From f2fe0ceb0a88c34b44f01de34713fdd2cca5b868 Mon Sep 17 00:00:00 2001 From: Pam Selle <204372+pselle@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:23:54 -0400 Subject: [PATCH] Implement module merge for sensitive config Implements merging behavior for when sensitive is set on a variable and adds testing accordingly --- configs/module_merge.go | 4 ++ configs/module_merge_test.go | 59 +++++++++++++++++++ configs/named_values.go | 2 + .../override-variable/a_override.tf | 23 ++++++++ .../override-variable/b_override.tf | 21 +++++++ .../override-variable/primary.tf | 27 +++++++++ 6 files changed, 136 insertions(+) create mode 100644 configs/testdata/warning-modules/override-variable/a_override.tf create mode 100644 configs/testdata/warning-modules/override-variable/b_override.tf create mode 100644 configs/testdata/warning-modules/override-variable/primary.tf diff --git a/configs/module_merge.go b/configs/module_merge.go index b8d094959..b3db79c9e 100644 --- a/configs/module_merge.go +++ b/configs/module_merge.go @@ -42,6 +42,10 @@ func (v *Variable) merge(ov *Variable) hcl.Diagnostics { v.Description = ov.Description v.DescriptionSet = ov.DescriptionSet } + if ov.SensitiveSet { + v.Sensitive = ov.Sensitive + v.SensitiveSet = ov.SensitiveSet + } if ov.Default != cty.NilVal { v.Default = ov.Default } diff --git a/configs/module_merge_test.go b/configs/module_merge_test.go index e524cc172..b9a4e456c 100644 --- a/configs/module_merge_test.go +++ b/configs/module_merge_test.go @@ -1,6 +1,7 @@ package configs import ( + "fmt" "testing" "github.com/hashicorp/hcl/v2" @@ -227,6 +228,64 @@ func TestModuleOverrideDynamic(t *testing.T) { }) } +func TestModuleOverrideSensitiveVariable(t *testing.T) { + type testCase struct { + sensitive bool + sensitiveSet bool + } + cases := map[string]testCase{ + "false_true": { + sensitive: true, + sensitiveSet: true, + }, + "true_false": { + sensitive: false, + sensitiveSet: true, + }, + "false_false_true": { + sensitive: true, + sensitiveSet: true, + }, + "true_true_false": { + sensitive: false, + sensitiveSet: true, + }, + "false_true_false": { + sensitive: false, + sensitiveSet: true, + }, + "true_false_true": { + sensitive: true, + sensitiveSet: true, + }, + } + + // TODO: When variable sensitivity is no longer experimental, + // move this test folder to "valid-modules" (it currently has a warning) + // and activate the diags assertion + mod, _ := testModuleFromDir("testdata/warning-modules/override-variable") + + // assertNoDiagnostics(t, diags) + + if mod == nil { + t.Fatalf("module is nil") + } + + got := mod.Variables + + for v, want := range cases { + t.Run(fmt.Sprintf("variable %s", v), func(t *testing.T) { + if got[v].Sensitive != want.sensitive { + t.Errorf("wrong result for sensitive\ngot: %t want: %t", got[v].Sensitive, want.sensitive) + } + + if got[v].SensitiveSet != want.sensitiveSet { + t.Errorf("wrong result for sensitive set\ngot: %t want: %t", got[v].Sensitive, want.sensitive) + } + }) + } +} + func TestModuleOverrideResourceFQNs(t *testing.T) { mod, diags := testModuleFromDir("testdata/valid-modules/override-resource-provider") assertNoDiagnostics(t, diags) diff --git a/configs/named_values.go b/configs/named_values.go index cd593405a..4b3259963 100644 --- a/configs/named_values.go +++ b/configs/named_values.go @@ -28,6 +28,7 @@ type Variable struct { Sensitive bool DescriptionSet bool + SensitiveSet bool DeclRange hcl.Range } @@ -98,6 +99,7 @@ func decodeVariableBlock(block *hcl.Block, override bool) (*Variable, hcl.Diagno if attr, exists := content.Attributes["sensitive"]; exists { valDiags := gohcl.DecodeExpression(attr.Expr, nil, &v.Sensitive) diags = append(diags, valDiags...) + v.SensitiveSet = true } if attr, exists := content.Attributes["default"]; exists { diff --git a/configs/testdata/warning-modules/override-variable/a_override.tf b/configs/testdata/warning-modules/override-variable/a_override.tf new file mode 100644 index 000000000..f2ece93df --- /dev/null +++ b/configs/testdata/warning-modules/override-variable/a_override.tf @@ -0,0 +1,23 @@ +variable "false_true" { + sensitive = true +} + +variable "true_false" { + sensitive = false +} + +variable "false_false_true" { + sensitive = false +} + +variable "true_true_false" { + sensitive = true +} + +variable "false_true_false" { + sensitive = true +} + +variable "true_false_true" { + sensitive = false +} diff --git a/configs/testdata/warning-modules/override-variable/b_override.tf b/configs/testdata/warning-modules/override-variable/b_override.tf new file mode 100644 index 000000000..e58e5b3d1 --- /dev/null +++ b/configs/testdata/warning-modules/override-variable/b_override.tf @@ -0,0 +1,21 @@ +variable "false_true" { +} + +variable "true_false" { +} + +variable "false_false_true" { + sensitive = true +} + +variable "true_true_false" { + sensitive = false +} + +variable "false_true_false" { + sensitive = false +} + +variable "true_false_true" { + sensitive = true +} diff --git a/configs/testdata/warning-modules/override-variable/primary.tf b/configs/testdata/warning-modules/override-variable/primary.tf new file mode 100644 index 000000000..54c73a386 --- /dev/null +++ b/configs/testdata/warning-modules/override-variable/primary.tf @@ -0,0 +1,27 @@ +terraform { + experiments = [sensitive_variables] +} + +variable "false_true" { + sensitive = false +} + +variable "true_false" { + sensitive = true +} + +variable "false_false_true" { + sensitive = false +} + +variable "true_true_false" { + sensitive = true +} + +variable "false_true_false" { + sensitive = false +} + +variable "true_false_true" { + sensitive = true +}