Merge pull request #27412 from hashicorp/alisdair/fix-variable-validation-sensitive-value

core: Fix sensitive value variable validation

terraform/context_plan_test.go

@@ -6725,3 +6725,23 @@ resource "test_resource" "foo" {
 		}
 	}
 }
+
+func TestContext2Plan_variableCustomValidationsSensitive(t *testing.T) {
+	m := testModule(t, "validate-variable-custom-validations-child-sensitive")
+
+	p := testProvider("test")
+	ctx := testContext2(t, &ContextOpts{
+		Config: m,
+		Providers: map[addrs.Provider]providers.Factory{
+			addrs.NewDefaultProvider("test"): testProviderFuncFixed(p),
+		},
+	})
+
+	_, diags := ctx.Plan()
+	if !diags.HasErrors() {
+		t.Fatal("succeeded; want errors")
+	}
+	if got, want := diags.Err().Error(), `Invalid value for variable: Value must not be "nope".`; !strings.Contains(got, want) {
+		t.Fatalf("wrong error:\ngot:  %s\nwant: message containing %q", got, want)
+	}
+}

terraform/eval_variable.go

@@ -81,6 +81,11 @@ func evalVariableValidations(addr addrs.AbsInputVariableInstance, config *config
 			continue
 		}
 
+		// Validation condition may be marked if the input variable is bound to
+		// a sensitive value. This is irrelevant to the validation process, so
+		// we discard the marks now.
+		result, _ = result.Unmark()
+
 		if result.False() {
 			if expr != nil {
 				diags = diags.Append(&hcl.Diagnostic{

terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf

@@ -0,0 +1,8 @@
+variable "test" {
+  type = string
+
+  validation {
+    condition     = var.test != "nope"
+    error_message = "Value must not be \"nope\"."
+  }
+}

terraform/testdata/validate-variable-custom-validations-child-sensitive/validate-variable-custom-validations.tf

@@ -0,0 +1,10 @@
+variable "test" {
+  sensitive = true
+  default = "nope"
+}
+
+module "child" {
+  source = "./child"
+
+  test = var.test
+}