From 1fa65bdd91853fd5cb1d937d696dd8e0508b92aa Mon Sep 17 00:00:00 2001
From: Alisdair McDiarmid
Date: Tue, 5 Jan 2021 13:49:04 -0500
Subject: [PATCH] core: Fix sensitive value variable validation

Binding a sensitive value to a variable with custom validation rules would cause a panic, as the validation expression carries the sensitive mark when it is evaluated for truthiness. This commit drops the marks before testing, which fixes the issue.
---
 terraform/context_plan_test.go | 20 +++++++++++++++++++
 terraform/eval_variable.go | 5 +++++
 .../child/child.tf | 8 ++++++++
 .../validate-variable-custom-validations.tf | 10 ++++++++++
 4 files changed, 43 insertions(+)
 create mode 100644 terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf
 create mode 100644 terraform/testdata/validate-variable-custom-validations-child-sensitive/validate-variable-custom-validations.tf

diff --git a/terraform/context_plan_test.go b/terraform/context_plan_test.go
index 3fd0e7fab..a688998fc 100644
--- a/terraform/context_plan_test.go
+++ b/terraform/context_plan_test.go
@@ -6725,3 +6725,23 @@ resource "test_resource" "foo" {
 }
 }
 }
+
+func TestContext2Plan_variableCustomValidationsSensitive(t *testing.T) {
+ m := testModule(t, "validate-variable-custom-validations-child-sensitive")
+
+ p := testProvider("test")
+ ctx := testContext2(t, &ContextOpts{
+ Config: m,
+ Providers: map[addrs.Provider]providers.Factory{
+ addrs.NewDefaultProvider("test"): testProviderFuncFixed(p),
+ },
+ })
+
+ _, diags := ctx.Plan()
+ if !diags.HasErrors() {
+ t.Fatal("succeeded; want errors")
+ }
+ if got, want := diags.Err().Error(), `Invalid value for variable: Value must not be "nope".`; !strings.Contains(got, want) {
+ t.Fatalf("wrong error:\ngot: %s\nwant: message containing %q", got, want)
+ }
+}
diff --git a/terraform/eval_variable.go b/terraform/eval_variable.go
index cd91fcc7c..34669f966 100644
--- a/terraform/eval_variable.go
+++ b/terraform/eval_variable.go
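Review bot: In `TestContext2Plan_variableCustomValidationsSensitive` the assertion cannot show whether the sensitive value stays out of the diagnostics, because the fixture's sensitive default `"nope"` is the same literal that the validation's `error_message` prints. A fixture whose secret differs from every literal in the message would let the test add a check such as `if strings.Contains(got, secret) { t.Fatal("diagnostic discloses sensitive value") }`, where `secret` is a placeholder for that fixture value. The test also covers only the failing branch; the commit message places the panic at the truthiness check itself, so presumably a sensitive value that passes validation took the same path and deserves a second case that expects no errors.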
@@ -81,6 +81,11 @@ func evalVariableValidations(addr addrs.AbsInputVariableInstance, config *config
 continue
 }
 
+ // Validation condition may be marked if the input variable is bound to
+ // a sensitive value. This is irrelevant to the validation process, so
+ // we discard the marks now.
+ result, _ = result.Unmark()
+
 if result.False() {
 if expr != nil {
 diags = diags.Append(&hcl.Diagnostic{
diff --git a/terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf b/terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf
new file mode 100644
index 000000000..05027f75a
--- /dev/null
+++ b/terraform/testdata/validate-variable-custom-validations-child-sensitive/child/child.tf
@@ -0,0 +1,8 @@
+variable "test" {
+ type = string
+
+ validation {
+ condition = var.test != "nope"
+ error_message = "Value must not be \"nope\"."
+ }
+}
diff --git a/terraform/testdata/validate-variable-custom-validations-child-sensitive/validate-variable-custom-validations.tf b/terraform/testdata/validate-variable-custom-validations-child-sensitive/validate-variable-custom-validations.tf
new file mode 100644
index 000000000..4f436db11
--- /dev/null
+++ b/terraform/testdata/validate-variable-custom-validations-child-sensitive/validate-variable-custom-validations.tf
@@ -0,0 +1,10 @@
+variable "test" {
+ sensitive = true
+ default = "nope"
+}
+
+module "child" {
+ source = "./child"
+
+ test = var.test
+}
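Review bot: The new comment in `evalVariableValidations` calls the marks irrelevant to validation but does not say what still protects the value once `result, _ = result.Unmark()` has discarded them. As far as the hunk shows, only the boolean `result` is reassigned, so I would state that scope in the comment, e.g. `// Only the boolean condition result is unmarked; the variable's own value keeps its sensitive mark for diagnostic rendering.` The `hcl.Diagnostic` literal that follows is cut off by the hunk, so whether it carries the expression and evaluation context, and therefore relies on those remaining marks, should be confirmed there. The function begins and ends outside this hunk.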