Unmark before ElementIterator in couldHaveUnknownBlockPlaceholder

This is needed for cases where a variable may be fetched and become a member of a set, and thus the whole set is marked, which means ElementIterator will panic on unmarked values
2021-01-29 14:28:09 -05:00 · 2021-01-29 14:28:09 -05:00 · e6daf3dbf1
parent 5df11f2013
commit e6daf3dbf1
2 changed files with 47 additions and 0 deletions
--- a/plans/objchange/compatible.go
+++ b/plans/objchange/compatible.go
@ -357,6 +357,10 @@ func couldHaveUnknownBlockPlaceholder(v cty.Value, blockS *configschema.NestedBl
 			return false // treated as if the list were empty, so we would see zero iterations below
 		}

+		// Unmark before we call ElementIterator in case this iterable is marked sensitive.
+		// This can arise in the case where a member of a Set is sensitive, and thus the
+		// whole Set is marked sensitive
+		v, _ := v.Unmark()
 		// For all other nesting modes, our value should be something iterable.
 		for it := v.ElementIterator(); it.Next(); {
 			_, ev := it.Element()
--- a/plans/objchange/compatible_test.go
+++ b/plans/objchange/compatible_test.go
@ -194,6 +194,49 @@ func TestAssertObjectCompatible(t *testing.T) {
 				`.name: inconsistent values for sensitive attribute`,
 			},
 		},
+		{
+			// This tests the codepath that leads to couldHaveUnknownBlockPlaceholder,
+			// where a set may be sensitive and need to be unmarked before it
+			// is iterated upon
+			&configschema.Block{
+				BlockTypes: map[string]*configschema.NestedBlock{
+					"configuration": {
+						Nesting: configschema.NestingList,
+						Block: configschema.Block{
+							BlockTypes: map[string]*configschema.NestedBlock{
+								"sensitive_fields": {
+									Nesting: configschema.NestingSet,
+									Block:   schemaWithFoo,
+								},
+							},
+						},
+					},
+				},
+			},
+			cty.ObjectVal(map[string]cty.Value{
+				"configuration": cty.TupleVal([]cty.Value{
+					cty.ObjectVal(map[string]cty.Value{
+						"sensitive_fields": cty.SetVal([]cty.Value{
+							cty.ObjectVal(map[string]cty.Value{
+								"foo": cty.StringVal("secret"),
+							}),
+						}).Mark("sensitive"),
+					}),
+				}),
+			}),
+			cty.ObjectVal(map[string]cty.Value{
+				"configuration": cty.TupleVal([]cty.Value{
+					cty.ObjectVal(map[string]cty.Value{
+						"sensitive_fields": cty.SetVal([]cty.Value{
+							cty.ObjectVal(map[string]cty.Value{
+								"foo": cty.StringVal("secret"),
+							}),
+						}).Mark("sensitive"),
+					}),
+				}),
+			}),
+			nil,
+		},
 		{
 			&configschema.Block{
 				Attributes: map[string]*configschema.Attribute{