core: Unmark provisioner config before validation
Sensitive values in provisioner configuration would cause errors in the validate phase. We need to unmark these values before serializing the config value for the provisioner plugin.
parent
f6505870cc
commit
3f017b4413
@ -1965,3 +1965,46 @@ resource "test_instance" "a" {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestContext2Validate_sensitiveProvisionerConfig(t *testing.T) {
|
||||
m := testModule(t, "validate-sensitive-provisioner-config")
|
||||
p := testProvider("aws")
|
||||
p.GetProviderSchemaResponse = &providers.GetProviderSchemaResponse{
|
||||
ResourceTypes: map[string]providers.Schema{
|
||||
"aws_instance": {
|
||||
Block: &configschema.Block{
|
||||
Attributes: map[string]*configschema.Attribute{
|
||||
"foo": {Type: cty.String, Optional: true},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
pr := simpleMockProvisioner()
|
||||
|
||||
c := testContext2(t, &ContextOpts{
|
||||
Config: m,
|
||||
Providers: map[addrs.Provider]providers.Factory{
|
||||
addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
|
||||
},
|
||||
Provisioners: map[string]provisioners.Factory{
|
||||
"test": testProvisionerFuncFixed(pr),
|
||||
},
|
||||
})
|
||||
|
||||
pr.ValidateProvisionerConfigFn = func(r provisioners.ValidateProvisionerConfigRequest) provisioners.ValidateProvisionerConfigResponse {
|
||||
if r.Config.ContainsMarked() {
|
||||
t.Errorf("provisioner config contains marked values")
|
||||
}
|
||||
return pr.ValidateProvisionerConfigResponse
|
||||
}
|
||||
|
||||
diags := c.Validate()
|
||||
if diags.HasErrors() {
|
||||
t.Fatalf("unexpected error: %s", diags.Err())
|
||||
}
|
||||
if !pr.ValidateProvisionerConfigCalled {
|
||||
t.Fatal("ValidateProvisionerConfig not called")
|
||||
}
|
||||
}
|
||||
|
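Review bot: The callback in `TestContext2Validate_sensitiveProvisionerConfig` only asserts that `r.Config` carries no marks, so the test would still pass if unmarking dropped or replaced the value on the way to the plugin. Consider also checking that the attribute arrives intact, e.g. `if got := r.Config.GetAttr("test_string"); !got.RawEquals(cty.StringVal(" password123")) { t.Errorf("wrong test_string: %#v", got) }`, assuming the mock provisioner schema exposes `test_string` as the fixture suggests. A one-line doc comment saying that the test guards against marked values reaching the provisioner during validate would also help the next reader.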
@ -90,8 +90,10 @@ func (n *NodeValidatableResource) validateProvisioner(ctx EvalContext, p *config
|
||||
return diags.Append(fmt.Errorf("EvaluateBlock returned nil value"))
|
||||
}
|
||||
|
||||
// Use unmarked value for validate request
|
||||
unmarkedConfigVal, _ := configVal.UnmarkDeep()
|
||||
req := provisioners.ValidateProvisionerConfigRequest{
|
||||
Config: configVal,
|
||||
Config: unmarkedConfigVal,
|
||||
}
|
||||
|
||||
resp := provisioner.ValidateProvisionerConfig(req)
|
||||
|
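Review bot: Discarding the marks with `unmarkedConfigVal, _ := configVal.UnmarkDeep()` means nothing after this request knows which attributes were sensitive, so any diagnostic the provisioner builds from the config could carry the secret in plaintext. The handling of `resp` lies outside the hunk and may already cover this, but it is worth confirming that diagnostics returned by `ValidateProvisionerConfig` are not rendered with attribute values when the config was sensitive. The new comment should also say why the marks are dropped, for example `// Marks cannot be serialized for the plugin; validation returns no value, so sensitivity is intentionally discarded here.` validateProvisioner starts and ends outside the hunk.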
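--- /dev/null
+++ b/terraform/testdata/validate-sensitive-provisioner-config/main.tf
@@ -0,0 +1,11 @@
+variable "secret" {
+type = string
+default = " password123"
+sensitive = true
+}
+
+resource "aws_instance" "foo" {
+provisioner "test" {
+test_string = var.secret
+}
+}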