feat: sanitize config module_calls. (#9)

terramate-io · Jul 17, 2024 · 88c5674 · 88c5674
2 parents 0be1534 + c7af8cc
commit 88c5674
Show file tree

Hide file tree

Showing 4 changed files with 1,215 additions and 19 deletions.
diff --git a/sanitize/sanitize_config.go b/sanitize/sanitize_config.go
@@ -59,21 +59,42 @@ func SanitizeConfigVariables(old map[string]*tfjson.ConfigVariable, replaceWith
 	return variables, nil
 }
 
-func SanitizeModuleResourceProvisioners(old []*tfjson.ConfigResource, replaceWith interface{}) ([]*tfjson.ConfigResource, error) {
-	resources := make([]*tfjson.ConfigResource, len(old))
-	for i, res := range old {
-		r, err := copyConfigResource(res)
-		if err != nil {
-			return nil, err
-		}
-		for _, prov := range r.Provisioners {
-			for _, expr := range prov.Expressions {
+func sanitizeModuleConfig(module *tfjson.ConfigModule, replaceWith interface{}) error {
+	var err error
+	module.Variables, err = SanitizeConfigVariables(module.Variables, replaceWith)
+	if err != nil {
+		return err
+	}
+
+	for _, res := range module.Resources {
+		sanitizeResourceConfig(res, replaceWith)
+	}
+
+	for _, mod := range module.ModuleCalls {
+		for name, expr := range mod.Expressions {
+			if mod.Module.Variables == nil {
+				// NOTE(i4k): this should never happen because a module always define all its input.
+				// but in case we are dealing with a pre-processed JSON, this ensures
+				// we don't leak variables missing definitions.
 				sanitizeExpression(expr, replaceWith)
 			}
+			if varConfig, ok := mod.Module.Variables[name]; ok && varConfig.Sensitive {
+				sanitizeExpression(expr, replaceWith)
+			}
+		}
+
+		sanitizeModuleConfig(mod.Module, replaceWith)
+	}
+
+	return nil
+}
+
+func sanitizeResourceConfig(r *tfjson.ConfigResource, replaceWith interface{}) {
+	for _, prov := range r.Provisioners {
+		for _, expr := range prov.Expressions {
+			sanitizeExpression(expr, replaceWith)
 		}
-		resources[i] = r
 	}
-	return resources, nil
 }
 
 func sanitizeExpression(expression *tfjson.Expression, replaceWith interface{}) {

diff --git a/sanitize/sanitize_plan.go b/sanitize/sanitize_plan.go
@@ -119,14 +119,8 @@ func SanitizePlanWithValue(old *tfjson.Plan, replaceWith interface{}) (*tfjson.P
 		return nil, err
 	}
 
-	// Sanitize RootModule variables
-	result.Config.RootModule.Variables, err = SanitizeConfigVariables(result.Config.RootModule.Variables, replaceWith)
-	if err != nil {
-		return nil, err
-	}
-
-	// Sanitize RootModule resource provisioners
-	result.Config.RootModule.Resources, err = SanitizeModuleResourceProvisioners(result.Config.RootModule.Resources, replaceWith)
+	// Sanitize RootModule recursively into module calls and child_modules
+	err = sanitizeModuleConfig(result.Config.RootModule, replaceWith)
 	if err != nil {
 		return nil, err
 	}