From e45eca4dc5d74d800145f985e6e2617650398d09 Mon Sep 17 00:00:00 2001
From: Jason Dunsmore <jasondunsmore@gmail.com>
Date: Wed, 10 Jun 2015 15:19:45 -0500
Subject: [PATCH] Copy environment before decrypting

This is to prevent the decrypted values from being written to the
database.

Change-Id: Iab8d4d737e3fd839a12d8782367ff0b731f93fe7
Closes-Bug: #1463929
Co-Authored-By: Thomas Herve <therve@redhat.com>
---
 heat/objects/raw_template.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/heat/objects/raw_template.py b/heat/objects/raw_template.py
index af20200726..473115bbfd 100644
--- a/heat/objects/raw_template.py
+++ b/heat/objects/raw_template.py
@@ -17,6 +17,8 @@
 RawTemplate object
 """
 
+import copy
+
 from oslo_config import cfg
 from oslo_utils import encodeutils
 from oslo_versionedobjects import base
@@ -46,6 +48,7 @@ class RawTemplate(
         for field in tpl.fields:
             tpl[field] = db_tpl[field]
 
+        tpl.environment = copy.deepcopy(tpl.environment)
         # If any of the parameters were encrypted, then decrypt them
         if env_fmt.ENCRYPTED_PARAM_NAMES in tpl.environment:
             parameters = tpl.environment[env_fmt.PARAMETERS]