ensure outputs carry sensitive marks forward

Sensitive marks were lost from module outputs during the namedvals rewrite. Ensure output are evaluated with sensitive in accordance with their configuration.
12 months ago · bb1cd82d60
parent 6d6352220b
commit bb1cd82d60
2 changed files with 69 additions and 1 deletions
--- a/internal/terraform/context_plan2_test.go
+++ b/internal/terraform/context_plan2_test.go
@ -6847,3 +6847,68 @@ data "test_data_source" "foo" {

 	}
 }
+
+func TestContext2Plan_sensitiveOutput(t *testing.T) {
+	m := testModuleInline(t, map[string]string{
+		"main.tf": `
+module "child" {
+  source = "./child"
+}
+
+output "is_secret" {
+  // not only must the plan store the output as sensitive, it must also be
+  // evaluated as such
+  value = issensitive(module.child.secret)
+}
+`,
+		"./child/main.tf": `
+output "secret" {
+  sensitive = true
+  value = "test"
+}
+`,
+	})
+
+	ctx := testContext2(t, &ContextOpts{})
+
+	plan, diags := ctx.Plan(m, states.NewState(), DefaultPlanOpts)
+	tfdiags.AssertNoErrors(t, diags)
+
+	expectedChanges := &plans.Changes{
+		Outputs: []*plans.OutputChange{
+			{
+				Addr: mustAbsOutputValue("module.child.output.secret"),
+				Change: plans.Change{
+					Action:         plans.Create,
+					BeforeIdentity: cty.NullVal(cty.DynamicPseudoType),
+					AfterIdentity:  cty.NullVal(cty.DynamicPseudoType),
+					Before:         cty.NullVal(cty.DynamicPseudoType),
+					After:          cty.StringVal("test"),
+				},
+				Sensitive: true,
+			},
+			{
+				Addr: mustAbsOutputValue("output.is_secret"),
+				Change: plans.Change{
+					Action:         plans.Create,
+					BeforeIdentity: cty.NullVal(cty.DynamicPseudoType),
+					AfterIdentity:  cty.NullVal(cty.DynamicPseudoType),
+					Before:         cty.NullVal(cty.DynamicPseudoType),
+					After:          cty.True,
+				},
+			},
+		},
+	}
+	changes, err := plan.Changes.Decode(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sort.SliceStable(changes.Outputs, func(i, j int) bool {
+		return changes.Outputs[i].Addr.String() < changes.Outputs[j].Addr.String()
+	})
+
+	if diff := cmp.Diff(expectedChanges, changes, ctydebug.CmpOptions); diff != "" {
+		t.Fatalf("unexpected changes: %s", diff)
+	}
+}
--- a/internal/terraform/evaluate.go
+++ b/internal/terraform/evaluate.go
@ -430,7 +430,7 @@ func (d *evaluationStateData) GetModule(addr addrs.ModuleCall, rng tfdiags.Sourc
 		namedVals := d.Evaluator.NamedValues
 		moduleInstAddr := absAddr.Instance(instKey)
 		attrs := make(map[string]cty.Value, len(outputConfigs))
-		for name := range outputConfigs {
+		for name, cfg := range outputConfigs {
 			outputAddr := moduleInstAddr.OutputValue(name)

 			// Although we do typically expect the graph dependencies to
@ -446,6 +446,9 @@ func (d *evaluationStateData) GetModule(addr addrs.ModuleCall, rng tfdiags.Sourc
 				continue
 			}
 			outputVal := namedVals.GetOutputValue(outputAddr)
+			if cfg.Sensitive {
+				outputVal = outputVal.Mark(marks.Sensitive)
+			}
 			attrs[name] = outputVal
 		}