From 196c15a45dbb55017b35829cfcd37f0c87cf9d0b Mon Sep 17 00:00:00 2001 From: Alisdair McDiarmid Date: Fri, 25 Sep 2020 10:27:53 -0400 Subject: [PATCH 1/3] go get github.com/zclconf/go-cty@36785d4dc4ac --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 440cd69cd..e9ace5f53 100644 --- a/go.mod +++ b/go.mod @@ -123,7 +123,7 @@ require ( github.com/xanzy/ssh-agent v0.2.1 github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18 // indirect github.com/xlab/treeprint v0.0.0-20161029104018-1d6e34225557 - github.com/zclconf/go-cty v1.6.2-0.20200908203537-4ad5e68430d3 + github.com/zclconf/go-cty v1.6.2-0.20200923201117-36785d4dc4ac github.com/zclconf/go-cty-yaml v1.0.2 go.uber.org/atomic v1.3.2 // indirect go.uber.org/multierr v1.1.0 // indirect diff --git a/go.sum b/go.sum index d8d5e210a..16aca17fa 100644 --- a/go.sum +++ b/go.sum @@ -503,6 +503,8 @@ github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLE github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= github.com/zclconf/go-cty v1.6.2-0.20200908203537-4ad5e68430d3 h1:iGouBJrrvGf/H4L6a2n7YBCO0FDhq81FEHI4ILDphkw= github.com/zclconf/go-cty v1.6.2-0.20200908203537-4ad5e68430d3/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o= +github.com/zclconf/go-cty v1.6.2-0.20200923201117-36785d4dc4ac h1:rwzriIhzzyzWalNaKfMs3x/gQpqncr+r7sEIDnXJjsA= +github.com/zclconf/go-cty v1.6.2-0.20200923201117-36785d4dc4ac/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o= github.com/zclconf/go-cty-yaml v1.0.2 h1:dNyg4QLTrv2IfJpm7Wtxi55ed5gLGOlPrZ6kMd51hY0= github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= From 3f6b4cc62a73d27e59ec15a057a0665f1cad884c Mon Sep 17 00:00:00 2001 From: Alisdair McDiarmid Date: Fri, 25 Sep 2020 10:42:54 -0400 Subject: [PATCH 2/3] go get github.com/hashicorp/hcl/v2@a0de289809fb --- go.mod | 2 +- go.sum | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index e9ace5f53..d57045d8b 100644 --- a/go.mod +++ b/go.mod @@ -69,7 +69,7 @@ require ( github.com/hashicorp/go-uuid v1.0.1 github.com/hashicorp/go-version v1.2.0 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f - github.com/hashicorp/hcl/v2 v2.6.0 + github.com/hashicorp/hcl/v2 v2.6.1-0.20200925151948-a0de289809fb github.com/hashicorp/memberlist v0.1.0 // indirect github.com/hashicorp/serf v0.0.0-20160124182025-e4ec8cc423bb // indirect github.com/hashicorp/terraform-config-inspect v0.0.0-20191212124732-c6ae6269b9d7 diff --git a/go.sum b/go.sum index 16aca17fa..f007de227 100644 --- a/go.sum +++ b/go.sum @@ -277,6 +277,10 @@ github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh github.com/hashicorp/hcl/v2 v2.0.0/go.mod h1:oVVDG71tEinNGYCxinCYadcmKU9bglqW9pV3txagJ90= github.com/hashicorp/hcl/v2 v2.6.0 h1:3krZOfGY6SziUXa6H9PJU6TyohHn7I+ARYnhbeNBz+o= github.com/hashicorp/hcl/v2 v2.6.0/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/hcl/v2 v2.6.1-0.20200924164639-8eccdca8f95e h1:FC0v89ARfanOQUIZMTism4dw8riV9egA5lA2aFbxh2M= +github.com/hashicorp/hcl/v2 v2.6.1-0.20200924164639-8eccdca8f95e/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/hcl/v2 v2.6.1-0.20200925151948-a0de289809fb h1:mt4Roh7CUTNmwwtPqUYtxxz+viwpCLXoLW2bwlcq6RE= +github.com/hashicorp/hcl/v2 v2.6.1-0.20200925151948-a0de289809fb/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= github.com/hashicorp/memberlist v0.1.0 h1:qSsCiC0WYD39lbSitKNt40e30uorm2Ss/d4JGU1hzH8= github.com/hashicorp/memberlist v0.1.0/go.mod h1:ncdBp14cuox2iFOq3kDiquKU6fqsTBc3W6JvZwjxxsE= github.com/hashicorp/serf v0.0.0-20160124182025-e4ec8cc423bb h1:ZbgmOQt8DOg796figP87/EFCVx2v2h9yRvwHF/zceX4= From e41b2ef2d4f368dafa0c412b676cdd84eb1c6afe Mon Sep 17 00:00:00 2001 From: Alisdair McDiarmid Date: Fri, 25 Sep 2020 11:30:38 -0400 Subject: [PATCH 3/3] terraform: Add test for complex sensitive values When a sensitive variable has a complex type, any traversal of the variable should still result in a sensitive value. This test uses a sensitive `map(string)` and verifies that both plan and state output include the appropriate sensitive marks for the resource attribute. --- terraform/context_apply_test.go | 63 +++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/terraform/context_apply_test.go b/terraform/context_apply_test.go index 4e0c2192e..2d3cb8752 100644 --- a/terraform/context_apply_test.go +++ b/terraform/context_apply_test.go @@ -11995,3 +11995,66 @@ resource "test_resource" "foo" { t.Fatalf("apply errors: %s", diags.Err()) } } + +func TestContext2Apply_variableSensitivityPropagation(t *testing.T) { + m := testModuleInline(t, map[string]string{ + "main.tf": ` +terraform { + experiments = [sensitive_variables] +} + +variable "sensitive_map" { + type = map(string) + default = { + "x" = "foo" + } + sensitive = true +} + +resource "test_resource" "foo" { + value = var.sensitive_map.x +}`, + }) + + p := testProvider("test") + p.ApplyFn = testApplyFn + p.DiffFn = testDiffFn + + ctx := testContext2(t, &ContextOpts{ + Config: m, + Providers: map[addrs.Provider]providers.Factory{ + addrs.NewDefaultProvider("test"): testProviderFuncFixed(p), + }, + }) + + plan, diags := ctx.Plan() + if diags.HasErrors() { + t.Fatalf("plan errors: %s", diags.Err()) + } + + verifySensitiveValue := func(pvms []cty.PathValueMarks) { + if len(pvms) != 1 { + t.Fatalf("expected 1 sensitive path, got %d", len(pvms)) + } + pvm := pvms[0] + if gotPath, wantPath := pvm.Path, cty.GetAttrPath("value"); !gotPath.Equals(wantPath) { + t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath) + } + if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks("sensitive"); !gotMarks.Equal(wantMarks) { + t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks) + } + } + + addr := mustResourceInstanceAddr("test_resource.foo") + + fooChangeSrc := plan.Changes.ResourceInstance(addr) + verifySensitiveValue(fooChangeSrc.AfterValMarks) + + state, diags := ctx.Apply() + if diags.HasErrors() { + t.Fatalf("apply errors: %s", diags.Err()) + } + + fooState := state.ResourceInstance(addr) + verifySensitiveValue(fooState.Current.AttrSensitivePaths) +}