From 577b1ea2afc07409f41844b9eb5becc9897b38f0 Mon Sep 17 00:00:00 2001 From: Alisdair McDiarmid Date: Fri, 18 Dec 2020 11:19:02 -0500 Subject: [PATCH] core: Fix for sensitive data source arguments --- terraform/context_apply_test.go | 47 +++++++++++++++++++ terraform/node_resource_abstract_instance.go | 8 ++++ .../testdata/apply-data-sensitive/main.tf | 8 ++++ 3 files changed, 63 insertions(+) create mode 100644 terraform/testdata/apply-data-sensitive/main.tf diff --git a/terraform/context_apply_test.go b/terraform/context_apply_test.go index f332aeec7..df1023a80 100644 --- a/terraform/context_apply_test.go +++ b/terraform/context_apply_test.go @@ -12331,3 +12331,50 @@ resource "test_instance" "a" { } } } + +func TestContext2Apply_dataSensitive(t *testing.T) { + m := testModule(t, "apply-data-sensitive") + p := testProvider("null") + p.ApplyResourceChangeFn = testApplyFn + p.PlanResourceChangeFn = testDiffFn + p.ReadDataSourceFn = func(req providers.ReadDataSourceRequest) providers.ReadDataSourceResponse { + // add the required id + m := req.Config.AsValueMap() + m["id"] = cty.StringVal("foo") + + return providers.ReadDataSourceResponse{ + State: cty.ObjectVal(m), + } + } + + ctx := testContext2(t, &ContextOpts{ + Config: m, + Providers: map[addrs.Provider]providers.Factory{ + addrs.NewDefaultProvider("null"): testProviderFuncFixed(p), + }, + }) + + if p, diags := ctx.Plan(); diags.HasErrors() { + t.Fatalf("diags: %s", diags.Err()) + } else { + t.Logf(legacyDiffComparisonString(p.Changes)) + } + + state, diags := ctx.Apply() + assertNoErrors(t, diags) + + addr := mustResourceInstanceAddr("data.null_data_source.testing") + + dataSourceState := state.ResourceInstance(addr) + pvms := dataSourceState.Current.AttrSensitivePaths + if len(pvms) != 1 { + t.Fatalf("expected 1 sensitive path, got %d", len(pvms)) + } + pvm := pvms[0] + if gotPath, wantPath := pvm.Path, cty.GetAttrPath("foo"); !gotPath.Equals(wantPath) { + t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath) + } + if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks("sensitive"); !gotMarks.Equal(wantMarks) { + t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks) + } +} diff --git a/terraform/node_resource_abstract_instance.go b/terraform/node_resource_abstract_instance.go index 18846047a..224c18d51 100644 --- a/terraform/node_resource_abstract_instance.go +++ b/terraform/node_resource_abstract_instance.go @@ -1194,6 +1194,10 @@ func (n *NodeAbstractResourceInstance) readDataSource(ctx EvalContext, configVal return newVal, diags } + // Unmark before sending to provider, will re-mark before returning + var pvm []cty.PathValueMarks + configVal, pvm = configVal.UnmarkDeepWithPaths() + log.Printf("[TRACE] readDataSource: Re-validating config for %s", n.Addr) validateResp := provider.ValidateDataSourceConfig( providers.ValidateDataSourceConfigRequest{ @@ -1269,6 +1273,10 @@ func (n *NodeAbstractResourceInstance) readDataSource(ctx EvalContext, configVal newVal = cty.UnknownAsNull(newVal) } + if len(pvm) > 0 { + newVal = newVal.MarkWithPaths(pvm) + } + return newVal, diags } diff --git a/terraform/testdata/apply-data-sensitive/main.tf b/terraform/testdata/apply-data-sensitive/main.tf new file mode 100644 index 000000000..c248a7c33 --- /dev/null +++ b/terraform/testdata/apply-data-sensitive/main.tf @@ -0,0 +1,8 @@ +variable "foo" { + sensitive = true + default = "foo" +} + +data "null_data_source" "testing" { + foo = var.foo +}