Merge pull request #29039 from hashicorp/jbardin/sensitive

New marks.Sensitive type, and audit of sensitive marks usage
This commit is contained in:
James Bardin 2021-06-25 17:11:59 -04:00 committed by GitHub
commit c687ebeaf1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
45 changed files with 326 additions and 231 deletions

View File

@ -11,6 +11,7 @@ import (
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
viewsjson "github.com/hashicorp/terraform/internal/command/views/json" viewsjson "github.com/hashicorp/terraform/internal/command/views/json"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
) )
@ -123,7 +124,7 @@ func TestDiagnostic(t *testing.T) {
EvalContext: &hcl.EvalContext{ EvalContext: &hcl.EvalContext{
Variables: map[string]cty.Value{ Variables: map[string]cty.Value{
"boop": cty.ObjectVal(map[string]cty.Value{ "boop": cty.ObjectVal(map[string]cty.Value{
"beep": cty.StringVal("blah").Mark("sensitive"), "beep": cty.StringVal("blah").Mark(marks.Sensitive),
}), }),
}, },
}, },
@ -336,7 +337,7 @@ Whatever shall we do?
EvalContext: &hcl.EvalContext{ EvalContext: &hcl.EvalContext{
Variables: map[string]cty.Value{ Variables: map[string]cty.Value{
"boop": cty.ObjectVal(map[string]cty.Value{ "boop": cty.ObjectVal(map[string]cty.Value{
"beep": cty.StringVal("blah").Mark("sensitive"), "beep": cty.StringVal("blah").Mark(marks.Sensitive),
}), }),
}, },
}, },

View File

@ -14,6 +14,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/plans/objchange" "github.com/hashicorp/terraform/internal/plans/objchange"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
@ -733,7 +734,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiffs(name string, blockS *config
// If either the old or the new value is marked, // If either the old or the new value is marked,
// Display a special diff because it is irrelevant // Display a special diff because it is irrelevant
// to list all obfuscated attributes as (sensitive) // to list all obfuscated attributes as (sensitive)
if old.IsMarked() || new.IsMarked() { if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
p.writeSensitiveNestedBlockDiff(name, old, new, indent, blankBefore, path) p.writeSensitiveNestedBlockDiff(name, old, new, indent, blankBefore, path)
return 0 return 0
} }
@ -1012,7 +1013,7 @@ func (p *blockBodyDiffPrinter) writeNestedBlockDiff(name string, label *string,
func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) { func (p *blockBodyDiffPrinter) writeValue(val cty.Value, action plans.Action, indent int) {
// Could check specifically for the sensitivity marker // Could check specifically for the sensitivity marker
if val.IsMarked() { if val.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString("(sensitive)")
return return
} }
@ -1177,7 +1178,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
// However, these specialized implementations can apply only if both // However, these specialized implementations can apply only if both
// values are known and non-null. // values are known and non-null.
if old.IsKnown() && new.IsKnown() && !old.IsNull() && !new.IsNull() && typesEqual { if old.IsKnown() && new.IsKnown() && !old.IsNull() && !new.IsNull() && typesEqual {
if old.IsMarked() || new.IsMarked() { if old.HasMark(marks.Sensitive) || new.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString("(sensitive)")
if p.pathForcesNewResource(path) { if p.pathForcesNewResource(path) {
p.buf.WriteString(p.color.Color(forcesNewResourceCaption)) p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
@ -1548,7 +1549,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
switch action { switch action {
case plans.Create, plans.NoOp: case plans.Create, plans.NoOp:
v := new.Index(kV) v := new.Index(kV)
if v.IsMarked() { if v.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString("(sensitive)")
} else { } else {
p.writeValue(v, action, indent+4) p.writeValue(v, action, indent+4)
@ -1558,7 +1559,7 @@ func (p *blockBodyDiffPrinter) writeValueDiff(old, new cty.Value, indent int, pa
newV := cty.NullVal(oldV.Type()) newV := cty.NullVal(oldV.Type())
p.writeValueDiff(oldV, newV, indent+4, path) p.writeValueDiff(oldV, newV, indent+4, path)
default: default:
if oldV.IsMarked() || newV.IsMarked() { if oldV.HasMark(marks.Sensitive) || newV.HasMark(marks.Sensitive) {
p.buf.WriteString("(sensitive)") p.buf.WriteString("(sensitive)")
} else { } else {
p.writeValueDiff(oldV, newV, indent+4, path) p.writeValueDiff(oldV, newV, indent+4, path)
@ -1738,7 +1739,7 @@ func (p *blockBodyDiffPrinter) writeSensitivityWarning(old, new cty.Value, inden
} }
} }
if new.IsMarked() && !old.IsMarked() { if new.HasMark(marks.Sensitive) && !old.HasMark(marks.Sensitive) {
p.buf.WriteString(strings.Repeat(" ", indent)) p.buf.WriteString(strings.Repeat(" ", indent))
p.buf.WriteString(p.color.Color(fmt.Sprintf("# [yellow]Warning:[reset] this %s will be marked as sensitive and will not\n", diffType))) p.buf.WriteString(p.color.Color(fmt.Sprintf("# [yellow]Warning:[reset] this %s will be marked as sensitive and will not\n", diffType)))
p.buf.WriteString(strings.Repeat(" ", indent)) p.buf.WriteString(strings.Repeat(" ", indent))
@ -1746,7 +1747,7 @@ func (p *blockBodyDiffPrinter) writeSensitivityWarning(old, new cty.Value, inden
} }
// Note if changing this attribute will change its sensitivity // Note if changing this attribute will change its sensitivity
if old.IsMarked() && !new.IsMarked() { if old.HasMark(marks.Sensitive) && !new.HasMark(marks.Sensitive) {
p.buf.WriteString(strings.Repeat(" ", indent)) p.buf.WriteString(strings.Repeat(" ", indent))
p.buf.WriteString(p.color.Color(fmt.Sprintf("# [yellow]Warning:[reset] this %s will no longer be marked as sensitive\n", diffType))) p.buf.WriteString(p.color.Color(fmt.Sprintf("# [yellow]Warning:[reset] this %s will no longer be marked as sensitive\n", diffType)))
p.buf.WriteString(strings.Repeat(" ", indent)) p.buf.WriteString(strings.Repeat(" ", indent))

View File

@ -7,6 +7,7 @@ import (
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/mitchellh/colorstring" "github.com/mitchellh/colorstring"
@ -3193,28 +3194,28 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
AfterValMarks: []cty.PathValueMarks{ AfterValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "ami"}}, Path: cty.Path{cty.GetAttrStep{Name: "ami"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(1)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(1)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
// Nested blocks/sets will mark the whole set/block as sensitive // Nested blocks/sets will mark the whole set/block as sensitive
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_list"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_list"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
RequiredReplace: cty.NewPathSet(), RequiredReplace: cty.NewPathSet(),
@ -3338,35 +3339,35 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
BeforeValMarks: []cty.PathValueMarks{ BeforeValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "ami"}}, Path: cty.Path{cty.GetAttrStep{Name: "ami"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "special"}}, Path: cty.Path{cty.GetAttrStep{Name: "special"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "some_number"}}, Path: cty.Path{cty.GetAttrStep{Name: "some_number"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(2)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(2)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
RequiredReplace: cty.NewPathSet(), RequiredReplace: cty.NewPathSet(),
@ -3485,23 +3486,23 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
AfterValMarks: []cty.PathValueMarks{ AfterValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "tags"}, cty.IndexStep{Key: cty.StringVal("address")}}, Path: cty.Path{cty.GetAttrStep{Name: "tags"}, cty.IndexStep{Key: cty.StringVal("address")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(0)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(0)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_single"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_single"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
RequiredReplace: cty.NewPathSet(), RequiredReplace: cty.NewPathSet(),
@ -3598,45 +3599,45 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
BeforeValMarks: []cty.PathValueMarks{ BeforeValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "ami"}}, Path: cty.Path{cty.GetAttrStep{Name: "ami"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(0)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(0)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_map"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_map"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
AfterValMarks: []cty.PathValueMarks{ AfterValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "ami"}}, Path: cty.Path{cty.GetAttrStep{Name: "ami"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(0)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(0)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_map"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_map"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
RequiredReplace: cty.NewPathSet(), RequiredReplace: cty.NewPathSet(),
@ -3745,35 +3746,35 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
BeforeValMarks: []cty.PathValueMarks{ BeforeValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "ami"}}, Path: cty.Path{cty.GetAttrStep{Name: "ami"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "special"}}, Path: cty.Path{cty.GetAttrStep{Name: "special"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "some_number"}}, Path: cty.Path{cty.GetAttrStep{Name: "some_number"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(2)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(2)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
RequiredReplace: cty.NewPathSet(), RequiredReplace: cty.NewPathSet(),
@ -3885,27 +3886,27 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
BeforeValMarks: []cty.PathValueMarks{ BeforeValMarks: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "ami"}}, Path: cty.Path{cty.GetAttrStep{Name: "ami"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(1)}}, Path: cty.Path{cty.GetAttrStep{Name: "list_field"}, cty.IndexStep{Key: cty.NumberIntVal(1)}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}}, Path: cty.Path{cty.GetAttrStep{Name: "map_key"}, cty.IndexStep{Key: cty.StringVal("dinner")}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}}, Path: cty.Path{cty.GetAttrStep{Name: "map_whole"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}}, Path: cty.Path{cty.GetAttrStep{Name: "nested_block_set"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
RequiredReplace: cty.NewPathSet(), RequiredReplace: cty.NewPathSet(),
@ -3974,21 +3975,21 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
BeforeValMarks: []cty.PathValueMarks{ BeforeValMarks: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("ami"), Path: cty.GetAttrPath("ami"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.GetAttrPath("nested_block_set"), Path: cty.GetAttrPath("nested_block_set"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
AfterValMarks: []cty.PathValueMarks{ AfterValMarks: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("ami"), Path: cty.GetAttrPath("ami"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
{ {
Path: cty.GetAttrPath("nested_block_set"), Path: cty.GetAttrPath("nested_block_set"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
Schema: &configschema.Block{ Schema: &configschema.Block{

View File

@ -9,6 +9,7 @@ import (
ctyjson "github.com/zclconf/go-cty/cty/json" ctyjson "github.com/zclconf/go-cty/cty/json"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/states/statefile" "github.com/hashicorp/terraform/internal/states/statefile"
"github.com/hashicorp/terraform/internal/terraform" "github.com/hashicorp/terraform/internal/terraform"
@ -404,7 +405,7 @@ func marshalResources(resources map[string]*states.Resource, module addrs.Module
} }
func SensitiveAsBool(val cty.Value) cty.Value { func SensitiveAsBool(val cty.Value) cty.Value {
if val.HasMark("sensitive") { if val.HasMark(marks.Sensitive) {
return cty.True return cty.True
} }

View File

@ -8,6 +8,7 @@ import (
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/terraform" "github.com/hashicorp/terraform/internal/terraform"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
@ -122,7 +123,7 @@ func TestMarshalAttributeValues(t *testing.T) {
}), }),
"baz": cty.ListVal([]cty.Value{ "baz": cty.ListVal([]cty.Value{
cty.StringVal("goodnight"), cty.StringVal("goodnight"),
cty.StringVal("moon").Mark("sensitive"), cty.StringVal("moon").Mark(marks.Sensitive),
}), }),
}), }),
attributeValues{ attributeValues{
@ -660,7 +661,6 @@ func testSchemas() *terraform.Schemas {
} }
func TestSensitiveAsBool(t *testing.T) { func TestSensitiveAsBool(t *testing.T) {
sensitive := "sensitive"
tests := []struct { tests := []struct {
Input cty.Value Input cty.Value
Want cty.Value Want cty.Value
@ -674,16 +674,16 @@ func TestSensitiveAsBool(t *testing.T) {
cty.False, cty.False,
}, },
{ {
cty.StringVal("hello").Mark(sensitive), cty.StringVal("hello").Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
cty.NullVal(cty.String).Mark(sensitive), cty.NullVal(cty.String).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
cty.NullVal(cty.DynamicPseudoType).Mark(sensitive), cty.NullVal(cty.DynamicPseudoType).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
@ -691,7 +691,7 @@ func TestSensitiveAsBool(t *testing.T) {
cty.False, cty.False,
}, },
{ {
cty.NullVal(cty.Object(map[string]cty.Type{"test": cty.String})).Mark(sensitive), cty.NullVal(cty.Object(map[string]cty.Type{"test": cty.String})).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
@ -699,7 +699,7 @@ func TestSensitiveAsBool(t *testing.T) {
cty.False, cty.False,
}, },
{ {
cty.DynamicVal.Mark(sensitive), cty.DynamicVal.Mark(marks.Sensitive),
cty.True, cty.True,
}, },
@ -708,13 +708,13 @@ func TestSensitiveAsBool(t *testing.T) {
cty.EmptyTupleVal, cty.EmptyTupleVal,
}, },
{ {
cty.ListValEmpty(cty.String).Mark(sensitive), cty.ListValEmpty(cty.String).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
cty.ListVal([]cty.Value{ cty.ListVal([]cty.Value{
cty.StringVal("hello"), cty.StringVal("hello"),
cty.StringVal("friend").Mark(sensitive), cty.StringVal("friend").Mark(marks.Sensitive),
}), }),
cty.TupleVal([]cty.Value{ cty.TupleVal([]cty.Value{
cty.False, cty.False,
@ -726,7 +726,7 @@ func TestSensitiveAsBool(t *testing.T) {
cty.EmptyTupleVal, cty.EmptyTupleVal,
}, },
{ {
cty.SetValEmpty(cty.String).Mark(sensitive), cty.SetValEmpty(cty.String).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
@ -734,17 +734,17 @@ func TestSensitiveAsBool(t *testing.T) {
cty.TupleVal([]cty.Value{cty.False}), cty.TupleVal([]cty.Value{cty.False}),
}, },
{ {
cty.SetVal([]cty.Value{cty.StringVal("hello").Mark(sensitive)}), cty.SetVal([]cty.Value{cty.StringVal("hello").Mark(marks.Sensitive)}),
cty.True, cty.True,
}, },
{ {
cty.EmptyTupleVal.Mark(sensitive), cty.EmptyTupleVal.Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
cty.TupleVal([]cty.Value{ cty.TupleVal([]cty.Value{
cty.StringVal("hello"), cty.StringVal("hello"),
cty.StringVal("friend").Mark(sensitive), cty.StringVal("friend").Mark(marks.Sensitive),
}), }),
cty.TupleVal([]cty.Value{ cty.TupleVal([]cty.Value{
cty.False, cty.False,
@ -756,7 +756,7 @@ func TestSensitiveAsBool(t *testing.T) {
cty.EmptyObjectVal, cty.EmptyObjectVal,
}, },
{ {
cty.MapValEmpty(cty.String).Mark(sensitive), cty.MapValEmpty(cty.String).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
@ -769,7 +769,7 @@ func TestSensitiveAsBool(t *testing.T) {
{ {
cty.MapVal(map[string]cty.Value{ cty.MapVal(map[string]cty.Value{
"greeting": cty.StringVal("hello"), "greeting": cty.StringVal("hello"),
"animal": cty.StringVal("horse").Mark(sensitive), "animal": cty.StringVal("horse").Mark(marks.Sensitive),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"animal": cty.True, "animal": cty.True,
@ -778,8 +778,8 @@ func TestSensitiveAsBool(t *testing.T) {
{ {
cty.MapVal(map[string]cty.Value{ cty.MapVal(map[string]cty.Value{
"greeting": cty.StringVal("hello"), "greeting": cty.StringVal("hello"),
"animal": cty.StringVal("horse").Mark(sensitive), "animal": cty.StringVal("horse").Mark(marks.Sensitive),
}).Mark(sensitive), }).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
@ -796,7 +796,7 @@ func TestSensitiveAsBool(t *testing.T) {
{ {
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"greeting": cty.StringVal("hello"), "greeting": cty.StringVal("hello"),
"animal": cty.StringVal("horse").Mark(sensitive), "animal": cty.StringVal("horse").Mark(marks.Sensitive),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"animal": cty.True, "animal": cty.True,
@ -805,8 +805,8 @@ func TestSensitiveAsBool(t *testing.T) {
{ {
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"greeting": cty.StringVal("hello"), "greeting": cty.StringVal("hello"),
"animal": cty.StringVal("horse").Mark(sensitive), "animal": cty.StringVal("horse").Mark(marks.Sensitive),
}).Mark(sensitive), }).Mark(marks.Sensitive),
cty.True, cty.True,
}, },
{ {
@ -815,7 +815,7 @@ func TestSensitiveAsBool(t *testing.T) {
"a": cty.UnknownVal(cty.String), "a": cty.UnknownVal(cty.String),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"a": cty.StringVal("known").Mark(sensitive), "a": cty.StringVal("known").Mark(marks.Sensitive),
}), }),
}), }),
cty.TupleVal([]cty.Value{ cty.TupleVal([]cty.Value{
@ -829,7 +829,7 @@ func TestSensitiveAsBool(t *testing.T) {
cty.ListVal([]cty.Value{ cty.ListVal([]cty.Value{
cty.MapValEmpty(cty.String), cty.MapValEmpty(cty.String),
cty.MapVal(map[string]cty.Value{ cty.MapVal(map[string]cty.Value{
"a": cty.StringVal("known").Mark(sensitive), "a": cty.StringVal("known").Mark(marks.Sensitive),
}), }),
cty.MapVal(map[string]cty.Value{ cty.MapVal(map[string]cty.Value{
"a": cty.UnknownVal(cty.String), "a": cty.UnknownVal(cty.String),

View File

@ -10,6 +10,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/command/arguments" "github.com/hashicorp/terraform/internal/command/arguments"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -156,9 +157,10 @@ func (v *addHuman) writeConfigAttributesFromExisting(buf *strings.Builder, state
} else { } else {
val = attrS.EmptyValue() val = attrS.EmptyValue()
} }
if attrS.Sensitive || val.IsMarked() { if attrS.Sensitive || val.HasMark(marks.Sensitive) {
buf.WriteString("null # sensitive") buf.WriteString("null # sensitive")
} else { } else {
val, _ = val.Unmark()
tok := hclwrite.TokensForValue(val) tok := hclwrite.TokensForValue(val)
if _, err := tok.WriteTo(buf); err != nil { if _, err := tok.WriteTo(buf); err != nil {
return err return err
@ -322,7 +324,7 @@ func (v *addHuman) writeConfigBlocksFromExisting(buf *strings.Builder, stateVal
func (v *addHuman) writeConfigNestedTypeAttributeFromExisting(buf *strings.Builder, name string, schema *configschema.Attribute, stateVal cty.Value, indent int) error { func (v *addHuman) writeConfigNestedTypeAttributeFromExisting(buf *strings.Builder, name string, schema *configschema.Attribute, stateVal cty.Value, indent int) error {
switch schema.NestedType.Nesting { switch schema.NestedType.Nesting {
case configschema.NestingSingle: case configschema.NestingSingle:
if schema.Sensitive || stateVal.IsMarked() { if schema.Sensitive || stateVal.HasMark(marks.Sensitive) {
buf.WriteString(strings.Repeat(" ", indent)) buf.WriteString(strings.Repeat(" ", indent))
buf.WriteString(fmt.Sprintf("%s = {} # sensitive\n", name)) buf.WriteString(fmt.Sprintf("%s = {} # sensitive\n", name))
return nil return nil
@ -347,7 +349,7 @@ func (v *addHuman) writeConfigNestedTypeAttributeFromExisting(buf *strings.Build
buf.WriteString(strings.Repeat(" ", indent)) buf.WriteString(strings.Repeat(" ", indent))
buf.WriteString(fmt.Sprintf("%s = [", name)) buf.WriteString(fmt.Sprintf("%s = [", name))
if schema.Sensitive || stateVal.IsMarked() { if schema.Sensitive || stateVal.HasMark(marks.Sensitive) {
buf.WriteString("] # sensitive\n") buf.WriteString("] # sensitive\n")
return nil return nil
} }
@ -359,7 +361,7 @@ func (v *addHuman) writeConfigNestedTypeAttributeFromExisting(buf *strings.Build
buf.WriteString(strings.Repeat(" ", indent+2)) buf.WriteString(strings.Repeat(" ", indent+2))
// The entire element is marked. // The entire element is marked.
if listVals[i].IsMarked() { if listVals[i].HasMark(marks.Sensitive) {
buf.WriteString("{}, # sensitive\n") buf.WriteString("{}, # sensitive\n")
continue continue
} }
@ -379,7 +381,7 @@ func (v *addHuman) writeConfigNestedTypeAttributeFromExisting(buf *strings.Build
buf.WriteString(strings.Repeat(" ", indent)) buf.WriteString(strings.Repeat(" ", indent))
buf.WriteString(fmt.Sprintf("%s = {", name)) buf.WriteString(fmt.Sprintf("%s = {", name))
if schema.Sensitive || stateVal.IsMarked() { if schema.Sensitive || stateVal.HasMark(marks.Sensitive) {
buf.WriteString(" } # sensitive\n") buf.WriteString(" } # sensitive\n")
return nil return nil
} }
@ -397,7 +399,7 @@ func (v *addHuman) writeConfigNestedTypeAttributeFromExisting(buf *strings.Build
buf.WriteString(fmt.Sprintf("%s = {", key)) buf.WriteString(fmt.Sprintf("%s = {", key))
// This entire value is marked // This entire value is marked
if vals[key].IsMarked() { if vals[key].HasMark(marks.Sensitive) {
buf.WriteString("} # sensitive\n") buf.WriteString("} # sensitive\n")
continue continue
} }
@ -426,7 +428,7 @@ func (v *addHuman) writeConfigNestedBlockFromExisting(buf *strings.Builder, name
buf.WriteString(fmt.Sprintf("%s {", name)) buf.WriteString(fmt.Sprintf("%s {", name))
// If the entire value is marked, don't print any nested attributes // If the entire value is marked, don't print any nested attributes
if stateVal.IsMarked() { if stateVal.HasMark(marks.Sensitive) {
buf.WriteString("} # sensitive\n") buf.WriteString("} # sensitive\n")
return nil return nil
} }
@ -440,7 +442,7 @@ func (v *addHuman) writeConfigNestedBlockFromExisting(buf *strings.Builder, name
buf.WriteString("}\n") buf.WriteString("}\n")
return nil return nil
case configschema.NestingList, configschema.NestingSet: case configschema.NestingList, configschema.NestingSet:
if stateVal.IsMarked() { if stateVal.HasMark(marks.Sensitive) {
buf.WriteString(strings.Repeat(" ", indent)) buf.WriteString(strings.Repeat(" ", indent))
buf.WriteString(fmt.Sprintf("%s {} # sensitive\n", name)) buf.WriteString(fmt.Sprintf("%s {} # sensitive\n", name))
return nil return nil
@ -460,7 +462,7 @@ func (v *addHuman) writeConfigNestedBlockFromExisting(buf *strings.Builder, name
return nil return nil
case configschema.NestingMap: case configschema.NestingMap:
// If the entire value is marked, don't print any nested attributes // If the entire value is marked, don't print any nested attributes
if stateVal.IsMarked() { if stateVal.HasMark(marks.Sensitive) {
buf.WriteString(fmt.Sprintf("%s {} # sensitive\n", name)) buf.WriteString(fmt.Sprintf("%s {} # sensitive\n", name))
return nil return nil
} }
@ -475,7 +477,7 @@ func (v *addHuman) writeConfigNestedBlockFromExisting(buf *strings.Builder, name
buf.WriteString(strings.Repeat(" ", indent)) buf.WriteString(strings.Repeat(" ", indent))
buf.WriteString(fmt.Sprintf("%s %q {", name, key)) buf.WriteString(fmt.Sprintf("%s %q {", name, key))
// This entire map element is marked // This entire map element is marked
if vals[key].IsMarked() { if vals[key].HasMark(marks.Sensitive) {
buf.WriteString("} # sensitive\n") buf.WriteString("} # sensitive\n")
return nil return nil
} }

View File

@ -7,6 +7,7 @@ import (
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/terminal" "github.com/hashicorp/terraform/internal/terminal"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -342,7 +343,7 @@ func TestAdd_writeConfigBlocksFromExisting(t *testing.T) {
v := addHuman{optional: true} v := addHuman{optional: true}
val := cty.ObjectVal(map[string]cty.Value{ val := cty.ObjectVal(map[string]cty.Value{
"root_block_device": cty.ObjectVal(map[string]cty.Value{ "root_block_device": cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("foo").Mark("bar"), "volume_type": cty.StringVal("foo").Mark(marks.Sensitive),
}), }),
}) })
schema := addTestSchema(configschema.NestingSingle) schema := addTestSchema(configschema.NestingSingle)
@ -365,7 +366,7 @@ func TestAdd_writeConfigBlocksFromExisting(t *testing.T) {
"root_block_device": cty.ObjectVal(map[string]cty.Value{ "root_block_device": cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("foo"), "volume_type": cty.StringVal("foo"),
}), }),
}).Mark("bar") }).Mark(marks.Sensitive)
schema := addTestSchema(configschema.NestingSingle) schema := addTestSchema(configschema.NestingSingle)
var buf strings.Builder var buf strings.Builder
v.writeConfigBlocksFromExisting(&buf, val, schema.BlockTypes, 0) v.writeConfigBlocksFromExisting(&buf, val, schema.BlockTypes, 0)
@ -412,7 +413,7 @@ root_block_device {
val := cty.ObjectVal(map[string]cty.Value{ val := cty.ObjectVal(map[string]cty.Value{
"root_block_device": cty.ListVal([]cty.Value{ "root_block_device": cty.ListVal([]cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("foo").Mark("sensitive"), "volume_type": cty.StringVal("foo").Mark(marks.Sensitive),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("bar"), "volume_type": cty.StringVal("bar"),
@ -446,7 +447,7 @@ root_block_device {
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("bar"), "volume_type": cty.StringVal("bar"),
}), }),
}).Mark("mark"), }).Mark(marks.Sensitive),
}) })
schema := addTestSchema(configschema.NestingList) schema := addTestSchema(configschema.NestingList)
var buf strings.Builder var buf strings.Builder
@ -500,7 +501,7 @@ root_block_device {
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("bar"), "volume_type": cty.StringVal("bar"),
}), }),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}) })
schema := addTestSchema(configschema.NestingSet) schema := addTestSchema(configschema.NestingSet)
var buf strings.Builder var buf strings.Builder
@ -549,7 +550,7 @@ root_block_device "2" {
val := cty.ObjectVal(map[string]cty.Value{ val := cty.ObjectVal(map[string]cty.Value{
"root_block_device": cty.MapVal(map[string]cty.Value{ "root_block_device": cty.MapVal(map[string]cty.Value{
"1": cty.ObjectVal(map[string]cty.Value{ "1": cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("foo").Mark("sensitive"), "volume_type": cty.StringVal("foo").Mark(marks.Sensitive),
}), }),
"2": cty.ObjectVal(map[string]cty.Value{ "2": cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("bar"), "volume_type": cty.StringVal("bar"),
@ -583,7 +584,7 @@ root_block_device "2" {
"2": cty.ObjectVal(map[string]cty.Value{ "2": cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("bar"), "volume_type": cty.StringVal("bar"),
}), }),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}) })
schema := addTestSchema(configschema.NestingMap) schema := addTestSchema(configschema.NestingMap)
var buf strings.Builder var buf strings.Builder
@ -606,7 +607,7 @@ root_block_device "2" {
}), }),
"2": cty.ObjectVal(map[string]cty.Value{ "2": cty.ObjectVal(map[string]cty.Value{
"volume_type": cty.StringVal("bar"), "volume_type": cty.StringVal("bar"),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}), }),
}) })
schema := addTestSchema(configschema.NestingMap) schema := addTestSchema(configschema.NestingMap)
@ -783,13 +784,13 @@ func TestAdd_WriteConfigNestedTypeAttributeFromExisting(t *testing.T) {
"disks": cty.ListVal([]cty.Value{ "disks": cty.ListVal([]cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"mount_point": cty.StringVal("/mnt/foo"), "mount_point": cty.StringVal("/mnt/foo"),
"size": cty.StringVal("50GB").Mark("hi"), "size": cty.StringVal("50GB").Mark(marks.Sensitive),
}), }),
// This is an odd example, where the entire element is marked. // This is an odd example, where the entire element is marked.
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"mount_point": cty.StringVal("/mnt/bar"), "mount_point": cty.StringVal("/mnt/bar"),
"size": cty.StringVal("250GB"), "size": cty.StringVal("250GB"),
}).Mark("bye"), }).Mark(marks.Sensitive),
}), }),
}) })
@ -825,7 +826,7 @@ func TestAdd_WriteConfigNestedTypeAttributeFromExisting(t *testing.T) {
"size": cty.StringVal("250GB"), "size": cty.StringVal("250GB"),
}), }),
}), }),
}).Mark("sensitive") }).Mark(marks.Sensitive)
schema := addTestSchema(configschema.NestingList) schema := addTestSchema(configschema.NestingList)
var buf strings.Builder var buf strings.Builder
@ -880,12 +881,12 @@ func TestAdd_WriteConfigNestedTypeAttributeFromExisting(t *testing.T) {
"disks": cty.MapVal(map[string]cty.Value{ "disks": cty.MapVal(map[string]cty.Value{
"foo": cty.ObjectVal(map[string]cty.Value{ "foo": cty.ObjectVal(map[string]cty.Value{
"mount_point": cty.StringVal("/mnt/foo"), "mount_point": cty.StringVal("/mnt/foo"),
"size": cty.StringVal("50GB").Mark("sensitive"), "size": cty.StringVal("50GB").Mark(marks.Sensitive),
}), }),
"bar": cty.ObjectVal(map[string]cty.Value{ "bar": cty.ObjectVal(map[string]cty.Value{
"mount_point": cty.StringVal("/mnt/bar"), "mount_point": cty.StringVal("/mnt/bar"),
"size": cty.StringVal("250GB"), "size": cty.StringVal("250GB"),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}), }),
}) })
schema := addTestSchema(configschema.NestingMap) schema := addTestSchema(configschema.NestingMap)

View File

@ -6,6 +6,7 @@ import (
"testing" "testing"
"github.com/hashicorp/terraform/internal/command/arguments" "github.com/hashicorp/terraform/internal/command/arguments"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/terminal" "github.com/hashicorp/terraform/internal/terminal"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
@ -228,7 +229,7 @@ func TestApplyJSON_outputs(t *testing.T) {
v.Outputs(map[string]*states.OutputValue{ v.Outputs(map[string]*states.OutputValue{
"boop_count": {Value: cty.NumberIntVal(92)}, "boop_count": {Value: cty.NumberIntVal(92)},
"password": {Value: cty.StringVal("horse-battery").Mark("sensitive"), Sensitive: true}, "password": {Value: cty.StringVal("horse-battery").Mark(marks.Sensitive), Sensitive: true},
}) })
want := []map[string]interface{}{ want := []map[string]interface{}{

View File

@ -10,6 +10,7 @@ import (
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/hcled" "github.com/hashicorp/hcl/v2/hcled"
"github.com/hashicorp/hcl/v2/hclparse" "github.com/hashicorp/hcl/v2/hclparse"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -260,7 +261,7 @@ func NewDiagnostic(diag tfdiags.Diagnostic, sources map[string][]byte) *Diagnost
Traversal: traversalStr, Traversal: traversalStr,
} }
switch { switch {
case val.IsMarked(): case val.HasMark(marks.Sensitive):
// We won't say anything at all about sensitive values, // We won't say anything at all about sensitive values,
// because we might give away something that was // because we might give away something that was
// sensitive about them. // sensitive about them.
@ -323,7 +324,7 @@ func compactValueStr(val cty.Value) string {
// helpful but concise messages in diagnostics. It is not comprehensive // helpful but concise messages in diagnostics. It is not comprehensive
// nor intended to be used for other purposes. // nor intended to be used for other purposes.
if val.IsMarked() { if val.HasMark(marks.Sensitive) {
// We check this in here just to make sure, but note that the caller // We check this in here just to make sure, but note that the caller
// of compactValueStr ought to have already checked this and skipped // of compactValueStr ought to have already checked this and skipped
// calling into compactValueStr anyway, so this shouldn't actually // calling into compactValueStr anyway, so this shouldn't actually

View File

@ -12,6 +12,7 @@ import (
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/hcltest" "github.com/hashicorp/hcl/v2/hcltest"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -360,7 +361,7 @@ func TestNewDiagnostic(t *testing.T) {
Variables: map[string]cty.Value{ Variables: map[string]cty.Value{
"var": cty.ObjectVal(map[string]cty.Value{ "var": cty.ObjectVal(map[string]cty.Value{
"boop": cty.MapVal(map[string]cty.Value{ "boop": cty.MapVal(map[string]cty.Value{
"hello!": cty.StringVal("bleurgh").Mark("sensitive"), "hello!": cty.StringVal("bleurgh").Mark(marks.Sensitive),
}), }),
}), }),
}, },
@ -416,7 +417,7 @@ func TestNewDiagnostic(t *testing.T) {
Variables: map[string]cty.Value{ Variables: map[string]cty.Value{
"var": cty.ObjectVal(map[string]cty.Value{ "var": cty.ObjectVal(map[string]cty.Value{
"boop": cty.MapVal(map[string]cty.Value{ "boop": cty.MapVal(map[string]cty.Value{
"hello!": cty.StringVal("bleurgh").Mark("sensitive"), "hello!": cty.StringVal("bleurgh").Mark(marks.Sensitive),
}), }),
}), }),
}, },
@ -597,7 +598,7 @@ func TestNewDiagnostic(t *testing.T) {
"a": cty.True, "a": cty.True,
"b": cty.NumberFloatVal(123.45), "b": cty.NumberFloatVal(123.45),
"c": cty.NullVal(cty.String), "c": cty.NullVal(cty.String),
"d": cty.StringVal("secret").Mark("sensitive"), "d": cty.StringVal("secret").Mark(marks.Sensitive),
"e": cty.False, "e": cty.False,
"f": cty.ListValEmpty(cty.String), "f": cty.ListValEmpty(cty.String),
"g": cty.MapVal(map[string]cty.Value{ "g": cty.MapVal(map[string]cty.Value{

View File

@ -5,6 +5,7 @@ import (
"testing" "testing"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -17,7 +18,7 @@ func TestOutputsFromMap(t *testing.T) {
}, },
// Sensitive string output // Sensitive string output
"beep": { "beep": {
Value: cty.StringVal("horse-battery").Mark("sensitive"), Value: cty.StringVal("horse-battery").Mark(marks.Sensitive),
Sensitive: true, Sensitive: true,
}, },
// Sensitive object output which is marked at the leaf // Sensitive object output which is marked at the leaf
@ -25,7 +26,7 @@ func TestOutputsFromMap(t *testing.T) {
Value: cty.ObjectVal(map[string]cty.Value{ Value: cty.ObjectVal(map[string]cty.Value{
"a": cty.ObjectVal(map[string]cty.Value{ "a": cty.ObjectVal(map[string]cty.Value{
"b": cty.ObjectVal(map[string]cty.Value{ "b": cty.ObjectVal(map[string]cty.Value{
"c": cty.StringVal("oh, hi").Mark("sensitive"), "c": cty.StringVal("oh, hi").Mark(marks.Sensitive),
}), }),
}), }),
}), }),

View File

@ -5,6 +5,7 @@ import (
"testing" "testing"
"github.com/hashicorp/terraform/internal/command/arguments" "github.com/hashicorp/terraform/internal/command/arguments"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/terminal" "github.com/hashicorp/terraform/internal/terminal"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
@ -80,7 +81,7 @@ func TestRefreshJSON_outputs(t *testing.T) {
v.Outputs(map[string]*states.OutputValue{ v.Outputs(map[string]*states.OutputValue{
"boop_count": {Value: cty.NumberIntVal(92)}, "boop_count": {Value: cty.NumberIntVal(92)},
"password": {Value: cty.StringVal("horse-battery").Mark("sensitive"), Sensitive: true}, "password": {Value: cty.StringVal("horse-battery").Mark(marks.Sensitive), Sensitive: true},
}) })
want := []map[string]interface{}{ want := []map[string]interface{}{

View File

@ -3,6 +3,7 @@ package configschema
import ( import (
"fmt" "fmt"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -19,7 +20,7 @@ func (b *Block) ValueMarks(val cty.Value, path cty.Path) []cty.PathValueMarks {
attrPath = append(path, cty.GetAttrStep{Name: name}) attrPath = append(path, cty.GetAttrStep{Name: name})
pvm = append(pvm, cty.PathValueMarks{ pvm = append(pvm, cty.PathValueMarks{
Path: attrPath, Path: attrPath,
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}) })
} }
} }

View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -58,7 +59,7 @@ func TestBlockValueMarks(t *testing.T) {
"list": cty.UnknownVal(schema.BlockTypes["list"].ImpliedType()), "list": cty.UnknownVal(schema.BlockTypes["list"].ImpliedType()),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"sensitive": cty.UnknownVal(cty.String).Mark("sensitive"), "sensitive": cty.UnknownVal(cty.String).Mark(marks.Sensitive),
"unsensitive": cty.UnknownVal(cty.String), "unsensitive": cty.UnknownVal(cty.String),
"list": cty.UnknownVal(schema.BlockTypes["list"].ImpliedType()), "list": cty.UnknownVal(schema.BlockTypes["list"].ImpliedType()),
}), }),
@ -79,15 +80,15 @@ func TestBlockValueMarks(t *testing.T) {
}), }),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"sensitive": cty.NullVal(cty.String).Mark("sensitive"), "sensitive": cty.NullVal(cty.String).Mark(marks.Sensitive),
"unsensitive": cty.UnknownVal(cty.String), "unsensitive": cty.UnknownVal(cty.String),
"list": cty.ListVal([]cty.Value{ "list": cty.ListVal([]cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"sensitive": cty.UnknownVal(cty.String).Mark("sensitive"), "sensitive": cty.UnknownVal(cty.String).Mark(marks.Sensitive),
"unsensitive": cty.UnknownVal(cty.String), "unsensitive": cty.UnknownVal(cty.String),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"sensitive": cty.NullVal(cty.String).Mark("sensitive"), "sensitive": cty.NullVal(cty.String).Mark(marks.Sensitive),
"unsensitive": cty.NullVal(cty.String), "unsensitive": cty.NullVal(cty.String),
}), }),
}), }),

View File

@ -6,6 +6,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
"github.com/zclconf/go-cty/cty/convert" "github.com/zclconf/go-cty/cty/convert"
"github.com/zclconf/go-cty/cty/function" "github.com/zclconf/go-cty/cty/function"
@ -62,28 +63,29 @@ func MakeToFunc(wantTy cty.Type) function.Function {
// to be known here but may still be null. // to be known here but may still be null.
ret, err := convert.Convert(args[0], retType) ret, err := convert.Convert(args[0], retType)
if err != nil { if err != nil {
val, _ := args[0].UnmarkDeep()
// Because we used GetConversionUnsafe above, conversion can // Because we used GetConversionUnsafe above, conversion can
// still potentially fail in here. For example, if the user // still potentially fail in here. For example, if the user
// asks to convert the string "a" to bool then we'll // asks to convert the string "a" to bool then we'll
// optimistically permit it during type checking but fail here // optimistically permit it during type checking but fail here
// once we note that the value isn't either "true" or "false". // once we note that the value isn't either "true" or "false".
gotTy := args[0].Type() gotTy := val.Type()
switch { switch {
case args[0].ContainsMarked(): case marks.Contains(args[0], marks.Sensitive):
// Generic message so we won't inadvertently disclose // Generic message so we won't inadvertently disclose
// information about sensitive values. // information about sensitive values.
return cty.NilVal, function.NewArgErrorf(0, "cannot convert this sensitive %s to %s", gotTy.FriendlyName(), wantTy.FriendlyNameForConstraint()) return cty.NilVal, function.NewArgErrorf(0, "cannot convert this sensitive %s to %s", gotTy.FriendlyName(), wantTy.FriendlyNameForConstraint())
case gotTy == cty.String && wantTy == cty.Bool: case gotTy == cty.String && wantTy == cty.Bool:
what := "string" what := "string"
if !args[0].IsNull() { if !val.IsNull() {
what = strconv.Quote(args[0].AsString()) what = strconv.Quote(val.AsString())
} }
return cty.NilVal, function.NewArgErrorf(0, `cannot convert %s to bool; only the strings "true" or "false" are allowed`, what) return cty.NilVal, function.NewArgErrorf(0, `cannot convert %s to bool; only the strings "true" or "false" are allowed`, what)
case gotTy == cty.String && wantTy == cty.Number: case gotTy == cty.String && wantTy == cty.Number:
what := "string" what := "string"
if !args[0].IsNull() { if !val.IsNull() {
what = strconv.Quote(args[0].AsString()) what = strconv.Quote(val.AsString())
} }
return cty.NilVal, function.NewArgErrorf(0, `cannot convert %s to number; given string must be a decimal representation of a number`, what) return cty.NilVal, function.NewArgErrorf(0, `cannot convert %s to number; given string must be a decimal representation of a number`, what)
default: default:
@ -107,7 +109,7 @@ var TypeFunc = function.New(&function.Spec{
}, },
Type: function.StaticReturnType(cty.String), Type: function.StaticReturnType(cty.String),
Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) { Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
return cty.StringVal(TypeString(args[0].Type())).Mark("raw"), nil return cty.StringVal(TypeString(args[0].Type())).Mark(marks.Raw), nil
}, },
}) })

View File

@ -5,6 +5,7 @@ import (
"testing" "testing"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -61,6 +62,12 @@ func TestTo(t *testing.T) {
cty.StringVal("a").Mark("boop"), cty.StringVal("a").Mark("boop"),
cty.Bool, cty.Bool,
cty.DynamicVal, cty.DynamicVal,
`cannot convert "a" to bool; only the strings "true" or "false" are allowed`,
},
{
cty.StringVal("a").Mark(marks.Sensitive),
cty.Bool,
cty.DynamicVal,
`cannot convert this sensitive string to bool`, `cannot convert this sensitive string to bool`,
}, },
{ {
@ -73,6 +80,12 @@ func TestTo(t *testing.T) {
cty.StringVal("a").Mark("boop"), cty.StringVal("a").Mark("boop"),
cty.Number, cty.Number,
cty.DynamicVal, cty.DynamicVal,
`cannot convert "a" to number; given string must be a decimal representation of a number`,
},
{
cty.StringVal("a").Mark(marks.Sensitive),
cty.Number,
cty.DynamicVal,
`cannot convert this sensitive string to number`, `cannot convert this sensitive string to number`,
}, },
{ {

View File

@ -1,6 +1,7 @@
package funcs package funcs
import ( import (
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
"github.com/zclconf/go-cty/cty/function" "github.com/zclconf/go-cty/cty/function"
) )
@ -25,7 +26,7 @@ var SensitiveFunc = function.New(&function.Spec{
}, },
Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) { Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
val, _ := args[0].Unmark() val, _ := args[0].Unmark()
return val.Mark("sensitive"), nil return val.Mark(marks.Sensitive), nil
}, },
}) })
@ -48,12 +49,12 @@ var NonsensitiveFunc = function.New(&function.Spec{
return args[0].Type(), nil return args[0].Type(), nil
}, },
Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) { Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
if args[0].IsKnown() && !args[0].HasMark("sensitive") { if args[0].IsKnown() && !args[0].HasMark(marks.Sensitive) {
return cty.DynamicVal, function.NewArgErrorf(0, "the given value is not sensitive, so this call is redundant") return cty.DynamicVal, function.NewArgErrorf(0, "the given value is not sensitive, so this call is redundant")
} }
v, marks := args[0].Unmark() v, m := args[0].Unmark()
delete(marks, "sensitive") // remove the sensitive marking delete(m, marks.Sensitive) // remove the sensitive marking
return v.WithMarks(marks), nil return v.WithMarks(m), nil
}, },
}) })

View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -38,7 +39,7 @@ func TestSensitive(t *testing.T) {
}, },
{ {
// A value already marked is allowed and stays marked // A value already marked is allowed and stays marked
cty.NumberIntVal(1).Mark("sensitive"), cty.NumberIntVal(1).Mark(marks.Sensitive),
``, ``,
}, },
{ {
@ -52,7 +53,7 @@ func TestSensitive(t *testing.T) {
{ {
// A value deep already marked is allowed and stays marked, // A value deep already marked is allowed and stays marked,
// _and_ we'll also mark the outer collection as sensitive. // _and_ we'll also mark the outer collection as sensitive.
cty.ListVal([]cty.Value{cty.NumberIntVal(1).Mark("sensitive")}), cty.ListVal([]cty.Value{cty.NumberIntVal(1).Mark(marks.Sensitive)}),
``, ``,
}, },
} }
@ -73,7 +74,7 @@ func TestSensitive(t *testing.T) {
t.Fatalf("unexpected error: %s", err) t.Fatalf("unexpected error: %s", err)
} }
if !got.HasMark("sensitive") { if !got.HasMark(marks.Sensitive) {
t.Errorf("result is not marked sensitive") t.Errorf("result is not marked sensitive")
} }
@ -105,24 +106,24 @@ func TestNonsensitive(t *testing.T) {
WantErr string WantErr string
}{ }{
{ {
cty.NumberIntVal(1).Mark("sensitive"), cty.NumberIntVal(1).Mark(marks.Sensitive),
``, ``,
}, },
{ {
cty.DynamicVal.Mark("sensitive"), cty.DynamicVal.Mark(marks.Sensitive),
``, ``,
}, },
{ {
cty.UnknownVal(cty.String).Mark("sensitive"), cty.UnknownVal(cty.String).Mark(marks.Sensitive),
``, ``,
}, },
{ {
cty.NullVal(cty.EmptyObject).Mark("sensitive"), cty.NullVal(cty.EmptyObject).Mark(marks.Sensitive),
``, ``,
}, },
{ {
// The inner sensitive remains afterwards // The inner sensitive remains afterwards
cty.ListVal([]cty.Value{cty.NumberIntVal(1).Mark("sensitive")}).Mark("sensitive"), cty.ListVal([]cty.Value{cty.NumberIntVal(1).Mark(marks.Sensitive)}).Mark(marks.Sensitive),
``, ``,
}, },
@ -166,7 +167,7 @@ func TestNonsensitive(t *testing.T) {
t.Fatalf("unexpected error: %s", err) t.Fatalf("unexpected error: %s", err)
} }
if got.HasMark("sensitive") { if got.HasMark(marks.Sensitive) {
t.Errorf("result is still marked sensitive") t.Errorf("result is still marked sensitive")
} }
wantRaw, _ := test.Input.Unmark() wantRaw, _ := test.Input.Unmark()

View File

@ -9,6 +9,7 @@ import (
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/hclsyntax" "github.com/hashicorp/hcl/v2/hclsyntax"
"github.com/hashicorp/terraform/internal/experiments" "github.com/hashicorp/terraform/internal/experiments"
"github.com/hashicorp/terraform/internal/lang/marks"
homedir "github.com/mitchellh/go-homedir" homedir "github.com/mitchellh/go-homedir"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -715,7 +716,7 @@ func TestFunctions(t *testing.T) {
"sensitive": { "sensitive": {
{ {
`sensitive(1)`, `sensitive(1)`,
cty.NumberIntVal(1).Mark("sensitive"), cty.NumberIntVal(1).Mark(marks.Sensitive),
}, },
}, },

View File

@ -0,0 +1,43 @@
package marks
import (
"strings"
"github.com/zclconf/go-cty/cty"
)
// valueMarks allow creating strictly typed values for use as cty.Value marks.
// The variable name for new values should be the title-cased format of the
// value to better match the GoString output for debugging.
type valueMark string
func (m valueMark) GoString() string {
return "marks." + strings.Title(string(m))
}
// Has returns true if and only if the cty.Value has the given mark.
func Has(val cty.Value, mark valueMark) bool {
return val.HasMark(mark)
}
// Contains returns true if the cty.Value or any any value within it contains
// the given mark.
func Contains(val cty.Value, mark valueMark) bool {
ret := false
cty.Walk(val, func(_ cty.Path, v cty.Value) (bool, error) {
if v.HasMark(mark) {
ret = true
return false, nil
}
return true, nil
})
return ret
}
// Sensitive indicates that this value is marked as sensitive in the context of
// Terraform.
var Sensitive = valueMark("sensitive")
// Raw is used to indicate to the repl that the value should be written without
// any formatting.
var Raw = valueMark("raw")

View File

@ -4,13 +4,14 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
func TestChangeEncodeSensitive(t *testing.T) { func TestChangeEncodeSensitive(t *testing.T) {
testVals := []cty.Value{ testVals := []cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"ding": cty.StringVal("dong").Mark("sensitive"), "ding": cty.StringVal("dong").Mark(marks.Sensitive),
}), }),
cty.StringVal("bleep").Mark("bloop"), cty.StringVal("bleep").Mark("bloop"),
cty.ListVal([]cty.Value{cty.UnknownVal(cty.String).Mark("sup?")}), cty.ListVal([]cty.Value{cty.UnknownVal(cty.String).Mark("sup?")}),

View File

@ -8,6 +8,7 @@ import (
"github.com/zclconf/go-cty/cty/convert" "github.com/zclconf/go-cty/cty/convert"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
) )
// AssertObjectCompatible checks whether the given "actual" value is a valid // AssertObjectCompatible checks whether the given "actual" value is a valid
@ -57,11 +58,11 @@ func assertObjectCompatible(schema *configschema.Block, planned, actual cty.Valu
// exposing a value through errors // exposing a value through errors
unmarkedActualV, marksA := actualV.UnmarkDeep() unmarkedActualV, marksA := actualV.UnmarkDeep()
unmarkedPlannedV, marksP := plannedV.UnmarkDeep() unmarkedPlannedV, marksP := plannedV.UnmarkDeep()
_, isMarkedActual := marksA["sensitive"] _, isSensitiveActual := marksA[marks.Sensitive]
_, isMarkedPlanned := marksP["sensitive"] _, isSensitivePlanned := marksP[marks.Sensitive]
moreErrs := assertValueCompatible(unmarkedPlannedV, unmarkedActualV, path) moreErrs := assertValueCompatible(unmarkedPlannedV, unmarkedActualV, path)
if attrS.Sensitive || isMarkedActual || isMarkedPlanned { if attrS.Sensitive || isSensitiveActual || isSensitivePlanned {
if len(moreErrs) > 0 { if len(moreErrs) > 0 {
// Use a vague placeholder message instead, to avoid disclosing // Use a vague placeholder message instead, to avoid disclosing
// sensitive information. // sensitive information.

View File

@ -8,6 +8,7 @@ import (
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
) )
@ -155,7 +156,7 @@ func TestAssertObjectCompatible(t *testing.T) {
}, },
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"id": cty.UnknownVal(cty.String), "id": cty.UnknownVal(cty.String),
"name": cty.StringVal("wotsit").Mark("sensitive"), "name": cty.StringVal("wotsit").Mark(marks.Sensitive),
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"id": cty.UnknownVal(cty.String), "id": cty.UnknownVal(cty.String),
@ -184,7 +185,7 @@ func TestAssertObjectCompatible(t *testing.T) {
}), }),
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"id": cty.UnknownVal(cty.String), "id": cty.UnknownVal(cty.String),
"name": cty.StringVal("thingy").Mark("sensitive"), "name": cty.StringVal("thingy").Mark(marks.Sensitive),
}), }),
[]string{ []string{
`.name: inconsistent values for sensitive attribute`, `.name: inconsistent values for sensitive attribute`,
@ -216,7 +217,7 @@ func TestAssertObjectCompatible(t *testing.T) {
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"foo": cty.StringVal("secret"), "foo": cty.StringVal("secret"),
}), }),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}), }),
}), }),
}), }),
@ -227,7 +228,7 @@ func TestAssertObjectCompatible(t *testing.T) {
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"foo": cty.StringVal("secret"), "foo": cty.StringVal("secret"),
}), }),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}), }),
}), }),
}), }),

View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -89,16 +90,16 @@ func TestLongestCommonSubsequence(t *testing.T) {
}, },
{ {
[]cty.Value{ []cty.Value{
cty.MapVal(map[string]cty.Value{"a": cty.StringVal("x").Mark("sensitive")}), cty.MapVal(map[string]cty.Value{"a": cty.StringVal("x").Mark(marks.Sensitive)}),
cty.MapVal(map[string]cty.Value{"b": cty.StringVal("y")}), cty.MapVal(map[string]cty.Value{"b": cty.StringVal("y")}),
}, },
[]cty.Value{ []cty.Value{
cty.MapVal(map[string]cty.Value{"a": cty.StringVal("x").Mark("sensitive")}), cty.MapVal(map[string]cty.Value{"a": cty.StringVal("x").Mark(marks.Sensitive)}),
cty.MapVal(map[string]cty.Value{"b": cty.StringVal("y")}), cty.MapVal(map[string]cty.Value{"b": cty.StringVal("y")}),
cty.MapVal(map[string]cty.Value{"c": cty.StringVal("z")}), cty.MapVal(map[string]cty.Value{"c": cty.StringVal("z")}),
}, },
[]cty.Value{ []cty.Value{
cty.MapVal(map[string]cty.Value{"a": cty.StringVal("x").Mark("sensitive")}), cty.MapVal(map[string]cty.Value{"a": cty.StringVal("x").Mark(marks.Sensitive)}),
cty.MapVal(map[string]cty.Value{"b": cty.StringVal("y")}), cty.MapVal(map[string]cty.Value{"b": cty.StringVal("y")}),
}, },
}, },

View File

@ -8,6 +8,7 @@ import (
"google.golang.org/protobuf/proto" "google.golang.org/protobuf/proto"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/plans/internal/planproto" "github.com/hashicorp/terraform/internal/plans/internal/planproto"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
@ -315,7 +316,7 @@ func changeFromTfplan(rawChange *planproto.Change) (*plans.ChangeSrc, error) {
} }
} }
sensitive := cty.NewValueMarks("sensitive") sensitive := cty.NewValueMarks(marks.Sensitive)
beforeValMarks, err := pathValueMarksFromTfplan(rawChange.BeforeSensitivePaths, sensitive) beforeValMarks, err := pathValueMarksFromTfplan(rawChange.BeforeSensitivePaths, sensitive)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to decode before sensitive paths: %s", err) return nil, fmt.Errorf("failed to decode before sensitive paths: %s", err)

View File

@ -8,6 +8,7 @@ import (
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
) )
@ -78,7 +79,7 @@ func TestTFPlanRoundTrip(t *testing.T) {
AfterValMarks: []cty.PathValueMarks{ AfterValMarks: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("boop").IndexInt(1), Path: cty.GetAttrPath("boop").IndexInt(1),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
}, },

View File

@ -5,6 +5,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -16,11 +17,11 @@ func FormatValue(v cty.Value, indent int) string {
if !v.IsKnown() { if !v.IsKnown() {
return "(known after apply)" return "(known after apply)"
} }
if v.Type().Equals(cty.String) && v.HasMark("raw") { if v.Type().Equals(cty.String) && v.HasMark(marks.Raw) {
raw, _ := v.Unmark() raw, _ := v.Unmark()
return raw.AsString() return raw.AsString()
} }
if v.HasMark("sensitive") { if v.HasMark(marks.Sensitive) {
return "(sensitive)" return "(sensitive)"
} }
if v.IsNull() { if v.IsNull() {

View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -170,7 +171,7 @@ EOT_`,
`toset([])`, `toset([])`,
}, },
{ {
cty.StringVal("sensitive value").Mark("sensitive"), cty.StringVal("sensitive value").Mark(marks.Sensitive),
"(sensitive)", "(sensitive)",
}, },
} }

View File

@ -8,6 +8,7 @@ import (
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/lang/marks"
) )
func TestState(t *testing.T) { func TestState(t *testing.T) {
@ -262,7 +263,7 @@ func TestStateDeepCopy(t *testing.T) {
AttrSensitivePaths: []cty.PathValueMarks{ AttrSensitivePaths: []cty.PathValueMarks{
{ {
Path: cty.Path{cty.GetAttrStep{Name: "woozles"}}, Path: cty.Path{cty.GetAttrStep{Name: "woozles"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
Private: []byte("private data"), Private: []byte("private data"),

View File

@ -11,6 +11,7 @@ import (
ctyjson "github.com/zclconf/go-cty/cty/json" ctyjson "github.com/zclconf/go-cty/cty/json"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
) )
@ -164,7 +165,7 @@ func prepareStateV4(sV4 *stateV4) (*File, tfdiags.Diagnostics) {
for _, path := range paths { for _, path := range paths {
pvm = append(pvm, cty.PathValueMarks{ pvm = append(pvm, cty.PathValueMarks{
Path: path, Path: path,
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}) })
} }
obj.AttrSensitivePaths = pvm obj.AttrSensitivePaths = pvm

View File

@ -9,6 +9,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/providers" "github.com/hashicorp/terraform/internal/providers"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
@ -420,7 +421,7 @@ resource "test_resource" "b" {
AttrSensitivePaths: []cty.PathValueMarks{ AttrSensitivePaths: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("sensitive_attr"), Path: cty.GetAttrPath("sensitive_attr"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
Status: states.ObjectReady, Status: states.ObjectReady,

View File

@ -22,6 +22,7 @@ import (
"github.com/hashicorp/terraform/internal/configs" "github.com/hashicorp/terraform/internal/configs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/configs/hcl2shim" "github.com/hashicorp/terraform/internal/configs/hcl2shim"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/providers" "github.com/hashicorp/terraform/internal/providers"
"github.com/hashicorp/terraform/internal/provisioners" "github.com/hashicorp/terraform/internal/provisioners"
@ -11949,7 +11950,7 @@ resource "test_resource" "foo" {
if gotPath, wantPath := pvm.Path, cty.GetAttrPath("value"); !gotPath.Equals(wantPath) { if gotPath, wantPath := pvm.Path, cty.GetAttrPath("value"); !gotPath.Equals(wantPath) {
t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath) t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath)
} }
if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks("sensitive"); !gotMarks.Equal(wantMarks) { if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks(marks.Sensitive); !gotMarks.Equal(wantMarks) {
t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks) t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks)
} }
} }
@ -12013,7 +12014,7 @@ resource "test_resource" "baz" {
if gotPath, wantPath := pvm.Path, cty.GetAttrPath("value"); !gotPath.Equals(wantPath) { if gotPath, wantPath := pvm.Path, cty.GetAttrPath("value"); !gotPath.Equals(wantPath) {
t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath) t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath)
} }
if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks("sensitive"); !gotMarks.Equal(wantMarks) { if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks(marks.Sensitive); !gotMarks.Equal(wantMarks) {
t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks) t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks)
} }
} }
@ -12098,7 +12099,7 @@ resource "test_resource" "foo" {
got := fooState.Current.AttrSensitivePaths[0] got := fooState.Current.AttrSensitivePaths[0]
want := cty.PathValueMarks{ want := cty.PathValueMarks{
Path: cty.GetAttrPath("value"), Path: cty.GetAttrPath("value"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
} }
if !got.Equal(want) { if !got.Equal(want) {
@ -12399,7 +12400,7 @@ func TestContext2Apply_dataSensitive(t *testing.T) {
if gotPath, wantPath := pvm.Path, cty.GetAttrPath("foo"); !gotPath.Equals(wantPath) { if gotPath, wantPath := pvm.Path, cty.GetAttrPath("foo"); !gotPath.Equals(wantPath) {
t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath) t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath)
} }
if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks("sensitive"); !gotMarks.Equal(wantMarks) { if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks(marks.Sensitive); !gotMarks.Equal(wantMarks) {
t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks) t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks)
} }
} }

View File

@ -9,6 +9,7 @@ import (
"github.com/davecgh/go-spew/spew" "github.com/davecgh/go-spew/spew"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/providers" "github.com/hashicorp/terraform/internal/providers"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
@ -175,7 +176,7 @@ data "test_data_source" "foo" {
AttrSensitivePaths: []cty.PathValueMarks{ AttrSensitivePaths: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("foo"), Path: cty.GetAttrPath("foo"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
}, },
@ -1092,7 +1093,7 @@ data "test_data_source" "foo" {
AttrSensitivePaths: []cty.PathValueMarks{ AttrSensitivePaths: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("foo"), Path: cty.GetAttrPath("foo"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
}, },
@ -1106,7 +1107,7 @@ data "test_data_source" "foo" {
AttrSensitivePaths: []cty.PathValueMarks{ AttrSensitivePaths: []cty.PathValueMarks{
{ {
Path: cty.GetAttrPath("sensitive"), Path: cty.GetAttrPath("sensitive"),
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
}, },

View File

@ -18,6 +18,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/configs/hcl2shim" "github.com/hashicorp/terraform/internal/configs/hcl2shim"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/providers" "github.com/hashicorp/terraform/internal/providers"
"github.com/hashicorp/terraform/internal/provisioners" "github.com/hashicorp/terraform/internal/provisioners"
@ -4793,7 +4794,7 @@ func TestContext2Plan_ignoreChangesSensitive(t *testing.T) {
checkVals(t, objectVal(t, schema, map[string]cty.Value{ checkVals(t, objectVal(t, schema, map[string]cty.Value{
"id": cty.StringVal("bar"), "id": cty.StringVal("bar"),
"ami": cty.StringVal("ami-abcd1234").Mark("sensitive"), "ami": cty.StringVal("ami-abcd1234").Mark(marks.Sensitive),
"type": cty.StringVal("aws_instance"), "type": cty.StringVal("aws_instance"),
}), ric.After) }), ric.After)
} }
@ -5627,7 +5628,7 @@ func TestContext2Plan_variableSensitivity(t *testing.T) {
switch i := ric.Addr.String(); i { switch i := ric.Addr.String(); i {
case "aws_instance.foo": case "aws_instance.foo":
checkVals(t, objectVal(t, schema, map[string]cty.Value{ checkVals(t, objectVal(t, schema, map[string]cty.Value{
"foo": cty.StringVal("foo").Mark("sensitive"), "foo": cty.StringVal("foo").Mark(marks.Sensitive),
}), ric.After) }), ric.After)
if len(res.ChangeSrc.BeforeValMarks) != 0 { if len(res.ChangeSrc.BeforeValMarks) != 0 {
t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks) t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks)
@ -5640,7 +5641,7 @@ func TestContext2Plan_variableSensitivity(t *testing.T) {
if got, want := pvm.Path, cty.GetAttrPath("foo"); !got.Equals(want) { if got, want := pvm.Path, cty.GetAttrPath("foo"); !got.Equals(want) {
t.Errorf("unexpected path for mark\n got: %#v\nwant: %#v", got, want) t.Errorf("unexpected path for mark\n got: %#v\nwant: %#v", got, want)
} }
if got, want := pvm.Marks, cty.NewValueMarks("sensitive"); !got.Equal(want) { if got, want := pvm.Marks, cty.NewValueMarks(marks.Sensitive); !got.Equal(want) {
t.Errorf("unexpected value for mark\n got: %#v\nwant: %#v", got, want) t.Errorf("unexpected value for mark\n got: %#v\nwant: %#v", got, want)
} }
default: default:
@ -5694,8 +5695,8 @@ func TestContext2Plan_variableSensitivityModule(t *testing.T) {
switch i := ric.Addr.String(); i { switch i := ric.Addr.String(); i {
case "module.child.aws_instance.foo": case "module.child.aws_instance.foo":
checkVals(t, objectVal(t, schema, map[string]cty.Value{ checkVals(t, objectVal(t, schema, map[string]cty.Value{
"foo": cty.StringVal("foo").Mark("sensitive"), "foo": cty.StringVal("foo").Mark(marks.Sensitive),
"value": cty.StringVal("boop").Mark("sensitive"), "value": cty.StringVal("boop").Mark(marks.Sensitive),
}), ric.After) }), ric.After)
if len(res.ChangeSrc.BeforeValMarks) != 0 { if len(res.ChangeSrc.BeforeValMarks) != 0 {
t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks) t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks)
@ -5708,7 +5709,7 @@ func TestContext2Plan_variableSensitivityModule(t *testing.T) {
contains := func(pvmSlice []cty.PathValueMarks, stepName string) bool { contains := func(pvmSlice []cty.PathValueMarks, stepName string) bool {
for _, pvm := range pvmSlice { for _, pvm := range pvmSlice {
if pvm.Path.Equals(cty.GetAttrPath(stepName)) { if pvm.Path.Equals(cty.GetAttrPath(stepName)) {
if pvm.Marks.Equal(cty.NewValueMarks("sensitive")) { if pvm.Marks.Equal(cty.NewValueMarks(marks.Sensitive)) {
return true return true
} }
} }
@ -6753,8 +6754,8 @@ resource "test_resource" "foo" {
Status: states.ObjectReady, Status: states.ObjectReady,
AttrsJSON: []byte(`{"id":"foo", "value":"hello", "sensitive_value":"hello"}`), AttrsJSON: []byte(`{"id":"foo", "value":"hello", "sensitive_value":"hello"}`),
AttrSensitivePaths: []cty.PathValueMarks{ AttrSensitivePaths: []cty.PathValueMarks{
{Path: cty.Path{cty.GetAttrStep{Name: "value"}}, Marks: cty.NewValueMarks("sensitive")}, {Path: cty.Path{cty.GetAttrStep{Name: "value"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
{Path: cty.Path{cty.GetAttrStep{Name: "sensitive_value"}}, Marks: cty.NewValueMarks("sensitive")}, {Path: cty.Path{cty.GetAttrStep{Name: "sensitive_value"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
}, },
addrs.AbsProviderConfig{ addrs.AbsProviderConfig{

View File

@ -7,6 +7,7 @@ import (
"github.com/davecgh/go-spew/spew" "github.com/davecgh/go-spew/spew"
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/hcltest" "github.com/hashicorp/hcl/v2/hcltest"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -20,7 +21,7 @@ func TestEvaluateCountExpression(t *testing.T) {
0, 0,
}, },
"expression with marked value": { "expression with marked value": {
hcltest.MockExprLiteral(cty.NumberIntVal(8).Mark("sensitive")), hcltest.MockExprLiteral(cty.NumberIntVal(8).Mark(marks.Sensitive)),
8, 8,
}, },
} }

View File

@ -5,6 +5,7 @@ import (
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/terraform/internal/lang" "github.com/hashicorp/terraform/internal/lang"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -61,7 +62,7 @@ func evaluateForEachExpressionValue(expr hcl.Expression, ctx EvalContext, allowU
// If a whole map is marked, or a set contains marked values (which means the set is then marked) // If a whole map is marked, or a set contains marked values (which means the set is then marked)
// give an error diagnostic as this value cannot be used in for_each // give an error diagnostic as this value cannot be used in for_each
if forEachVal.IsMarked() { if forEachVal.HasMark(marks.Sensitive) {
diags = diags.Append(&hcl.Diagnostic{ diags = diags.Append(&hcl.Diagnostic{
Severity: hcl.DiagError, Severity: hcl.DiagError,
Summary: "Invalid for_each argument", Summary: "Invalid for_each argument",

View File

@ -8,6 +8,7 @@ import (
"github.com/davecgh/go-spew/spew" "github.com/davecgh/go-spew/spew"
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/hcltest" "github.com/hashicorp/hcl/v2/hcltest"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -54,11 +55,11 @@ func TestEvaluateForEachExpression_valid(t *testing.T) {
}, },
"map containing sensitive values, but strings are literal": { "map containing sensitive values, but strings are literal": {
hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{ hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{
"a": cty.BoolVal(true).Mark("sensitive"), "a": cty.BoolVal(true).Mark(marks.Sensitive),
"b": cty.BoolVal(false), "b": cty.BoolVal(false),
})), })),
map[string]cty.Value{ map[string]cty.Value{
"a": cty.BoolVal(true).Mark("sensitive"), "a": cty.BoolVal(true).Mark(marks.Sensitive),
"b": cty.BoolVal(false), "b": cty.BoolVal(false),
}, },
}, },
@ -124,7 +125,7 @@ func TestEvaluateForEachExpression_errors(t *testing.T) {
hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{ hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{
"a": cty.BoolVal(true), "a": cty.BoolVal(true),
"b": cty.BoolVal(false), "b": cty.BoolVal(false),
}).Mark("sensitive")), }).Mark(marks.Sensitive)),
"Invalid for_each argument", "Invalid for_each argument",
"Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.", "Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.",
}, },
@ -149,7 +150,7 @@ func TestEvaluateForEachExpression_errors(t *testing.T) {
"depends on resource attributes that cannot be determined until apply", "depends on resource attributes that cannot be determined until apply",
}, },
"set containing marked values": { "set containing marked values": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.StringVal("beep").Mark("sensitive"), cty.StringVal("boop")})), hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.StringVal("beep").Mark(marks.Sensitive), cty.StringVal("boop")})),
"Invalid for_each argument", "Invalid for_each argument",
"Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.", "Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.",
}, },

View File

@ -17,6 +17,7 @@ import (
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/instances" "github.com/hashicorp/terraform/internal/instances"
"github.com/hashicorp/terraform/internal/lang" "github.com/hashicorp/terraform/internal/lang"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
@ -261,7 +262,7 @@ func (d *evaluationStateData) GetInputVariable(addr addrs.InputVariable, rng tfd
if d.Operation == walkValidate { if d.Operation == walkValidate {
// Ensure variable sensitivity is captured in the validate walk // Ensure variable sensitivity is captured in the validate walk
if config.Sensitive { if config.Sensitive {
return cty.UnknownVal(wantType).Mark("sensitive"), diags return cty.UnknownVal(wantType).Mark(marks.Sensitive), diags
} }
return cty.UnknownVal(wantType), diags return cty.UnknownVal(wantType), diags
} }
@ -296,9 +297,9 @@ func (d *evaluationStateData) GetInputVariable(addr addrs.InputVariable, rng tfd
val = cty.UnknownVal(wantType) val = cty.UnknownVal(wantType)
} }
// Mark if sensitive, and avoid double-marking if this has already been marked // Mark if sensitive
if config.Sensitive && !val.HasMark("sensitive") { if config.Sensitive {
val = val.Mark("sensitive") val = val.Mark(marks.Sensitive)
} }
return val, diags return val, diags
@ -432,8 +433,8 @@ func (d *evaluationStateData) GetModule(addr addrs.ModuleCall, rng tfdiags.Sourc
instance[cfg.Name] = outputState instance[cfg.Name] = outputState
if cfg.Sensitive && !outputState.HasMark("sensitive") { if cfg.Sensitive {
instance[cfg.Name] = outputState.Mark("sensitive") instance[cfg.Name] = outputState.Mark(marks.Sensitive)
} }
} }
@ -461,8 +462,8 @@ func (d *evaluationStateData) GetModule(addr addrs.ModuleCall, rng tfdiags.Sourc
instance[cfg.Name] = change.After instance[cfg.Name] = change.After
if change.Sensitive && !change.After.HasMark("sensitive") { if change.Sensitive {
instance[cfg.Name] = change.After.Mark("sensitive") instance[cfg.Name] = change.After.Mark(marks.Sensitive)
} }
} }
} }

View File

@ -10,6 +10,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs" "github.com/hashicorp/terraform/internal/configs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
@ -110,7 +111,7 @@ func TestEvaluatorGetInputVariable(t *testing.T) {
VariableValues: map[string]map[string]cty.Value{ VariableValues: map[string]map[string]cty.Value{
"": { "": {
"some_var": cty.StringVal("bar"), "some_var": cty.StringVal("bar"),
"some_other_var": cty.StringVal("boop").Mark("sensitive"), "some_other_var": cty.StringVal("boop").Mark(marks.Sensitive),
}, },
}, },
VariableValuesLock: &sync.Mutex{}, VariableValuesLock: &sync.Mutex{},
@ -121,7 +122,7 @@ func TestEvaluatorGetInputVariable(t *testing.T) {
} }
scope := evaluator.Scope(data, nil) scope := evaluator.Scope(data, nil)
want := cty.StringVal("bar").Mark("sensitive") want := cty.StringVal("bar").Mark(marks.Sensitive)
got, diags := scope.Data.GetInputVariable(addrs.InputVariable{ got, diags := scope.Data.GetInputVariable(addrs.InputVariable{
Name: "some_var", Name: "some_var",
}, tfdiags.SourceRange{}) }, tfdiags.SourceRange{})
@ -133,7 +134,7 @@ func TestEvaluatorGetInputVariable(t *testing.T) {
t.Errorf("wrong result %#v; want %#v", got, want) t.Errorf("wrong result %#v; want %#v", got, want)
} }
want = cty.StringVal("boop").Mark("sensitive") want = cty.StringVal("boop").Mark(marks.Sensitive)
got, diags = scope.Data.GetInputVariable(addrs.InputVariable{ got, diags = scope.Data.GetInputVariable(addrs.InputVariable{
Name: "some_other_var", Name: "some_other_var",
}, tfdiags.SourceRange{}) }, tfdiags.SourceRange{})
@ -276,30 +277,30 @@ func TestEvaluatorGetResource(t *testing.T) {
"id": cty.StringVal("foo"), "id": cty.StringVal("foo"),
"nesting_list": cty.ListVal([]cty.Value{ "nesting_list": cty.ListVal([]cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"sensitive_value": cty.StringVal("abc").Mark("sensitive"), "sensitive_value": cty.StringVal("abc").Mark(marks.Sensitive),
"value": cty.NullVal(cty.String), "value": cty.NullVal(cty.String),
}), }),
}), }),
"nesting_map": cty.MapVal(map[string]cty.Value{ "nesting_map": cty.MapVal(map[string]cty.Value{
"foo": cty.ObjectVal(map[string]cty.Value{"foo": cty.StringVal("x").Mark("sensitive")}), "foo": cty.ObjectVal(map[string]cty.Value{"foo": cty.StringVal("x").Mark(marks.Sensitive)}),
}), }),
"nesting_nesting": cty.ObjectVal(map[string]cty.Value{ "nesting_nesting": cty.ObjectVal(map[string]cty.Value{
"nesting_list": cty.ListVal([]cty.Value{ "nesting_list": cty.ListVal([]cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"sensitive_value": cty.StringVal("abc").Mark("sensitive"), "sensitive_value": cty.StringVal("abc").Mark(marks.Sensitive),
"value": cty.NullVal(cty.String), "value": cty.NullVal(cty.String),
}), }),
}), }),
}), }),
"nesting_set": cty.SetVal([]cty.Value{ "nesting_set": cty.SetVal([]cty.Value{
cty.ObjectVal(map[string]cty.Value{ cty.ObjectVal(map[string]cty.Value{
"baz": cty.StringVal("abc").Mark("sensitive"), "baz": cty.StringVal("abc").Mark(marks.Sensitive),
}), }),
}), }),
"nesting_single": cty.ObjectVal(map[string]cty.Value{ "nesting_single": cty.ObjectVal(map[string]cty.Value{
"boop": cty.StringVal("abc").Mark("sensitive"), "boop": cty.StringVal("abc").Mark(marks.Sensitive),
}), }),
"value": cty.StringVal("hello").Mark("sensitive"), "value": cty.StringVal("hello").Mark(marks.Sensitive),
}) })
addr := addrs.Resource{ addr := addrs.Resource{
@ -354,7 +355,7 @@ func TestEvaluatorGetResource_changes(t *testing.T) {
// Provide an After value that contains a marked value // Provide an After value that contains a marked value
After: cty.ObjectVal(map[string]cty.Value{ After: cty.ObjectVal(map[string]cty.Value{
"id": cty.StringVal("foo"), "id": cty.StringVal("foo"),
"to_mark_val": cty.StringVal("pizza").Mark("sensitive"), "to_mark_val": cty.StringVal("pizza").Mark(marks.Sensitive),
"sensitive_value": cty.StringVal("abc"), "sensitive_value": cty.StringVal("abc"),
"sensitive_collection": cty.MapVal(map[string]cty.Value{ "sensitive_collection": cty.MapVal(map[string]cty.Value{
"boop": cty.StringVal("beep"), "boop": cty.StringVal("beep"),
@ -439,11 +440,11 @@ func TestEvaluatorGetResource_changes(t *testing.T) {
want := cty.ObjectVal(map[string]cty.Value{ want := cty.ObjectVal(map[string]cty.Value{
"id": cty.StringVal("foo"), "id": cty.StringVal("foo"),
"to_mark_val": cty.StringVal("pizza").Mark("sensitive"), "to_mark_val": cty.StringVal("pizza").Mark(marks.Sensitive),
"sensitive_value": cty.StringVal("abc").Mark("sensitive"), "sensitive_value": cty.StringVal("abc").Mark(marks.Sensitive),
"sensitive_collection": cty.MapVal(map[string]cty.Value{ "sensitive_collection": cty.MapVal(map[string]cty.Value{
"boop": cty.StringVal("beep"), "boop": cty.StringVal("beep"),
}).Mark("sensitive"), }).Mark(marks.Sensitive),
}) })
got, diags := scope.Data.GetResource(addr, tfdiags.SourceRange{}) got, diags := scope.Data.GetResource(addr, tfdiags.SourceRange{})
@ -471,7 +472,7 @@ func TestEvaluatorGetModule(t *testing.T) {
Evaluator: evaluator, Evaluator: evaluator,
} }
scope := evaluator.Scope(data, nil) scope := evaluator.Scope(data, nil)
want := cty.ObjectVal(map[string]cty.Value{"out": cty.StringVal("bar").Mark("sensitive")}) want := cty.ObjectVal(map[string]cty.Value{"out": cty.StringVal("bar").Mark(marks.Sensitive)})
got, diags := scope.Data.GetModule(addrs.ModuleCall{ got, diags := scope.Data.GetModule(addrs.ModuleCall{
Name: "mod", Name: "mod",
}, tfdiags.SourceRange{}) }, tfdiags.SourceRange{})
@ -499,7 +500,7 @@ func TestEvaluatorGetModule(t *testing.T) {
Evaluator: evaluator, Evaluator: evaluator,
} }
scope = evaluator.Scope(data, nil) scope = evaluator.Scope(data, nil)
want = cty.ObjectVal(map[string]cty.Value{"out": cty.StringVal("baz").Mark("sensitive")}) want = cty.ObjectVal(map[string]cty.Value{"out": cty.StringVal("baz").Mark(marks.Sensitive)})
got, diags = scope.Data.GetModule(addrs.ModuleCall{ got, diags = scope.Data.GetModule(addrs.ModuleCall{
Name: "mod", Name: "mod",
}, tfdiags.SourceRange{}) }, tfdiags.SourceRange{})
@ -517,7 +518,7 @@ func TestEvaluatorGetModule(t *testing.T) {
Evaluator: evaluator, Evaluator: evaluator,
} }
scope = evaluator.Scope(data, nil) scope = evaluator.Scope(data, nil)
want = cty.ObjectVal(map[string]cty.Value{"out": cty.StringVal("baz").Mark("sensitive")}) want = cty.ObjectVal(map[string]cty.Value{"out": cty.StringVal("baz").Mark(marks.Sensitive)})
got, diags = scope.Data.GetModule(addrs.ModuleCall{ got, diags = scope.Data.GetModule(addrs.ModuleCall{
Name: "mod", Name: "mod",
}, tfdiags.SourceRange{}) }, tfdiags.SourceRange{})

View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"testing" "testing"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -14,32 +15,32 @@ func TestMarksEqual(t *testing.T) {
}{ }{
{ {
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
true, true,
}, },
{ {
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "A"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "A"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
false, false,
}, },
{ {
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "b"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "b"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "c"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "c"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "b"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "b"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "c"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "c"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
true, true,
}, },
@ -47,31 +48,31 @@ func TestMarksEqual(t *testing.T) {
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{ cty.PathValueMarks{
Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "b"}}, Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "b"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
cty.PathValueMarks{ cty.PathValueMarks{
Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "c"}}, Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "c"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{ cty.PathValueMarks{
Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "c"}}, Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "c"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
cty.PathValueMarks{ cty.PathValueMarks{
Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "b"}}, Path: cty.Path{cty.GetAttrStep{Name: "a"}, cty.GetAttrStep{Name: "b"}},
Marks: cty.NewValueMarks("sensitive"), Marks: cty.NewValueMarks(marks.Sensitive),
}, },
}, },
true, true,
}, },
{ {
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "b"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "b"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
false, false,
}, },
@ -82,7 +83,7 @@ func TestMarksEqual(t *testing.T) {
}, },
{ {
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
nil, nil,
false, false,
@ -90,7 +91,7 @@ func TestMarksEqual(t *testing.T) {
{ {
nil, nil,
[]cty.PathValueMarks{ []cty.PathValueMarks{
cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks("sensitive")}, cty.PathValueMarks{Path: cty.Path{cty.GetAttrStep{Name: "a"}}, Marks: cty.NewValueMarks(marks.Sensitive)},
}, },
false, false,
}, },

View File

@ -9,6 +9,7 @@ import (
"github.com/hashicorp/terraform/internal/configs" "github.com/hashicorp/terraform/internal/configs"
"github.com/hashicorp/terraform/internal/dag" "github.com/hashicorp/terraform/internal/dag"
"github.com/hashicorp/terraform/internal/lang" "github.com/hashicorp/terraform/internal/lang"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/plans" "github.com/hashicorp/terraform/internal/plans"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
@ -281,10 +282,8 @@ func (n *NodeApplyableOutput) Execute(ctx EvalContext, op walkOperation) (diags
// statically declared as sensitive in order to dynamically return // statically declared as sensitive in order to dynamically return
// a sensitive result, to help avoid accidental exposure in the state // a sensitive result, to help avoid accidental exposure in the state
// of a sensitive value that the user doesn't want to include there. // of a sensitive value that the user doesn't want to include there.
_, marks := val.UnmarkDeep()
_, hasSensitive := marks["sensitive"]
if n.Addr.Module.IsRoot() { if n.Addr.Module.IsRoot() {
if !n.Config.Sensitive && hasSensitive { if !n.Config.Sensitive && marks.Contains(val, marks.Sensitive) {
diags = diags.Append(&hcl.Diagnostic{ diags = diags.Append(&hcl.Diagnostic{
Severity: hcl.DiagError, Severity: hcl.DiagError,
Summary: "Output refers to sensitive values", Summary: "Output refers to sensitive values",

View File

@ -7,6 +7,7 @@ import (
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs" "github.com/hashicorp/terraform/internal/configs"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/states" "github.com/hashicorp/terraform/internal/states"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
) )
@ -98,7 +99,7 @@ func TestNodeApplyableOutputExecute_sensitiveValueNotOutput(t *testing.T) {
addr := addrs.OutputValue{Name: config.Name}.Absolute(addrs.RootModuleInstance) addr := addrs.OutputValue{Name: config.Name}.Absolute(addrs.RootModuleInstance)
node := &NodeApplyableOutput{Config: config, Addr: addr} node := &NodeApplyableOutput{Config: config, Addr: addr}
val := cty.MapVal(map[string]cty.Value{ val := cty.MapVal(map[string]cty.Value{
"a": cty.StringVal("b").Mark("sensitive"), "a": cty.StringVal("b").Mark(marks.Sensitive),
}) })
ctx.EvaluateExprResult = val ctx.EvaluateExprResult = val
@ -122,7 +123,7 @@ func TestNodeApplyableOutputExecute_sensitiveValueAndOutput(t *testing.T) {
addr := addrs.OutputValue{Name: config.Name}.Absolute(addrs.RootModuleInstance) addr := addrs.OutputValue{Name: config.Name}.Absolute(addrs.RootModuleInstance)
node := &NodeApplyableOutput{Config: config, Addr: addr} node := &NodeApplyableOutput{Config: config, Addr: addr}
val := cty.MapVal(map[string]cty.Value{ val := cty.MapVal(map[string]cty.Value{
"a": cty.StringVal("b").Mark("sensitive"), "a": cty.StringVal("b").Mark(marks.Sensitive),
}) })
ctx.EvaluateExprResult = val ctx.EvaluateExprResult = val

View File

@ -9,6 +9,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs" "github.com/hashicorp/terraform/internal/configs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/providers" "github.com/hashicorp/terraform/internal/providers"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
"github.com/zclconf/go-cty/cty" "github.com/zclconf/go-cty/cty"
@ -150,7 +151,7 @@ func TestNodeApplyableProviderExecute_sensitive(t *testing.T) {
config := &configs.Provider{ config := &configs.Provider{
Name: "foo", Name: "foo",
Config: configs.SynthBody("", map[string]cty.Value{ Config: configs.SynthBody("", map[string]cty.Value{
"test_string": cty.StringVal("hello").Mark("sensitive"), "test_string": cty.StringVal("hello").Mark(marks.Sensitive),
}), }),
} }
provider := mockProviderWithConfigSchema(simpleTestSchema()) provider := mockProviderWithConfigSchema(simpleTestSchema())
@ -187,7 +188,7 @@ func TestNodeApplyableProviderExecute_sensitiveValidate(t *testing.T) {
config := &configs.Provider{ config := &configs.Provider{
Name: "foo", Name: "foo",
Config: configs.SynthBody("", map[string]cty.Value{ Config: configs.SynthBody("", map[string]cty.Value{
"test_string": cty.StringVal("hello").Mark("sensitive"), "test_string": cty.StringVal("hello").Mark(marks.Sensitive),
}), }),
} }
provider := mockProviderWithConfigSchema(simpleTestSchema()) provider := mockProviderWithConfigSchema(simpleTestSchema())

View File

@ -10,6 +10,7 @@ import (
"github.com/hashicorp/terraform/internal/addrs" "github.com/hashicorp/terraform/internal/addrs"
"github.com/hashicorp/terraform/internal/configs" "github.com/hashicorp/terraform/internal/configs"
"github.com/hashicorp/terraform/internal/configs/configschema" "github.com/hashicorp/terraform/internal/configs/configschema"
"github.com/hashicorp/terraform/internal/lang/marks"
"github.com/hashicorp/terraform/internal/providers" "github.com/hashicorp/terraform/internal/providers"
"github.com/hashicorp/terraform/internal/provisioners" "github.com/hashicorp/terraform/internal/provisioners"
"github.com/hashicorp/terraform/internal/tfdiags" "github.com/hashicorp/terraform/internal/tfdiags"
@ -176,7 +177,7 @@ func TestNodeValidatableResource_ValidateResource_managedResource(t *testing.T)
Name: "foo", Name: "foo",
Config: configs.SynthBody("", map[string]cty.Value{ Config: configs.SynthBody("", map[string]cty.Value{
"test_string": cty.StringVal("bar"), "test_string": cty.StringVal("bar"),
"test_number": cty.NumberIntVal(2).Mark("sensitive"), "test_number": cty.NumberIntVal(2).Mark(marks.Sensitive),
}), }),
} }
node := NodeValidatableResource{ node := NodeValidatableResource{
@ -289,7 +290,7 @@ func TestNodeValidatableResource_ValidateResource_dataSource(t *testing.T) {
Name: "foo", Name: "foo",
Config: configs.SynthBody("", map[string]cty.Value{ Config: configs.SynthBody("", map[string]cty.Value{
"test_string": cty.StringVal("bar"), "test_string": cty.StringVal("bar"),
"test_number": cty.NumberIntVal(2).Mark("sensitive"), "test_number": cty.NumberIntVal(2).Mark(marks.Sensitive),
}), }),
} }

View File

@ -1,7 +1,6 @@
package terraform package terraform
import ( import (
"fmt"
"strings" "strings"
"testing" "testing"
@ -163,5 +162,4 @@ func TestGraphNodeImportStateSubExecuteNull(t *testing.T) {
if !diags.HasErrors() { if !diags.HasErrors() {
t.Fatal("expected error for non-existent resource") t.Fatal("expected error for non-existent resource")
} }
fmt.Println(diags.ErrWithWarnings())
} }