Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

templatefile variables need to be unmarked for TypeFunc #36127

Merged
merged 1 commit into from
Nov 29, 2024

Conversation

jbardin
Copy link
Member

@jbardin jbardin commented Nov 27, 2024

The templatefile function actually calls the full renderer within the TypeFunc to determine what the resulting type might be, but that also requires unmarking the top-level of the vars map to strip marks even though the value is unused.

Fixes #36123

Target Release

v1.10.1

Draft CHANGELOG entry

BUG FIXES

  • config: templatefile panics when given a sensitive or ephemeral collection of variables

The templatefile function actually calls the full renderer within the
TypeFunc to determine what the resulting might be, but that also
requires unmarking the top-level of the vars map to strip marks even
though the value is unused.
@jbardin jbardin added the 1.10-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label Nov 27, 2024
@jbardin jbardin requested a review from a team as a code owner November 27, 2024 21:31
Copy link
Member

@liamcervante liamcervante left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense to me, but I'm curious why this wasn't broken prior to 1.10?

@jbardin jbardin merged commit b66fbb0 into main Nov 29, 2024
8 checks passed
@jbardin jbardin deleted the jbardin/templatefile-marks branch November 29, 2024 15:34
Copy link
Contributor

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@jbardin
Copy link
Member Author

jbardin commented Nov 29, 2024

@liamcervante, functions can't opt into only handling one of unknown OR marked values, because the shortcut logic for one option can't take into account the other. We had to change the marks or unknown handling for a lot of core functions in order to get the desired ephemeral behavior, but templatefile got missed both because the rendering function is a closure create outside the impl body and wasn't noticed, and that same renderer is also called within the type function.

Copy link
Contributor

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
1.10-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Terraform v1.10 templatefile can't accept secrets
2 participants