diff --git a/terraform/context_validate_test.go b/terraform/context_validate_test.go
index 6381b53cc0..33920e7968 100644
--- a/terraform/context_validate_test.go
+++ b/terraform/context_validate_test.go
@@ -1965,3 +1965,46 @@ resource "test_instance" "a" {
 }
 }
 }
+
+func TestContext2Validate_sensitiveProvisionerConfig(t *testing.T) {
+ m := testModule(t, "validate-sensitive-provisioner-config")
+ p := testProvider("aws")
+ p.GetProviderSchemaResponse = &providers.GetProviderSchemaResponse{
+ ResourceTypes: map[string]providers.Schema{
+ "aws_instance": {
+ Block: &configschema.Block{
+ Attributes: map[string]*configschema.Attribute{
+ "foo": {Type: cty.String, Optional: true},
+ },
+ },
+ },
+ },
+ }
+
+ pr := simpleMockProvisioner()
+
+ c := testContext2(t, &ContextOpts{
+ Config: m,
+ Providers: map[addrs.Provider]providers.Factory{
+ addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
+ },
+ Provisioners: map[string]provisioners.Factory{
+ "test": testProvisionerFuncFixed(pr),
+ },
+ })
+
+ pr.ValidateProvisionerConfigFn = func(r provisioners.ValidateProvisionerConfigRequest) provisioners.ValidateProvisionerConfigResponse {
+ if r.Config.ContainsMarked() {
+ t.Errorf("provisioner config contains marked values")
+ }
+ return pr.ValidateProvisionerConfigResponse
+ }
+
+ diags := c.Validate()
+ if diags.HasErrors() {
+ t.Fatalf("unexpected error: %s", diags.Err())
+ }
+ if !pr.ValidateProvisionerConfigCalled {
+ t.Fatal("ValidateProvisionerConfig not called")
+ }
+}
diff --git a/terraform/node_resource_validate.go b/terraform/node_resource_validate.go
index c86c672979..54dbd44414 100644
--- a/terraform/node_resource_validate.go
+++ b/terraform/node_resource_validate.go
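Review bot: `TestContext2Validate_sensitiveProvisionerConfig` has no doc comment stating the invariant it guards, and `pr.ValidateProvisionerConfigFn` is assigned only after `pr` has already been handed to `testContext2`. That ordering works only if the factory keeps using the same instance, which is presumably the case but the helper is not shown here. I would move the callback assignment to directly after `pr := simpleMockProvisioner()` and add above the function `// Sensitive marks on provisioner config must be stripped before the validate request reaches the provisioner.`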
@@ -90,8 +90,10 @@ func (n *NodeValidatableResource) validateProvisioner(ctx EvalContext, p *config
 return diags.Append(fmt.Errorf("EvaluateBlock returned nil value"))
 }

+ // Use unmarked value for validate request
+ unmarkedConfigVal, _ := configVal.UnmarkDeep()
 req := provisioners.ValidateProvisionerConfigRequest{
- Config: configVal,
+ Config: unmarkedConfigVal,
 }

 resp := provisioner.ValidateProvisionerConfig(req)
diff --git a/terraform/testdata/validate-sensitive-provisioner-config/main.tf b/terraform/testdata/validate-sensitive-provisioner-config/main.tf
new file mode 100644
index 0000000000..88a37275a8
--- /dev/null
+++ b/terraform/testdata/validate-sensitive-provisioner-config/main.tf
@@ -0,0 +1,11 @@
+variable "secret" {
+ type = string
+ default = " password123"
+ sensitive = true
+}
+
+resource "aws_instance" "foo" {
+ provisioner "test" {
+ test_string = var.secret
+ }
+}
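Review bot: `unmarkedConfigVal, _ := configVal.UnmarkDeep()` discards the mark paths, so nothing after the request knows which attributes were sensitive. If the provisioner quotes a config value in `resp.Diagnostics`, that text may surface unredacted. The added comment says what the line does but not why; I would write `// Strip sensitivity marks before the validate call (the provisioner is expected to receive plain values); anything it echoes back in diagnostics is no longer redacted.` How `resp` is consumed lies outside this hunk, since validateProvisioner continues past it, so it is worth confirming whether the returned diagnostics need handling for sensitive content.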