Merge 6494aa0 into backport/29156_do_not_log_sensitive_values/nearly-…

…safe-bullfrog
hashicorp · May 30, 2022 · 431a516 · 431a516
2 parents 874b56a + 6494aa0
commit 431a516
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/internal/terraform/eval_variable.go b/internal/terraform/eval_variable.go
@@ -113,8 +113,11 @@ func prepareFinalInputVariableValue(addr addrs.AbsInputVariableInstance, raw *In
 			// and not by the operator directly. In such a case, the failing secret value should not be
 			// displayed to the operator
 			if cfg.Sensitive {
-				subject = nil
-				detail += fmt.Sprintf("\n\n%s is marked as sensitive. Invalid value defined at %s.", addr, sourceRange.ToHCL())
+				detail = fmt.Sprintf(
+					"The given value is not suitable for %s, which is sensitive: %s. Invalid value defined at %s.",
+					addr, err, sourceRange.ToHCL(),
+				)
+				subject = cfg.DeclRange.Ptr()
 			}
 		}
 

diff --git a/internal/terraform/eval_variable_test.go b/internal/terraform/eval_variable_test.go
@@ -593,13 +593,11 @@ func TestPrepareFinalInputVariableValue(t *testing.T) {
 			{
 				ValueFromConfig,
 				tfdiags.SourceRange{
-					Filename: "example.tf",
+					Filename: "example.tfvars",
 					Start:    tfdiags.SourcePos(hcl.InitialPos),
 					End:      tfdiags.SourcePos(hcl.InitialPos),
 				},
-				`Invalid value for input variable: The given value is not suitable for var.constrained_string_sensitive_required declared at main.tf:46,3-51: string required.
-
-var.constrained_string_sensitive_required is marked as sensitive. Invalid value defined at example.tf:1,1-1.`,
+				`Invalid value for input variable: The given value is not suitable for var.constrained_string_sensitive_required, which is sensitive: string required. Invalid value defined at example.tfvars:1,1-1.`,
 				true,
 			},
 		}
@@ -626,8 +624,10 @@ var.constrained_string_sensitive_required is marked as sensitive. Invalid value
 						t.Errorf("wrong error\ngot:  %s\nwant: %s", got, want)
 					}
 
-					if test.HideSubject != (diags[0].Source().Subject == nil) {
-						t.Errorf("Subject (code context) should have been masked\ngot:  %v", diags[0].Source().Subject)
+					if test.HideSubject {
+						if got, want := diags[0].Source().Subject.StartString(), test.SourceRange.StartString(); got == want {
+							t.Errorf("Subject start should have been hidden, but was %s", got)
+						}
 					}
 				})
 			})