From fd52bf21e837c1afca9fb752dad1105499c5bae8 Mon Sep 17 00:00:00 2001
From: Pam Selle <204372+pselle@users.noreply.github.com>
Date: Thu, 5 Nov 2020 16:02:40 -0500
Subject: [PATCH] Mark variables as sensitive (if relevant) in validate

Ensure that variables are marked in the validate walk so that appropriate diags will surface at validate rather than surprising users at apply
---
terraform/context_validate_test.go | 40 ++++++++++++++++++++++++++++++
terraform/evaluate.go | 4 +++
2 files changed, 44 insertions(+)
diff --git a/terraform/context_validate_test.go b/terraform/context_validate_test.go
index f9c22d921..087de1a2e 100644
--- a/terraform/context_validate_test.go
+++ b/terraform/context_validate_test.go
@@ -1250,6 +1250,46 @@ resource "aws_instance" "foo" {
 }
 }
+func TestContext2Validate_invalidSensitiveModuleOutput(t *testing.T) {
+ m := testModuleInline(t, map[string]string{
+ "child/main.tf": `
+variable "foo" {
+ default = "xyz"
+ sensitive = true
+}
+
+output "out" {
+ value = var.foo
+}`,
+ "main.tf": `
+module "child" {
+ source = "./child"
+}
+
+resource "aws_instance" "foo" {
+ foo = module.child.out
+}`,
+ })
+
+ p := testProvider("aws")
+ ctx := testContext2(t, &ContextOpts{
+ Config: m,
+ Providers: map[addrs.Provider]providers.Factory{
+ addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
+ },
+ })
+
+ diags := ctx.Validate()
+ if !diags.HasErrors() {
+ t.Fatal("succeeded; want errors")
+ }
+ // Should get this error:
+ // Output refers to sensitive values: Expressions used in outputs can only refer to sensitive values if the sensitive attribute is true.
+ if got, want := diags.Err().Error(), "Output refers to sensitive values"; strings.Index(got, want) == -1 {
+ t.Fatalf("wrong error:\ngot: %s\nwant: message containing %q", got, want)
+ }
+}
+
 func TestContext2Validate_legacyResourceCount(t *testing.T) {
 m := testModuleInline(t, map[string]string{
 "main.tf": `
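Review bot: TestContext2Validate_invalidSensitiveModuleOutput pins only the rejecting side of the check, so it would not notice a regression where validate starts refusing a module output that is correctly declared sensitive. A companion case with `sensitive = true` set on `output "out"`, expected to leave `diags.HasErrors()` false, would cover the other side. The substring test also reads more directly as `!strings.Contains(got, want)` than `strings.Index(got, want) == -1`.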
diff --git a/terraform/evaluate.go b/terraform/evaluate.go
index 3fd02772d..4c87e55d5 100644
--- a/terraform/evaluate.go
+++ b/terraform/evaluate.go
@@ -260,6 +260,10 @@ func (d *evaluationStateData) GetInputVariable(addr addrs.InputVariable, rng tfd
 // being liberal in what it accepts because the subsequent plan walk has
 // more information available and so can be more conservative.
 if d.Operation == walkValidate {
+ // Ensure variable sensitivity is captured in the validate walk
+ if config.Sensitive {
+ return cty.UnknownVal(wantType).Mark("sensitive"), diags
+ }
 return cty.UnknownVal(wantType), diags
 }
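Review bot: The mark key in `cty.UnknownVal(wantType).Mark("sensitive")` is a bare string literal, and whatever later tests for sensitivity has to match it exactly; a typo on either side would silently yield a value the output check treats as non-sensitive. If the package already has a shared name for this mark, use it here, otherwise consider introducing one. The two returns can be folded so the unknown value is built once: `val := cty.UnknownVal(wantType)`, `if config.Sensitive { val = val.Mark("sensitive") }`, `return val, diags`. The added comment would help more if it said why, presumably that the unknown placeholder otherwise carries no mark, so the output diagnostic cannot fire before apply. GetInputVariable starts and ends outside the hunk, so whether `config` is nil-checked before this branch is not visible here.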