From 78b69ab5d80ceb4e9d355696a3259a9385778d2e Mon Sep 17 00:00:00 2001
From: Daniel Schmidt <danielmschmidt92@gmail.com>
Date: Wed, 20 Nov 2024 13:47:09 +0100
Subject: [PATCH] ephemeral: allow ephemeral values in write-only attributes

---
 internal/terraform/node_resource_validate.go | 31 +++++++++++---------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/internal/terraform/node_resource_validate.go b/internal/terraform/node_resource_validate.go
index 7d4a0c00c2..f232da7912 100644
--- a/internal/terraform/node_resource_validate.go
+++ b/internal/terraform/node_resource_validate.go
@@ -749,21 +749,24 @@ func validateDependsOn(ctx EvalContext, dependsOn []hcl.Traversal) (diags tfdiag
 // by calling [tfdiags.Diagnostics.InConfigBody] before returning them to
 // any caller that expects fully-resolved diagnostics.
 func validateResourceForbiddenEphemeralValues(ctx EvalContext, value cty.Value, schema *configschema.Block) (diags tfdiags.Diagnostics) {
-	// NOTE: We take a schema argument in anticipation of a future feature
-	// that might allow managed resources to declare certain attributes as
-	// being "write-only", which would create a little nested island where
-	// ephemeral values are permitted in return for providers accepting that
-	// those values will not be preserved between plan and apply or between
-	// sequential plan/apply rounds. But we aren't doing that yet, so we
-	// just ignore that argument for now.
-
 	for _, path := range ephemeral.EphemeralValuePaths(value) {
-		diags = diags.Append(tfdiags.AttributeValue(
-			tfdiags.Error,
-			"Invalid use of ephemeral value",
-			"Ephemeral values are not valid in resource arguments, because resource instances must persist between Terraform phases.",
-			path,
-		))
+		attr := schema.AttributeByPath(path)
+		if attr == nil {
+			diags = diags.Append(tfdiags.AttributeValue(
+				tfdiags.Error,
+				"Could not find schema for attribute",
+				"This is most likely a bug in Terraform, please report it.",
+				path,
+			))
+		} else if !attr.WriteOnly {
+			diags = diags.Append(tfdiags.AttributeValue(
+				tfdiags.Error,
+				"Invalid use of ephemeral value",
+				"Ephemeral values are not valid in resource arguments, because resource instances must persist between Terraform phases.",
+				path,
+			))
+		}
+
 	}
 	return diags
 }