core: Unmark provisioner config before validation

Sensitive values in provisioner configuration would cause errors in the
validate phase. We need to unmark these values before serializing the
config value for the provisioner plugin.
Alisdair McDiarmid 2021-02-18 10:41:43 -05:00
parent f6505870cc
commit 3f017b4413
3 changed files with 57 additions and 1 deletions


@ -1965,3 +1965,46 @@ resource "test_instance" "a" {
}
}
}
func TestContext2Validate_sensitiveProvisionerConfig(t *testing.T) {
m := testModule(t, "validate-sensitive-provisioner-config")
p := testProvider("aws")
p.GetProviderSchemaResponse = &providers.GetProviderSchemaResponse{
ResourceTypes: map[string]providers.Schema{
"aws_instance": {
Block: &configschema.Block{
Attributes: map[string]*configschema.Attribute{
"foo": {Type: cty.String, Optional: true},
},
},
},
},
}
pr := simpleMockProvisioner()
c := testContext2(t, &ContextOpts{
Config: m,
Providers: map[addrs.Provider]providers.Factory{
addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
},
Provisioners: map[string]provisioners.Factory{
"test": testProvisionerFuncFixed(pr),
},
})
pr.ValidateProvisionerConfigFn = func(r provisioners.ValidateProvisionerConfigRequest) provisioners.ValidateProvisionerConfigResponse {
if r.Config.ContainsMarked() {
t.Errorf("provisioner config contains marked values")
}
return pr.ValidateProvisionerConfigResponse
}
diags := c.Validate()
if diags.HasErrors() {
t.Fatalf("unexpected error: %s", diags.Err())
}
if !pr.ValidateProvisionerConfigCalled {
t.Fatal("ValidateProvisionerConfig not called")
}
}
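Review bot: TestContext2Validate_sensitiveProvisionerConfig has no comment naming the failure it guards against, and its only sensitive-value assertion is the `ContainsMarked()` check inside the callback. A short doc comment would keep the intent clear through later refactors, e.g. `// Regression test: sensitive marks must be stripped before the config reaches ValidateProvisionerConfig.` A one-line comment above `pr.ValidateProvisionerConfigFn` saying that the mock stands in for the plugin, so a marked value arriving there is the failure condition, would also help.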


@ -90,8 +90,10 @@ func (n *NodeValidatableResource) validateProvisioner(ctx EvalContext, p *config
return diags.Append(fmt.Errorf("EvaluateBlock returned nil value"))
}
// Use unmarked value for validate request
unmarkedConfigVal, _ := configVal.UnmarkDeep()
req := provisioners.ValidateProvisionerConfigRequest{
Config: configVal,
Config: unmarkedConfigVal,
}
resp := provisioner.ValidateProvisionerConfig(req)
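Review bot: The marks returned by `configVal.UnmarkDeep()` are discarded with `_`, so from this line on nothing records that parts of the request were sensitive, and whatever the provisioner returns in `resp` is handled as ordinary text. That is probably acceptable for validation, where no value comes back to be re-marked, but the one-line comment does not say so. I would replace it with `// Marks cannot be serialized for the plugin; drop them here. The provisioner sees raw sensitive values, so its diagnostics are not redacted.` The rest of validateProvisioner, including how `resp` is consumed, is outside this hunk, so whether plugin diagnostics can echo config values should be checked there.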


@ -0,0 +1,11 @@
variable "secret" {
type = string
default = " password123"
sensitive = true
}
resource "aws_instance" "foo" {
provisioner "test" {
test_string = var.secret
}
}