From 6fb010f26dc281be18ed61014cd6ce49808b4292 Mon Sep 17 00:00:00 2001
From: Alisdair McDiarmid
Date: Thu, 18 Feb 2021 10:47:53 -0500
Subject: [PATCH] core: Unmark provisioner config before validation
Sensitive values in provisioner configuration would cause errors in the validate phase. We need to unmark these value before serializing the config value for the provisioner plugin.
---
 terraform/context_validate_test.go | 31 +++++++++++++++++++
 terraform/eval_validate.go | 4 ++-
 .../main.tf | 11 +++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 terraform/testdata/validate-sensitive-provisioner-config/main.tf
diff --git a/terraform/context_validate_test.go b/terraform/context_validate_test.go
index 701350ac76ef..5d15892b20c9 100644
--- a/terraform/context_validate_test.go
+++ b/terraform/context_validate_test.go
@@ -1856,3 +1856,34 @@ output "out" {
 }
 }
 }
+
+func TestContext2Validate_sensitiveProvisionerConfig(t *testing.T) {
+ m := testModule(t, "validate-sensitive-provisioner-config")
+ p := testProvider("aws")
+ pr := simpleMockProvisioner()
+
+ c := testContext2(t, &ContextOpts{
+ Config: m,
+ Providers: map[addrs.Provider]providers.Factory{
+ addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
+ },
+ Provisioners: map[string]provisioners.Factory{
+ "test": testProvisionerFuncFixed(pr),
+ },
+ })
+
+ pr.ValidateProvisionerConfigFn = func(r provisioners.ValidateProvisionerConfigRequest) provisioners.ValidateProvisionerConfigResponse {
+ if r.Config.ContainsMarked() {
+ t.Errorf("provisioner config contains marked values")
+ }
+ return pr.ValidateProvisionerConfigResponse
+ }
+
+ diags := c.Validate()
+ if diags.HasErrors() {
+ t.Fatalf("unexpected error: %s", diags.Err())
+ }
+ if !pr.ValidateProvisionerConfigCalled {
+ t.Fatal("ValidateProvisionerConfig not called")
+ }
+}
diff --git a/terraform/eval_validate.go b/terraform/eval_validate.go
index e0269fee75a0..bfcbcb412c82 100644
--- a/terraform/eval_validate.go
+++ b/terraform/eval_validate.go
@@ -93,8 +93,10 @@ func (n *EvalValidateProvisioner) Validate(ctx EvalContext) error {
 return fmt.Errorf("EvaluateBlock returned nil value")
 }
+ // Use unmarked value for validate request
+ unmarkedConfigVal, _ := configVal.UnmarkDeep()
 req := provisioners.ValidateProvisionerConfigRequest{
- Config: configVal,
+ Config: unmarkedConfigVal,
 }
 resp := provisioner.ValidateProvisionerConfig(req)
diff --git a/terraform/testdata/validate-sensitive-provisioner-config/main.tf b/terraform/testdata/validate-sensitive-provisioner-config/main.tf
new file mode 100644
index 000000000000..88a37275a835
--- /dev/null
+++ b/terraform/testdata/validate-sensitive-provisioner-config/main.tf
@@ -0,0 +1,11 @@
+variable "secret" {
+ type = string
+ default = " password123"
+ sensitive = true
+}
+
+resource "aws_instance" "foo" {
+ provisioner "test" {
+ test_string = var.secret
+ }
+}
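Review bot: The blank identifier on `unmarkedConfigVal, _ := configVal.UnmarkDeep()` discards the sensitivity marks without saying why that is acceptable here; the comment above it states what is done but not why. Suggest replacing it with `// Unmark before building the request: marks cannot be serialized across the plugin boundary, and the provisioner only inspects the value for schema validation, so the marks are not needed past this point.` Note that once the value is unmarked, any diagnostic the provisioner builds that quotes the offending attribute may be rendered without redaction; if that matters, it would have to be handled on `resp.Diagnostics` after the call rather than here. Validate's body starts before and continues after this hunk.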