ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #27131 from hashicorp/pselle/double-marks 

Avoid double-marking variables
This commit is contained in:
Pam Selle 2020-12-04 13:21:54 -05:00 committed by GitHub
parent 3b4079d451 12b5d437da
commit ae025248cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 62 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
terraform/context_plan_test.go
View File

@ -5603,6 +5603,12 @@ func TestContext2Plan_variableSensitivityModule(t *testing.T) {
Providers: map[addrs.Provider]providers.Factory{ Providers: map[addrs.Provider]providers.Factory{
addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p), addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
}, },
Variables: InputValues{
"another_var": &InputValue{
Value: cty.StringVal("boop"),
SourceType: ValueFromCaller,
},
},
}) })
plan, diags := ctx.Plan() plan, diags := ctx.Plan()
@ -5628,21 +5634,32 @@ func TestContext2Plan_variableSensitivityModule(t *testing.T) {
switch i := ric.Addr.String(); i { switch i := ric.Addr.String(); i {
case "module.child.aws_instance.foo": case "module.child.aws_instance.foo":
checkVals(t, objectVal(t, schema, map[string]cty.Value{ checkVals(t, objectVal(t, schema, map[string]cty.Value{
"foo": cty.StringVal("foo"), "foo": cty.StringVal("foo"),
"value": cty.StringVal("boop"),
}), ric.After) }), ric.After)
if len(res.ChangeSrc.BeforeValMarks) != 0 { if len(res.ChangeSrc.BeforeValMarks) != 0 {
t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks) t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks)
} }
if len(res.ChangeSrc.AfterValMarks) != 1 { if len(res.ChangeSrc.AfterValMarks) != 2 {
t.Errorf("unexpected AfterValMarks: %#v", res.ChangeSrc.AfterValMarks) t.Errorf("expected AfterValMarks to contain two elements: %#v", res.ChangeSrc.AfterValMarks)
continue continue
} }
pvm := res.ChangeSrc.AfterValMarks[0] // validate that the after marks have "foo" and "value"
if got, want := pvm.Path, cty.GetAttrPath("foo"); !got.Equals(want) { contains := func(pvmSlice []cty.PathValueMarks, stepName string) bool {
t.Errorf("unexpected path for mark\n got: %#v\nwant: %#v", got, want) for _, pvm := range pvmSlice {
if pvm.Path.Equals(cty.GetAttrPath(stepName)) {
if pvm.Marks.Equal(cty.NewValueMarks("sensitive")) {
return true
}
}
}
return false
} }
if got, want := pvm.Marks, cty.NewValueMarks("sensitive"); !got.Equal(want) { if !contains(res.ChangeSrc.AfterValMarks, "foo") {
t.Errorf("unexpected value for mark\n got: %#v\nwant: %#v", got, want) t.Error("unexpected AfterValMarks to contain \"foo\" with sensitive mark")
}
if !contains(res.ChangeSrc.AfterValMarks, "value") {
t.Error("unexpected AfterValMarks to contain \"value\" with sensitive mark")
} }
default: default:
t.Fatal("unknown instance:", i) t.Fatal("unknown instance:", i)

3
terraform/evaluate.go
View File

@ -297,7 +297,8 @@ func (d *evaluationStateData) GetInputVariable(addr addrs.InputVariable, rng tfd
val = cty.UnknownVal(wantType) val = cty.UnknownVal(wantType)
} }
if config.Sensitive { // Mark if sensitive, and avoid double-marking if this has already been marked
if config.Sensitive && !val.HasMark("sensitive") {
val = val.Mark("sensitive") val = val.Mark("sensitive")
} }

23
terraform/evaluate_test.go
View File

@ -99,11 +99,20 @@ func TestEvaluatorGetInputVariable(t *testing.T) {
Sensitive: true, Sensitive: true,
Default: cty.StringVal("foo"), Default: cty.StringVal("foo"),
}, },
// Avoid double marking a value
"some_other_var": {
Name: "some_other_var",
Sensitive: true,
Default: cty.StringVal("bar"),
},
}, },
}, },
}, },
VariableValues: map[string]map[string]cty.Value{ VariableValues: map[string]map[string]cty.Value{
"": {"some_var": cty.StringVal("bar")}, "": {
"some_var": cty.StringVal("bar"),
"some_other_var": cty.StringVal("boop").Mark("sensitive"),
},
}, },
VariableValuesLock: &sync.Mutex{}, VariableValuesLock: &sync.Mutex{},
} }
@ -124,6 +133,18 @@ func TestEvaluatorGetInputVariable(t *testing.T) {
if !got.RawEquals(want) { if !got.RawEquals(want) {
t.Errorf("wrong result %#v; want %#v", got, want) t.Errorf("wrong result %#v; want %#v", got, want)
} }
want = cty.StringVal("boop").Mark("sensitive")
got, diags = scope.Data.GetInputVariable(addrs.InputVariable{
Name: "some_other_var",
}, tfdiags.SourceRange{})
if len(diags) != 0 {
t.Errorf("unexpected diagnostics %s", spew.Sdump(diags))
}
if !got.RawEquals(want) {
t.Errorf("wrong result %#v; want %#v", got, want)
}
} }
func TestEvaluatorGetResource(t *testing.T) { func TestEvaluatorGetResource(t *testing.T) {

10
terraform/testdata/plan-variable-sensitivity-module/child/main.tf vendored
View File

@ -2,6 +2,12 @@ variable "foo" {
type = string type = string
} }
resource "aws_instance" "foo" { // "bar" is defined as sensitive by both the parent and the child
foo = var.foo variable "bar" {
sensitive = true
}
resource "aws_instance" "foo" {
foo = var.foo
value = var.bar
} }

5
terraform/testdata/plan-variable-sensitivity-module/main.tf vendored
View File

@ -3,7 +3,12 @@ variable "sensitive_var" {
sensitive = true sensitive = true
} }
variable "another_var" {
sensitive = true
}
module "child" { module "child" {
source = "./child" source = "./child"
foo = var.sensitive_var foo = var.sensitive_var
bar = var.another_var
} }