From 89aea31bbd9a1992341cde7b363ff580142a8b75 Mon Sep 17 00:00:00 2001
From: CJ Horton
Date: Mon, 11 Dec 2023 09:24:56 -0800
Subject: [PATCH] stackstate: sensitive values are preserved when deserializing

Without this, sensitive values cause a permadiff, since their sensitivity is lost on every round trip through state.
---
 internal/plans/planfile/tfplan.go | 12 ++++++++++++
 internal/stacks/stackstate/from_proto.go | 17 ++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/internal/plans/planfile/tfplan.go b/internal/plans/planfile/tfplan.go
index 74b5afb413..8ac9c8cab4 100644
--- a/internal/plans/planfile/tfplan.go
+++ b/internal/plans/planfile/tfplan.go
@@ -906,6 +906,18 @@ func pathValueMarksToTfplan(pvm []cty.PathValueMarks) ([]*planproto.Path, error)
 return ret, nil
 }
 
+// PathFromProto decodes a path to a nested attribute into a cty.Path for
+// use in tracking marked values.
+//
+// This is used by the stackstate package, which uses planproto.Path messages
+// while using a different overall container.
+func PathFromProto(path *planproto.Path) (cty.Path, error) {
+ if path == nil {
+ return nil, nil
+ }
+ return pathFromTfplan(path)
+}
+
 func pathFromTfplan(path *planproto.Path) (cty.Path, error) {
 ret := make([]cty.PathStep, 0, len(path.Steps))
 for _, step := range path.Steps {
diff --git a/internal/stacks/stackstate/from_proto.go b/internal/stacks/stackstate/from_proto.go
index 4995497f8a..461705a166 100644
--- a/internal/stacks/stackstate/from_proto.go
+++ b/internal/stacks/stackstate/from_proto.go
@@ -7,10 +7,13 @@ import (
 "fmt"
 
 "github.com/hashicorp/terraform/internal/addrs"
+ "github.com/hashicorp/terraform/internal/lang/marks"
+ "github.com/hashicorp/terraform/internal/plans/planfile"
 "github.com/hashicorp/terraform/internal/stacks/stackaddrs"
 "github.com/hashicorp/terraform/internal/stacks/stackstate/statekeys"
 "github.com/hashicorp/terraform/internal/stacks/tfstackdata1"
 "github.com/hashicorp/terraform/internal/states"
+ "github.com/zclconf/go-cty/cty"
 "google.golang.org/protobuf/proto"
 "google.golang.org/protobuf/reflect/protoreflect"
 "google.golang.org/protobuf/types/known/anypb"
@@ -217,7 +220,19 @@ func DecodeProtoResourceInstanceObject(protoObj *tfstackdata1.StateResourceInsta
 return nil, fmt.Errorf("unsupported status %s", protoObj.Status.String())
 }
 
- // TODO: Deal with sensitive paths in protoObj.SensitivePaths
+ paths := make([]cty.PathValueMarks, 0, len(protoObj.SensitivePaths))
+ marks := cty.NewValueMarks(marks.Sensitive)
+ for _, p := range protoObj.SensitivePaths {
+ path, err := planfile.PathFromProto(p)
+ if err != nil {
+ return nil, err
+ }
+ paths = append(paths, cty.PathValueMarks{
+ Path: path,
+ Marks: marks,
+ })
+ }
+ objSrc.AttrSensitivePaths = paths
 
 if len(protoObj.Dependencies) != 0 {
 objSrc.Dependencies = make([]addrs.ConfigResource, len(protoObj.Dependencies))
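Review bot: The added `marks := cty.NewValueMarks(marks.Sensitive)` shadows the imported `marks` package for the rest of DecodeProtoResourceInstanceObject (whose body starts and ends outside this hunk), and every PathValueMarks entry then shares that one map; a distinct name such as `sensitive := cty.NewValueMarks(marks.Sensitive)` avoids the shadowing. The decode failure is returned bare, so `for i, p := range protoObj.SensitivePaths` with `return nil, fmt.Errorf("decoding sensitive path %d: %w", i, err)` would say which entry was bad. PathFromProto in the first hunk returns a nil path with no error for a nil message, which here would presumably mark the whole object rather than one attribute; that fails towards over-redaction, but it is worth stating in its doc comment or rejecting. Since this loop is what keeps secret attributes redacted after state is reloaded and the diffstat lists no test file, a round-trip test with a sensitive attribute would guard against the marks being dropped again.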