Add support sensitive variables in TestRunner (#337)

Author: wata727

helper/runner.go

@@ -7,10 +7,12 @@ import (
 	"reflect"
 
 	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/gohcl"
 	"github.com/hashicorp/hcl/v2/hclsyntax"
 	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
 	"github.com/terraform-linters/tflint-plugin-sdk/internal"
 	"github.com/terraform-linters/tflint-plugin-sdk/terraform/addrs"
+	"github.com/terraform-linters/tflint-plugin-sdk/terraform/lang/marks"
 	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/convert"
@@ -410,6 +412,9 @@ func decodeVariableBlock(block *hcl.Block) (*Variable, hcl.Diagnostics) {
 			{
 				Name: "default",
 			},
+			{
+				Name: "sensitive",
+			},
 		},
 	})
 	if diags.HasErrors() {
@@ -424,6 +429,15 @@ func decodeVariableBlock(block *hcl.Block) (*Variable, hcl.Diagnostics) {
 
 		v.Default = val
 	}
+	if attr, exists := content.Attributes["sensitive"]; exists {
+		var sensitive bool
+		diags := gohcl.DecodeExpression(attr.Expr, nil, &sensitive)
+		if diags.HasErrors() {
+			return v, diags
+		}
+
+		v.Default = v.Default.Mark(marks.Sensitive)
+	}
 
 	return v, nil
 }

helper/runner_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/hcl/v2/hclsyntax"
 	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
 	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/zclconf/go-cty/cty"
 )
 
 func Test_GetResourceContent(t *testing.T) {
@@ -536,7 +537,7 @@ func Test_DecodeRuleConfig_config_not_found(t *testing.T) {
 	}
 }
 
-func Test_EvaluateExpr(t *testing.T) {
+func Test_EvaluateExpr_string(t *testing.T) {
 	tests := []struct {
 		Name string
 		Src  string
@@ -601,6 +602,64 @@ resource "aws_instance" "foo" {
 	}
 }
 
+func Test_EvaluateExpr_value(t *testing.T) {
+	tests := []struct {
+		Name string
+		Src  string
+		Want string
+	}{
+		{
+			Name: "sensitive variable",
+			Src: `
+variable "instance_type" {
+  type = string
+  default = "secret"
+  sensitive = true
+}
+
+resource "aws_instance" "foo" {
+  instance_type = var.instance_type
+}`,
+			Want: `cty.StringVal("secret").Mark(marks.Sensitive)`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			runner := TestRunner(t, map[string]string{"main.tf": test.Src})
+
+			resources, err := runner.GetResourceContent("aws_instance", &hclext.BodySchema{
+				Attributes: []hclext.AttributeSchema{{Name: "instance_type"}},
+			}, nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			for _, resource := range resources.Blocks {
+				// raw value
+				var instanceType cty.Value
+				if err := runner.EvaluateExpr(resource.Body.Attributes["instance_type"].Expr, &instanceType, nil); err != nil {
+					t.Fatal(err)
+				}
+
+				if instanceType.GoString() != test.Want {
+					t.Fatalf(`"%s" is expected, but got "%s"`, test.Want, instanceType.GoString())
+				}
+
+				// callback
+				if err := runner.EvaluateExpr(resource.Body.Attributes["instance_type"].Expr, func(val cty.Value) error {
+					if instanceType.GoString() != test.Want {
+						t.Fatalf(`"%s" is expected, but got "%s"`, test.Want, instanceType.GoString())
+					}
+					return nil
+				}, nil); err != nil {
+					t.Fatal(err)
+				}
+			}
+		})
+	}
+}
+
 type dummyRule struct {
 	tflint.DefaultRule
 }