terraform: Test sensitive values in module inputs

Passing a sensitive value as a module input variable should preserve its sensitivity for the plan.
2020-09-16 16:54:04 -04:00 · 2020-09-16 16:54:04 -04:00 · e1a41daf9b
parent 9e340ab85b
commit e1a41daf9b
3 changed files with 81 additions and 0 deletions
--- a/terraform/context_plan_test.go
+++ b/terraform/context_plan_test.go
@ -5687,6 +5687,67 @@ func TestContext2Plan_variableSensitivity(t *testing.T) {
 	}
 }

+func TestContext2Plan_variableSensitivityModule(t *testing.T) {
+	m := testModule(t, "plan-variable-sensitivity-module")
+
+	p := testProvider("aws")
+	p.PlanResourceChangeFn = func(req providers.PlanResourceChangeRequest) (resp providers.PlanResourceChangeResponse) {
+		resp.PlannedState = req.ProposedNewState
+		return
+	}
+
+	ctx := testContext2(t, &ContextOpts{
+		Config: m,
+		Providers: map[addrs.Provider]providers.Factory{
+			addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
+		},
+	})
+
+	plan, diags := ctx.Plan()
+	if diags.HasErrors() {
+		t.Fatalf("unexpected errors: %s", diags.Err())
+	}
+	schema := p.GetSchemaReturn.ResourceTypes["aws_instance"]
+	ty := schema.ImpliedType()
+
+	if len(plan.Changes.Resources) != 1 {
+		t.Fatal("expected 1 changes, got", len(plan.Changes.Resources))
+	}
+
+	for _, res := range plan.Changes.Resources {
+		if res.Action != plans.Create {
+			t.Fatalf("expected resource creation, got %s", res.Action)
+		}
+		ric, err := res.Decode(ty)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		switch i := ric.Addr.String(); i {
+		case "module.child.aws_instance.foo":
+			checkVals(t, objectVal(t, schema, map[string]cty.Value{
+				"foo": cty.StringVal("foo"),
+			}), ric.After)
+			if len(res.ChangeSrc.BeforeValMarks) != 0 {
+				t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks)
+			}
+			if len(res.ChangeSrc.AfterValMarks) != 1 {
+				t.Errorf("unexpected AfterValMarks: %#v", res.ChangeSrc.AfterValMarks)
+				continue
+			}
+			pvm := res.ChangeSrc.AfterValMarks[0]
+			if got, want := pvm.Path, cty.GetAttrPath("foo"); !got.Equals(want) {
+				t.Errorf("unexpected path for mark\n got: %#v\nwant: %#v", got, want)
+			}
+			if got, want := pvm.Marks, cty.NewValueMarks("sensitive"); !got.Equal(want) {
+				t.Errorf("unexpected value for mark\n got: %#v\nwant: %#v", got, want)
+			}
+		default:
+			t.Fatal("unknown instance:", i)
+		}
+	}
+}
+
 func checkVals(t *testing.T, expected, got cty.Value) {
 	t.Helper()
 	if !cmp.Equal(expected, got, valueComparer, typeComparer, equateEmpty) {
--- a/terraform/testdata/plan-variable-sensitivity-module/child/main.tf
+++ b/terraform/testdata/plan-variable-sensitivity-module/child/main.tf
@ -0,0 +1,7 @@
+variable "foo" {
+  type = string
+}
+
+resource "aws_instance" "foo" {
+  foo = var.foo
+}
--- a/terraform/testdata/plan-variable-sensitivity-module/main.tf
+++ b/terraform/testdata/plan-variable-sensitivity-module/main.tf
@ -0,0 +1,13 @@
+terraform {
+  experiments = [sensitive_variables]
+}
+
+variable "sensitive_var" {
+  default   = "foo"
+  sensitive = true
+}
+
+module "child" {
+  source = "./child"
+  foo    = var.sensitive_var
+}