diff --git a/terraform/context_plan_test.go b/terraform/context_plan_test.go index 3bc98005e..bdb4af3ab 100644 --- a/terraform/context_plan_test.go +++ b/terraform/context_plan_test.go @@ -5687,6 +5687,67 @@ func TestContext2Plan_variableSensitivity(t *testing.T) { } } +func TestContext2Plan_variableSensitivityModule(t *testing.T) { + m := testModule(t, "plan-variable-sensitivity-module") + + p := testProvider("aws") + p.PlanResourceChangeFn = func(req providers.PlanResourceChangeRequest) (resp providers.PlanResourceChangeResponse) { + resp.PlannedState = req.ProposedNewState + return + } + + ctx := testContext2(t, &ContextOpts{ + Config: m, + Providers: map[addrs.Provider]providers.Factory{ + addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p), + }, + }) + + plan, diags := ctx.Plan() + if diags.HasErrors() { + t.Fatalf("unexpected errors: %s", diags.Err()) + } + schema := p.GetSchemaReturn.ResourceTypes["aws_instance"] + ty := schema.ImpliedType() + + if len(plan.Changes.Resources) != 1 { + t.Fatal("expected 1 changes, got", len(plan.Changes.Resources)) + } + + for _, res := range plan.Changes.Resources { + if res.Action != plans.Create { + t.Fatalf("expected resource creation, got %s", res.Action) + } + ric, err := res.Decode(ty) + if err != nil { + t.Fatal(err) + } + + switch i := ric.Addr.String(); i { + case "module.child.aws_instance.foo": + checkVals(t, objectVal(t, schema, map[string]cty.Value{ + "foo": cty.StringVal("foo"), + }), ric.After) + if len(res.ChangeSrc.BeforeValMarks) != 0 { + t.Errorf("unexpected BeforeValMarks: %#v", res.ChangeSrc.BeforeValMarks) + } + if len(res.ChangeSrc.AfterValMarks) != 1 { + t.Errorf("unexpected AfterValMarks: %#v", res.ChangeSrc.AfterValMarks) + continue + } + pvm := res.ChangeSrc.AfterValMarks[0] + if got, want := pvm.Path, cty.GetAttrPath("foo"); !got.Equals(want) { + t.Errorf("unexpected path for mark\n got: %#v\nwant: %#v", got, want) + } + if got, want := pvm.Marks, cty.NewValueMarks("sensitive"); !got.Equal(want) { + t.Errorf("unexpected value for mark\n got: %#v\nwant: %#v", got, want) + } + default: + t.Fatal("unknown instance:", i) + } + } +} + func checkVals(t *testing.T, expected, got cty.Value) { t.Helper() if !cmp.Equal(expected, got, valueComparer, typeComparer, equateEmpty) { diff --git a/terraform/testdata/plan-variable-sensitivity-module/child/main.tf b/terraform/testdata/plan-variable-sensitivity-module/child/main.tf new file mode 100644 index 000000000..1e1a07b1d --- /dev/null +++ b/terraform/testdata/plan-variable-sensitivity-module/child/main.tf @@ -0,0 +1,7 @@ +variable "foo" { + type = string +} + +resource "aws_instance" "foo" { + foo = var.foo +} diff --git a/terraform/testdata/plan-variable-sensitivity-module/main.tf b/terraform/testdata/plan-variable-sensitivity-module/main.tf new file mode 100644 index 000000000..4673fb05b --- /dev/null +++ b/terraform/testdata/plan-variable-sensitivity-module/main.tf @@ -0,0 +1,13 @@ +terraform { + experiments = [sensitive_variables] +} + +variable "sensitive_var" { + default = "foo" + sensitive = true +} + +module "child" { + source = "./child" + foo = var.sensitive_var +}