ephemeral: add support for write-only attributes

Author: DanielMSchmidt

internal/plans/changes.go

@@ -582,6 +582,10 @@ type Change struct {
 	// collections/structures.
 	Before, After cty.Value
 
+	// BeforeWriteOnlyPaths and AfterWriteOnlyPaths are paths for any values
+	// in Before or After (respectively) that are considered to be write-only.
+	BeforeWriteOnlyPaths, AfterWriteOnlyPaths []cty.Path
+
 	// Importing is present if the resource is being imported as part of this
 	// change.
 	//
@@ -645,8 +649,8 @@ func (c *Change) Encode(ty cty.Type) (*ChangeSrc, error) {
 		After:                afterDV,
 		BeforeSensitivePaths: sensitiveAttrsBefore,
 		AfterSensitivePaths:  sensitiveAttrsAfter,
-		BeforeWriteOnlyPaths: nil, // TODO: Add write-only paths
-		AfterWriteOnlyPaths:  nil, // TODO: Add write-only paths
+		BeforeWriteOnlyPaths: c.BeforeWriteOnlyPaths,
+		AfterWriteOnlyPaths:  c.AfterWriteOnlyPaths,
 		Importing:            c.Importing.Encode(),
 		GeneratedConfig:      c.GeneratedConfig,
 	}, nil

internal/plans/changes_src.go

@@ -130,6 +130,12 @@ func (c *ChangesSrc) Decode(schemas *schemarepo.Schemas) (*Changes, error) {
 		rc.Before = marks.MarkPaths(rc.Before, marks.Sensitive, rcs.BeforeSensitivePaths)
 		rc.After = marks.MarkPaths(rc.After, marks.Sensitive, rcs.AfterSensitivePaths)
 
+		rc.Before = marks.MarkPaths(rc.Before, marks.Ephemeral, rcs.BeforeWriteOnlyPaths)
+		rc.After = marks.MarkPaths(rc.After, marks.Ephemeral, rcs.BeforeWriteOnlyPaths)
+
+		rc.BeforeWriteOnlyPaths = rcs.BeforeWriteOnlyPaths
+		rc.AfterWriteOnlyPaths = rcs.AfterWriteOnlyPaths
+
 		changes.Resources = append(changes.Resources, rc)
 	}
 

internal/states/instance_object.go

@@ -50,6 +50,10 @@ type ResourceInstanceObject struct {
 	// destroy operations, we need to record the status to ensure a resource
 	// removed from the config will still be destroyed in the same manner.
 	CreateBeforeDestroy bool
+
+	// AttrWriteOnlyPaths is an array of paths to mark as ephemeral coming out of
+	// state, or to save as write_only paths when saving state
+	AttrWriteOnlyPaths []cty.Path
 }
 
 // ObjectStatus represents the status of a RemoteObject.
@@ -135,6 +139,7 @@ func (o *ResourceInstanceObject) Encode(ty cty.Type, schemaVersion uint64) (*Res
 		SchemaVersion:       schemaVersion,
 		AttrsJSON:           src,
 		AttrSensitivePaths:  sensitivePaths,
+		AttrWriteOnlyPaths:  o.AttrWriteOnlyPaths,
 		Private:             o.Private,
 		Status:              o.Status,
 		Dependencies:        dependencies,

internal/states/instance_object_src.go

@@ -100,6 +100,7 @@ func (os *ResourceInstanceObjectSrc) Decode(ty cty.Type) (*ResourceInstanceObjec
 	default:
 		val, err = ctyjson.Unmarshal(os.AttrsJSON, ty)
 		val = marks.MarkPaths(val, marks.Sensitive, os.AttrSensitivePaths)
+		val = marks.MarkPaths(val, marks.Ephemeral, os.AttrWriteOnlyPaths)
 		if err != nil {
 			return nil, err
 		}
@@ -111,6 +112,7 @@ func (os *ResourceInstanceObjectSrc) Decode(ty cty.Type) (*ResourceInstanceObjec
 		Dependencies:        os.Dependencies,
 		Private:             os.Private,
 		CreateBeforeDestroy: os.CreateBeforeDestroy,
+		AttrWriteOnlyPaths:  os.AttrWriteOnlyPaths,
 	}, nil
 }
 

internal/states/remote/state_test.go

@@ -129,8 +129,9 @@ func TestStatePersist(t *testing.T) {
 										"attributes_flat": map[string]interface{}{
 											"filename": "file.txt",
 										},
-										"schema_version":       0.0,
-										"sensitive_attributes": []interface{}{},
+										"schema_version":        0.0,
+										"sensitive_attributes":  []interface{}{},
+										"write_only_attributes": []interface{}{},
 									},
 								},
 								"mode":     "managed",
@@ -167,8 +168,9 @@ func TestStatePersist(t *testing.T) {
 										"attributes_flat": map[string]interface{}{
 											"filename": "file.txt",
 										},
-										"schema_version":       0.0,
-										"sensitive_attributes": []interface{}{},
+										"schema_version":        0.0,
+										"sensitive_attributes":  []interface{}{},
+										"write_only_attributes": []interface{}{},
 									},
 								},
 								"mode":     "managed",

internal/states/statefile/version4.go

@@ -492,6 +492,8 @@ func appendInstanceObjectStateV4(rs *states.Resource, is *states.ResourceInstanc
 	// Marshal paths to JSON
 	attributeSensitivePaths, pathsDiags := marshalPaths(obj.AttrSensitivePaths)
 	diags = diags.Append(pathsDiags)
+	attributeWriteOnlyPaths, pathsDiags := marshalPaths(obj.AttrWriteOnlyPaths)
+	diags = diags.Append(pathsDiags)
 
 	return append(isV4s, instanceObjectStateV4{
 		IndexKey:                rawKey,
@@ -501,6 +503,7 @@ func appendInstanceObjectStateV4(rs *states.Resource, is *states.ResourceInstanc
 		AttributesFlat:          obj.AttrsFlat,
 		AttributesRaw:           obj.AttrsJSON,
 		AttributeSensitivePaths: attributeSensitivePaths,
+		AttributeWriteOnlyPaths: attributeWriteOnlyPaths,
 		PrivateRaw:              privateRaw,
 		Dependencies:            deps,
 		CreateBeforeDestroy:     obj.CreateBeforeDestroy,