Skip to content

Backport of validation: don't strip marks from variables during validation into v1.13 #37604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 15, 2025
Merged

Backport of validation: don't strip marks from variables during validation into v1.13 #37604

merged 2 commits into from
Sep 15, 2025

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Sep 12, 2025

Backport

This PR is auto-generated from #37595 to be assessed for backporting due to the inclusion of the label 1.13-backport.

The below text is copied from the body of the original PR.

There is custom logic for variable validations, explained in the surrounding comment. This was actually also stripping away sensitive and ephemeral metadata (or more accurately, just not adding it). This metadata is added by the usual approach of generating the HCL context. This meant errors during variable validation would expose sensitive values.

This PR updates the custom logic so that it only generates the value itself during the validate walk (which is the only time the custom logic is actually needed). For the validate walk, all variables are unknown anyway so the metadata doesn't matter.

Now, during other walks (eg. plan and apply) the real data is used, that does have the sensitive metadata attached. This means the sensitive metadata is no longer being exposed.

Target Release

1.13.2

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.
Overview of commits

@github-actions github-actions bot force-pushed the backport/liamcervante/validate/variable-conditions/quietly-fresh-goshawk branch from 886a8ad to 5534e3d Compare September 12, 2025 14:39
@liamcervante liamcervante marked this pull request as ready for review September 12, 2025 14:46
@liamcervante liamcervante requested a review from a team as a code owner September 12, 2025 14:46
liamcervante
liamcervante previously approved these changes Sep 12, 2025
View reviewed changes
@liamcervante liamcervante merged commit 54ceb05 into v1.13 Sep 15, 2025
13 of 15 checks passed
@liamcervante liamcervante deleted the backport/liamcervante/validate/variable-conditions/quietly-fresh-goshawk branch September 15, 2025 08:20
@github-actions
Copy link
Contributor Author

github-actions bot commented Oct 16, 2025

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@matejrisek matejrisek matejrisek approved these changes

@SarahFrench SarahFrench SarahFrench approved these changes

@liamcervante liamcervante liamcervante left review comments

Assignees

@liamcervante liamcervante

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@matejrisek @SarahFrench @liamcervante