opentofu/terraform/eval_for_each_test.go
Pam Selle 428d404d92
Allow for_each arguments containing sensitive values if they aren't keys (#27247)
* Add test for existing behavior, when a value contains a marked value

* Allow some marked values as for_each arguments

Rather than disallow values that have any marks
as for_each arguments, this makes the check more
nuanced to disallow cases where the whole value
is marked (a whole map, or any set). This allows
cases where a user may pass a map that has marked
values, but the keys are not sensitive
2020-12-17 11:27:12 -05:00

212 lines
6.7 KiB
Go

package terraform
import (
"reflect"
"strings"
"testing"
"github.com/davecgh/go-spew/spew"
"github.com/hashicorp/hcl/v2"
"github.com/hashicorp/hcl/v2/hcltest"
"github.com/hashicorp/terraform/tfdiags"
"github.com/zclconf/go-cty/cty"
)
func TestEvaluateForEachExpression_valid(t *testing.T) {
tests := map[string]struct {
Expr hcl.Expression
ForEachMap map[string]cty.Value
}{
"empty set": {
hcltest.MockExprLiteral(cty.SetValEmpty(cty.String)),
map[string]cty.Value{},
},
"multi-value string set": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.StringVal("a"), cty.StringVal("b")})),
map[string]cty.Value{
"a": cty.StringVal("a"),
"b": cty.StringVal("b"),
},
},
"empty map": {
hcltest.MockExprLiteral(cty.MapValEmpty(cty.Bool)),
map[string]cty.Value{},
},
"map": {
hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{
"a": cty.BoolVal(true),
"b": cty.BoolVal(false),
})),
map[string]cty.Value{
"a": cty.BoolVal(true),
"b": cty.BoolVal(false),
},
},
"map containing unknown values": {
hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{
"a": cty.UnknownVal(cty.Bool),
"b": cty.UnknownVal(cty.Bool),
})),
map[string]cty.Value{
"a": cty.UnknownVal(cty.Bool),
"b": cty.UnknownVal(cty.Bool),
},
},
"map containing sensitive values, but strings are literal": {
hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{
"a": cty.BoolVal(true).Mark("sensitive"),
"b": cty.BoolVal(false),
})),
map[string]cty.Value{
"a": cty.BoolVal(true).Mark("sensitive"),
"b": cty.BoolVal(false),
},
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx := &MockEvalContext{}
ctx.installSimpleEval()
forEachMap, diags := evaluateForEachExpression(test.Expr, ctx)
if len(diags) != 0 {
t.Errorf("unexpected diagnostics %s", spew.Sdump(diags))
}
if !reflect.DeepEqual(forEachMap, test.ForEachMap) {
t.Errorf(
"wrong map value\ngot: %swant: %s",
spew.Sdump(forEachMap), spew.Sdump(test.ForEachMap),
)
}
})
}
}
func TestEvaluateForEachExpression_errors(t *testing.T) {
tests := map[string]struct {
Expr hcl.Expression
Summary, DetailSubstring string
}{
"null set": {
hcltest.MockExprLiteral(cty.NullVal(cty.Set(cty.String))),
"Invalid for_each argument",
`the given "for_each" argument value is null`,
},
"string": {
hcltest.MockExprLiteral(cty.StringVal("i am definitely a set")),
"Invalid for_each argument",
"must be a map, or set of strings, and you have provided a value of type string",
},
"list": {
hcltest.MockExprLiteral(cty.ListVal([]cty.Value{cty.StringVal("a"), cty.StringVal("a")})),
"Invalid for_each argument",
"must be a map, or set of strings, and you have provided a value of type list",
},
"tuple": {
hcltest.MockExprLiteral(cty.TupleVal([]cty.Value{cty.StringVal("a"), cty.StringVal("b")})),
"Invalid for_each argument",
"must be a map, or set of strings, and you have provided a value of type tuple",
},
"unknown string set": {
hcltest.MockExprLiteral(cty.UnknownVal(cty.Set(cty.String))),
"Invalid for_each argument",
"depends on resource attributes that cannot be determined until apply",
},
"unknown map": {
hcltest.MockExprLiteral(cty.UnknownVal(cty.Map(cty.Bool))),
"Invalid for_each argument",
"depends on resource attributes that cannot be determined until apply",
},
"marked map": {
hcltest.MockExprLiteral(cty.MapVal(map[string]cty.Value{
"a": cty.BoolVal(true),
"b": cty.BoolVal(false),
}).Mark("sensitive")),
"Invalid for_each argument",
"Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.",
},
"set containing booleans": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.BoolVal(true)})),
"Invalid for_each set argument",
"supports maps and sets of strings, but you have provided a set containing type bool",
},
"set containing null": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.NullVal(cty.String)})),
"Invalid for_each set argument",
"must not contain null values",
},
"set containing unknown value": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.UnknownVal(cty.String)})),
"Invalid for_each argument",
"depends on resource attributes that cannot be determined until apply",
},
"set containing dynamic unknown value": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.UnknownVal(cty.DynamicPseudoType)})),
"Invalid for_each argument",
"depends on resource attributes that cannot be determined until apply",
},
"set containing marked values": {
hcltest.MockExprLiteral(cty.SetVal([]cty.Value{cty.StringVal("beep").Mark("sensitive"), cty.StringVal("boop")})),
"Invalid for_each argument",
"Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.",
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx := &MockEvalContext{}
ctx.installSimpleEval()
_, diags := evaluateForEachExpression(test.Expr, ctx)
if len(diags) != 1 {
t.Fatalf("got %d diagnostics; want 1", diags)
}
if got, want := diags[0].Severity(), tfdiags.Error; got != want {
t.Errorf("wrong diagnostic severity %#v; want %#v", got, want)
}
if got, want := diags[0].Description().Summary, test.Summary; got != want {
t.Errorf("wrong diagnostic summary %#v; want %#v", got, want)
}
if got, want := diags[0].Description().Detail, test.DetailSubstring; !strings.Contains(got, want) {
t.Errorf("wrong diagnostic detail %#v; want %#v", got, want)
}
if fromExpr := diags[0].FromExpr(); fromExpr != nil {
if fromExpr.Expression == nil {
t.Errorf("diagnostic does not refer to an expression")
}
if fromExpr.EvalContext == nil {
t.Errorf("diagnostic does not refer to an EvalContext")
}
} else {
t.Errorf("diagnostic does not support FromExpr\ngot: %s", spew.Sdump(diags[0]))
}
})
}
}
func TestEvaluateForEachExpressionKnown(t *testing.T) {
tests := map[string]hcl.Expression{
"unknown string set": hcltest.MockExprLiteral(cty.UnknownVal(cty.Set(cty.String))),
"unknown map": hcltest.MockExprLiteral(cty.UnknownVal(cty.Map(cty.Bool))),
}
for name, expr := range tests {
t.Run(name, func(t *testing.T) {
ctx := &MockEvalContext{}
ctx.installSimpleEval()
forEachVal, diags := evaluateForEachExpressionValue(expr, ctx, true)
if len(diags) != 0 {
t.Errorf("unexpected diagnostics %s", spew.Sdump(diags))
}
if forEachVal.IsKnown() {
t.Error("got known, want unknown")
}
})
}
}