Mark attributes providers mark as sensitive

This updates GetResource so that the value
returned has marks where the provider's schema
has marked an attribute as sensitive
Pam Selle 2020-10-12 14:39:09 -04:00
parent af20a769be
commit 5e2905d222
3 changed files with 47 additions and 3 deletions


@ -11856,7 +11856,14 @@ variable "sensitive_map" {
resource "test_resource" "foo" { resource "test_resource" "foo" {
value = var.sensitive_map.x value = var.sensitive_map.x
}`, sensitive_value = "should get marked"
}
resource "test_resource" "bar" {
value = test_resource.foo.sensitive_value
random = test_resource.foo.id # not sensitive
}
`,
}) })
p := testProvider("test") p := testProvider("test")
@ -11893,6 +11900,12 @@ resource "test_resource" "foo" {
fooChangeSrc := plan.Changes.ResourceInstance(addr) fooChangeSrc := plan.Changes.ResourceInstance(addr)
verifySensitiveValue(fooChangeSrc.AfterValMarks) verifySensitiveValue(fooChangeSrc.AfterValMarks)
barAddr := mustResourceInstanceAddr("test_resource.bar")
barChangeSrc := plan.Changes.ResourceInstance(barAddr)
if len(barChangeSrc.AfterValMarks) != 1 {
t.Fatalf("there should only be 1 marked path for bar, there are %v", len(barChangeSrc.AfterValMarks))
}
state, diags := ctx.Apply() state, diags := ctx.Apply()
if diags.HasErrors() { if diags.HasErrors() {
t.Fatalf("apply errors: %s", diags.Err()) t.Fatalf("apply errors: %s", diags.Err())
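Review bot: The new check on `barChangeSrc.AfterValMarks` asserts only the count, so it would still pass if the single mark landed on `random` (fed from the non-sensitive `id`) rather than on `value`. Pinning the path as well makes the test prove what the config comment claims, for example `if !barChangeSrc.AfterValMarks[0].Path.Equals(cty.GetAttrPath("value")) { t.Fatalf("unexpected marked path %#v", barChangeSrc.AfterValMarks[0].Path) }`. `barChangeSrc` is also dereferenced without a nil check, so a missing planned change for `test_resource.bar` would likely surface as a panic instead of a test failure. The enclosing test function starts and ends outside the lines shown.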


@ -425,6 +425,11 @@ func testProviderSchema(name string) *ProviderSchema {
Type: cty.String, Type: cty.String,
Optional: true, Optional: true,
}, },
"sensitive_value": {
Type: cty.String,
Sensitive: true,
Optional: true,
},
"random": { "random": {
Type: cty.String, Type: cty.String,
Optional: true, Optional: true,


@ -727,7 +727,7 @@ func (d *evaluationStateData) GetResource(addr addrs.Resource, rng tfdiags.Sourc
} }
// Planned resources are temporarily stored in state with empty values, // Planned resources are temporarily stored in state with empty values,
// and need to be replaced bu the planned value here. // and need to be replaced by the planned value here.
if is.Current.Status == states.ObjectPlanned { if is.Current.Status == states.ObjectPlanned {
if change == nil { if change == nil {
// If the object is in planned status then we should not get // If the object is in planned status then we should not get
@ -752,6 +752,10 @@ func (d *evaluationStateData) GetResource(addr addrs.Resource, rng tfdiags.Sourc
continue continue
} }
// If our schema contains sensitive values, mark those as sensitive
if schema.ContainsSensitive() {
val = markProviderSensitiveAttributes(schema, val, nil)
}
instances[key] = val instances[key] = val
continue continue
} }
@ -768,7 +772,13 @@ func (d *evaluationStateData) GetResource(addr addrs.Resource, rng tfdiags.Sourc
}) })
continue continue
} }
instances[key] = ios.Value
val := ios.Value
// If our schema contains sensitive values, mark those as sensitive
if schema.ContainsSensitive() {
val = markProviderSensitiveAttributes(schema, val, nil)
}
instances[key] = val
} }
var ret cty.Value var ret cty.Value
@ -935,3 +945,19 @@ func moduleDisplayAddr(addr addrs.ModuleInstance) string {
return addr.String() return addr.String()
} }
} }
// markProviderSensitiveAttributes returns an updated value
// where attributes that are Sensitive are marked
func markProviderSensitiveAttributes(schema *configschema.Block, val cty.Value, path cty.Path) cty.Value {
var pvm []cty.PathValueMarks
for name, attrS := range schema.Attributes {
if attrS.Sensitive {
path := append(path, cty.GetAttrStep{Name: name})
pvm = append(pvm, cty.PathValueMarks{
Path: path,
Marks: cty.NewValueMarks("sensitive"),
})
}
}
return val.MarkWithPaths(pvm)
}
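Review bot: `markProviderSensitiveAttributes` walks only `schema.Attributes`, so a sensitive attribute declared inside a nested block would come back from GetResource unmarked. Both call sites gate on `schema.ContainsSensitive()`, whose body is not shown here; if it also reports nested blocks, the gate and the marker disagree and such a value could flow into expressions and plan output without the sensitive mark. The unused-so-far `path` parameter suggests recursion into `schema.BlockTypes` was intended, and a test schema with a sensitive attribute inside a nested block would pin the behaviour either way. Separately, `path := append(path, ...)` inside the loop can share one backing array across iterations once a caller passes a non-nil `path` with spare capacity, which would leave every stored `PathValueMarks.Path` pointing at the last attribute; copying first avoids that, `attrPath := append(path.Copy(), cty.GetAttrStep{Name: name})`.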