Merge pull request #26443 from hashicorp/pselle/sensitive-var-module-merge

Implement module merge for sensitive variable config
This commit is contained in:
Pam Selle 2020-10-01 10:40:47 -04:00 committed by GitHub
commit e0e6f4fd13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 136 additions and 0 deletions

View File

@ -42,6 +42,10 @@ func (v *Variable) merge(ov *Variable) hcl.Diagnostics {
v.Description = ov.Description v.Description = ov.Description
v.DescriptionSet = ov.DescriptionSet v.DescriptionSet = ov.DescriptionSet
} }
if ov.SensitiveSet {
v.Sensitive = ov.Sensitive
v.SensitiveSet = ov.SensitiveSet
}
if ov.Default != cty.NilVal { if ov.Default != cty.NilVal {
v.Default = ov.Default v.Default = ov.Default
} }

View File

@ -1,6 +1,7 @@
package configs package configs
import ( import (
"fmt"
"testing" "testing"
"github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2"
@ -227,6 +228,64 @@ func TestModuleOverrideDynamic(t *testing.T) {
}) })
} }
func TestModuleOverrideSensitiveVariable(t *testing.T) {
type testCase struct {
sensitive bool
sensitiveSet bool
}
cases := map[string]testCase{
"false_true": {
sensitive: true,
sensitiveSet: true,
},
"true_false": {
sensitive: false,
sensitiveSet: true,
},
"false_false_true": {
sensitive: true,
sensitiveSet: true,
},
"true_true_false": {
sensitive: false,
sensitiveSet: true,
},
"false_true_false": {
sensitive: false,
sensitiveSet: true,
},
"true_false_true": {
sensitive: true,
sensitiveSet: true,
},
}
// TODO: When variable sensitivity is no longer experimental,
// move this test folder to "valid-modules" (it currently has a warning)
// and activate the diags assertion
mod, _ := testModuleFromDir("testdata/warning-modules/override-variable")
// assertNoDiagnostics(t, diags)
if mod == nil {
t.Fatalf("module is nil")
}
got := mod.Variables
for v, want := range cases {
t.Run(fmt.Sprintf("variable %s", v), func(t *testing.T) {
if got[v].Sensitive != want.sensitive {
t.Errorf("wrong result for sensitive\ngot: %t want: %t", got[v].Sensitive, want.sensitive)
}
if got[v].SensitiveSet != want.sensitiveSet {
t.Errorf("wrong result for sensitive set\ngot: %t want: %t", got[v].Sensitive, want.sensitive)
}
})
}
}
func TestModuleOverrideResourceFQNs(t *testing.T) { func TestModuleOverrideResourceFQNs(t *testing.T) {
mod, diags := testModuleFromDir("testdata/valid-modules/override-resource-provider") mod, diags := testModuleFromDir("testdata/valid-modules/override-resource-provider")
assertNoDiagnostics(t, diags) assertNoDiagnostics(t, diags)

View File

@ -28,6 +28,7 @@ type Variable struct {
Sensitive bool Sensitive bool
DescriptionSet bool DescriptionSet bool
SensitiveSet bool
DeclRange hcl.Range DeclRange hcl.Range
} }
@ -98,6 +99,7 @@ func decodeVariableBlock(block *hcl.Block, override bool) (*Variable, hcl.Diagno
if attr, exists := content.Attributes["sensitive"]; exists { if attr, exists := content.Attributes["sensitive"]; exists {
valDiags := gohcl.DecodeExpression(attr.Expr, nil, &v.Sensitive) valDiags := gohcl.DecodeExpression(attr.Expr, nil, &v.Sensitive)
diags = append(diags, valDiags...) diags = append(diags, valDiags...)
v.SensitiveSet = true
} }
if attr, exists := content.Attributes["default"]; exists { if attr, exists := content.Attributes["default"]; exists {

View File

@ -0,0 +1,23 @@
variable "false_true" {
sensitive = true
}
variable "true_false" {
sensitive = false
}
variable "false_false_true" {
sensitive = false
}
variable "true_true_false" {
sensitive = true
}
variable "false_true_false" {
sensitive = true
}
variable "true_false_true" {
sensitive = false
}

View File

@ -0,0 +1,21 @@
variable "false_true" {
}
variable "true_false" {
}
variable "false_false_true" {
sensitive = true
}
variable "true_true_false" {
sensitive = false
}
variable "false_true_false" {
sensitive = false
}
variable "true_false_true" {
sensitive = true
}

View File

@ -0,0 +1,27 @@
terraform {
experiments = [sensitive_variables]
}
variable "false_true" {
sensitive = false
}
variable "true_false" {
sensitive = true
}
variable "false_false_true" {
sensitive = false
}
variable "true_true_false" {
sensitive = true
}
variable "false_true_false" {
sensitive = false
}
variable "true_false_true" {
sensitive = true
}