variable "test" {
|
||||
sensitive = true
|
||||
default = "nope"
|
||||
}
|
||||
|
||||
module "child" {
|
||||
source = "./child"
|
||||
|
||||
test = var.test
|
||||
}
|
Loading…
Reference in New Issue