// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package plancheck
import (
"context"
"fmt"
"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
)
// Compile-time assertion that expectSensitiveValue satisfies PlanCheck.
var _ PlanCheck = expectSensitiveValue{}

// expectSensitiveValue is the PlanCheck implementation returned by
// ExpectSensitiveValue.
type expectSensitiveValue struct {
	// resourceAddress is compared with the Address of each resource change in the plan.
	resourceAddress string

	// attributePath is traversed inside the matched change's AfterSensitive value.
	attributePath tfjsonpath.Path
}
// CheckPlan implements PlanCheck. It scans req.Plan.ResourceChanges for the
// first entry whose Address equals e.resourceAddress and traverses that
// entry's Change.AfterSensitive value along e.attributePath. ctx is not used.
//
// resp.Error is set when the traversal fails, when the traversed value is not
// a bool, when it is false, or when no resource change has the configured
// address. resp.Error is left untouched when the traversed value is true.
//
// Only AfterSensitive is read: a passing check covers the sensitivity marking
// the plan records for the attribute, and asserts nothing else about how the
// value is handled.
func (e expectSensitiveValue) CheckPlan(ctx context.Context, req CheckPlanRequest, resp *CheckPlanResponse) {
	for _, change := range req.Plan.ResourceChanges {
		if change.Address != e.resourceAddress {
			continue
		}

		// The first resource change with a matching address decides the
		// outcome; every path below returns without looking further.
		raw, err := tfjsonpath.Traverse(change.Change.AfterSensitive, e.attributePath)
		if err != nil {
			resp.Error = err
			return
		}

		switch sensitive, isBool := raw.(bool); {
		case !isBool:
			// The path resolved to something other than a single bool marker.
			resp.Error = fmt.Errorf("invalid path: the path value cannot be asserted as bool")
		case !sensitive:
			resp.Error = fmt.Errorf("attribute at path is not sensitive")
		}

		return
	}

	resp.Error = fmt.Errorf("%s - Resource not found in plan ResourceChanges", e.resourceAddress)
}
// ExpectSensitiveValue returns a plan check asserting that the attribute at
// attributePath of the resource at resourceAddress is marked sensitive in the
// plan.
//
// terraform-plugin-sdk and terraform-plugin-framework differ in how they
// represent sensitive values. For example, terraform-plugin-sdk based providers
// may report sensitivity less precisely, such as marking a whole map as
// sensitive rather than its individual element values.
//
// The returned check reads only the plan's sensitivity data for the attribute;
// it makes no assertion about how the value is stored or displayed elsewhere.
func ExpectSensitiveValue(resourceAddress string, attributePath tfjsonpath.Path) PlanCheck {
	var check expectSensitiveValue
	check.resourceAddress = resourceAddress
	check.attributePath = attributePath

	return check
}