core: Unmark provisioner config before validation
Sensitive values in provisioner configuration would cause errors in the validate phase. We need to unmark these values before serializing the config value for the provisioner plugin.
parent
f6505870cc
commit
3f017b4413
|
@ -1965,3 +1965,46 @@ resource "test_instance" "a" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestContext2Validate_sensitiveProvisionerConfig(t *testing.T) {
|
||||
m := testModule(t, "validate-sensitive-provisioner-config")
|
||||
p := testProvider("aws")
|
||||
p.GetProviderSchemaResponse = &providers.GetProviderSchemaResponse{
|
||||
ResourceTypes: map[string]providers.Schema{
|
||||
"aws_instance": {
|
||||
Block: &configschema.Block{
|
||||
Attributes: map[string]*configschema.Attribute{
|
||||
"foo": {Type: cty.String, Optional: true},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
pr := simpleMockProvisioner()
|
||||
|
||||
c := testContext2(t, &ContextOpts{
|
||||
Config: m,
|
||||
Providers: map[addrs.Provider]providers.Factory{
|
||||
addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
|
||||
},
|
||||
Provisioners: map[string]provisioners.Factory{
|
||||
"test": testProvisionerFuncFixed(pr),
|
||||
},
|
||||
})
|
||||
|
||||
pr.ValidateProvisionerConfigFn = func(r provisioners.ValidateProvisionerConfigRequest) provisioners.ValidateProvisionerConfigResponse {
|
||||
if r.Config.ContainsMarked() {
|
||||
t.Errorf("provisioner config contains marked values")
|
||||
}
|
||||
return pr.ValidateProvisionerConfigResponse
|
||||
}
|
||||
|
||||
diags := c.Validate()
|
||||
if diags.HasErrors() {
|
||||
t.Fatalf("unexpected error: %s", diags.Err())
|
||||
}
|
||||
if !pr.ValidateProvisionerConfigCalled {
|
||||
t.Fatal("ValidateProvisionerConfig not called")
|
||||
}
|
||||
}
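Review bot: The callback in TestContext2Validate_sensitiveProvisionerConfig only asserts that `r.Config.ContainsMarked()` is false, so it would still pass if the sensitive value were dropped or replaced (for example with null or unknown) instead of being unmarked. Consider also checking that the value the provisioner receives is the fixture's default, e.g. `if got := r.Config.GetAttr("test_string"); !got.RawEquals(cty.StringVal(" password123")) { t.Errorf("wrong test_string: %#v", got) }`. This assumes the mock provisioner's schema exposes `test_string` as the fixture suggests, and the expected literal should match the fixture exactly. Because the callback receives the secret in plaintext, print it in failure messages only for a fixture value like this one.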
|
||||
|
|
|
@ -90,8 +90,10 @@ func (n *NodeValidatableResource) validateProvisioner(ctx EvalContext, p *config
|
|||
return diags.Append(fmt.Errorf("EvaluateBlock returned nil value"))
|
||||
}
|
||||
|
||||
// Use unmarked value for validate request
|
||||
unmarkedConfigVal, _ := configVal.UnmarkDeep()
|
||||
req := provisioners.ValidateProvisionerConfigRequest{
|
||||
Config: configVal,
|
||||
Config: unmarkedConfigVal,
|
||||
}
|
||||
|
||||
resp := provisioner.ValidateProvisionerConfig(req)
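Review bot: `unmarkedConfigVal, _ := configVal.UnmarkDeep()` discards the sensitivity marks for good, so nothing downstream of `ValidateProvisionerConfig(req)` knows which parts of the config were sensitive. If the provisioner echoes a config value in a diagnostic, the handling of `resp` (outside this hunk, so not confirmed here) would presumably append it to the validate output unredacted. The one-line comment should say why the marks are dropped and what follows from that, for example `// The provisioner plugin cannot receive marked values, so strip sensitivity marks before building the request;` followed by `// diagnostics returned in resp may therefore quote sensitive values and are not redacted here.` validateProvisioner starts and ends outside this hunk.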
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
variable "secret" {
|
||||
type = string
|
||||
default = " password123"
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
resource "aws_instance" "foo" {
|
||||
provisioner "test" {
|
||||
test_string = var.secret
|
||||
}
|
||||
}
|