From b4c24c22f81925325c810cba678f6e58c6657922 Mon Sep 17 00:00:00 2001 From: James Bardin Date: Fri, 15 Nov 2024 10:36:34 -0500 Subject: [PATCH] issensitive must return unknown for unknown args Terraform attempts to track marks as accurately as possible, but unknown values may not always have the same marks as they will when they become known. This is most easily seen with functions, which are allowed to return an unknown value when faced with any unknown arguments, while they are also allowed to manipulate the marks on the values as they see fit. This results in situations where the marks simply cannot be known. Terraform generally takes the stance that if an unknown has a mark, it will remain in the final value, but the absence of a mark is not indicative of the absence of any marks in the final value. --- internal/lang/funcs/sensitive.go | 10 ++++++++-- internal/lang/funcs/sensitive_test.go | 20 ++++++++++---------- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/internal/lang/funcs/sensitive.go b/internal/lang/funcs/sensitive.go index 69fd703b90..4910e01fbd 100644 --- a/internal/lang/funcs/sensitive.go +++ b/internal/lang/funcs/sensitive.go @@ -70,8 +70,14 @@ var IssensitiveFunc = function.New(&function.Spec{ return cty.Bool, nil }, Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) { - s := args[0].HasMark(marks.Sensitive) - return cty.BoolVal(s), nil + switch v := args[0]; { + case v.HasMark(marks.Sensitive): + return cty.True, nil + case !v.IsKnown(): + return cty.UnknownVal(cty.Bool), nil + default: + return cty.False, nil + } }, }) diff --git a/internal/lang/funcs/sensitive_test.go b/internal/lang/funcs/sensitive_test.go index 865635e3d3..bd86252f8c 100644 --- a/internal/lang/funcs/sensitive_test.go +++ b/internal/lang/funcs/sensitive_test.go @@ -166,47 +166,47 @@ func TestNonsensitive(t *testing.T) { func TestIssensitive(t *testing.T) { tests := []struct { Input cty.Value - Sensitive bool + Sensitive cty.Value WantErr string }{ { cty.NumberIntVal(1).Mark(marks.Sensitive), - true, + cty.True, ``, }, { cty.NumberIntVal(1), - false, + cty.False, ``, }, { cty.DynamicVal.Mark(marks.Sensitive), - true, + cty.True, ``, }, { cty.UnknownVal(cty.String).Mark(marks.Sensitive), - true, + cty.True, ``, }, { cty.NullVal(cty.EmptyObject).Mark(marks.Sensitive), - true, + cty.True, ``, }, { cty.NullVal(cty.String), - false, + cty.False, ``, }, { cty.DynamicVal, - false, + cty.UnknownVal(cty.Bool), ``, }, { cty.UnknownVal(cty.String), - false, + cty.UnknownVal(cty.Bool), ``, }, } @@ -227,7 +227,7 @@ func TestIssensitive(t *testing.T) { t.Fatalf("unexpected error: %s", err) } - if (got.True() && !test.Sensitive) || (got.False() && test.Sensitive) { + if !got.RawEquals(test.Sensitive) { t.Errorf("wrong result \ngot: %#v\nwant: %#v", got, test.Sensitive) } })