Merge pull request #36523 from hashicorp/backport/jbardin/write-only-validation/strongly-legal-snake

Backport of `WriteOnly` validation on deeply nested ephemeral values into v1.11

Author: jbardin

internal/configs/configschema/coerce_value.go

@@ -110,13 +110,15 @@ func (b *Block) coerceValue(in cty.Value, path cty.Path) (cty.Value, error) {
 					continue
 				}
 
+				coll, marks := coll.Unmark()
+
 				if !coll.CanIterateElements() {
 					return cty.UnknownVal(impliedType), path.NewErrorf("must be a list")
 				}
 				l := coll.LengthInt()
 
 				if l == 0 {
-					attrs[typeName] = cty.ListValEmpty(blockS.ImpliedType())
+					attrs[typeName] = cty.ListValEmpty(blockS.ImpliedType()).WithMarks(marks)
 					continue
 				}
 				elems := make([]cty.Value, 0, l)
@@ -132,7 +134,7 @@ func (b *Block) coerceValue(in cty.Value, path cty.Path) (cty.Value, error) {
 						elems = append(elems, val)
 					}
 				}
-				attrs[typeName] = cty.ListVal(elems)
+				attrs[typeName] = cty.ListVal(elems).WithMarks(marks)
 			default:
 				attrs[typeName] = cty.ListValEmpty(blockS.ImpliedType())
 			}
@@ -150,14 +152,15 @@ func (b *Block) coerceValue(in cty.Value, path cty.Path) (cty.Value, error) {
 					attrs[typeName] = cty.UnknownVal(cty.Set(blockS.ImpliedType()))
 					continue
 				}
+				coll, marks := coll.Unmark()
 
 				if !coll.CanIterateElements() {
-					return cty.UnknownVal(impliedType), path.NewErrorf("must be a set")
+					return cty.UnknownVal(impliedType), path.NewErrorf("cannot iterate over %#v", coll)
 				}
 				l := coll.LengthInt()
 
 				if l == 0 {
-					attrs[typeName] = cty.SetValEmpty(blockS.ImpliedType())
+					attrs[typeName] = cty.SetValEmpty(blockS.ImpliedType()).WithMarks(marks)
 					continue
 				}
 				elems := make([]cty.Value, 0, l)
@@ -173,7 +176,7 @@ func (b *Block) coerceValue(in cty.Value, path cty.Path) (cty.Value, error) {
 						elems = append(elems, val)
 					}
 				}
-				attrs[typeName] = cty.SetVal(elems)
+				attrs[typeName] = cty.SetVal(elems).WithMarks(marks)
 			default:
 				attrs[typeName] = cty.SetValEmpty(blockS.ImpliedType())
 			}
@@ -191,13 +194,14 @@ func (b *Block) coerceValue(in cty.Value, path cty.Path) (cty.Value, error) {
 					attrs[typeName] = cty.UnknownVal(cty.Map(blockS.ImpliedType()))
 					continue
 				}
+				coll, marks := coll.Unmark()
 
 				if !coll.CanIterateElements() {
 					return cty.UnknownVal(impliedType), path.NewErrorf("must be a map")
 				}
 				l := coll.LengthInt()
 				if l == 0 {
-					attrs[typeName] = cty.MapValEmpty(blockS.ImpliedType())
+					attrs[typeName] = cty.MapValEmpty(blockS.ImpliedType()).WithMarks(marks)
 					continue
 				}
 				elems := make(map[string]cty.Value)
@@ -220,24 +224,14 @@ func (b *Block) coerceValue(in cty.Value, path cty.Path) (cty.Value, error) {
 				// If the attribute values here contain any DynamicPseudoTypes,
 				// the concrete type must be an object.
 				useObject := false
-				switch {
-				case coll.Type().IsObjectType():
+				if coll.Type().IsObjectType() || blockS.ImpliedType().HasDynamicTypes() {
 					useObject = true
-				default:
-					// It's possible that we were given a map, and need to coerce it to an object
-					ety := coll.Type().ElementType()
-					for _, v := range elems {
-						if !v.Type().Equals(ety) {
-							useObject = true
-							break
-						}
-					}
 				}
 
 				if useObject {
-					attrs[typeName] = cty.ObjectVal(elems)
+					attrs[typeName] = cty.ObjectVal(elems).WithMarks(marks)
 				} else {
-					attrs[typeName] = cty.MapVal(elems)
+					attrs[typeName] = cty.MapVal(elems).WithMarks(marks)
 				}
 			default:
 				attrs[typeName] = cty.MapValEmpty(blockS.ImpliedType())

internal/configs/configschema/internal_validate.go

@@ -77,6 +77,12 @@ func (b *Block) internalValidate(prefix string) error {
 					// properly hash them, and so can't support mixed types.
 					multiErr = errors.Join(multiErr, fmt.Errorf("%s%s: NestingSet blocks may not contain attributes of cty.DynamicPseudoType", prefix, name))
 				}
+				if blockS.Block.ContainsWriteOnly() {
+					// This is not permitted because any marks within sets will
+					// be hoisted up the outer set value, so only the set itself
+					// can be WriteOnly.
+					multiErr = errors.Join(multiErr, fmt.Errorf("%s%s: NestingSet blocks may not contain WriteOnly attributes", prefix, name))
+				}
 			}
 		case NestingMap:
 			if blockS.MinItems != 0 || blockS.MaxItems != 0 {
@@ -142,7 +148,13 @@ func (a *Attribute) internalValidate(name, prefix string) error {
 					// This is not permitted because the HCL (cty) set implementation
 					// needs to know the exact type of set elements in order to
 					// properly hash them, and so can't support mixed types.
-					err = errors.Join(err, fmt.Errorf("%s%s: NestingSet blocks may not contain attributes of cty.DynamicPseudoType", prefix, name))
+					err = errors.Join(err, fmt.Errorf("%s%s: NestingSet attributes may not contain attributes of cty.DynamicPseudoType", prefix, name))
+				}
+				if a.NestedType.ContainsWriteOnly() {
+					// This is not permitted because any marks within sets will
+					// be hoisted up the outer set value, so only the set itself
+					// can be WriteOnly.
+					err = errors.Join(err, fmt.Errorf("%s%s: NestingSet attributes may not contain WriteOnly attributes", prefix, name))
 				}
 			}
 		default:

internal/configs/configschema/internal_validate_test.go

@@ -265,6 +265,45 @@ func TestBlockInternalValidate(t *testing.T) {
 			},
 			[]string{"bad: block schema is nil"},
 		},
+		"nested set block with write-only attribute": {
+			&Block{
+				BlockTypes: map[string]*NestedBlock{
+					"bad": {
+						Nesting: NestingSet,
+						Block: Block{
+							Attributes: map[string]*Attribute{
+								"wo": {
+									Type:      cty.String,
+									Optional:  true,
+									WriteOnly: true,
+								},
+							},
+						},
+					},
+				},
+			},
+			[]string{"bad: NestingSet blocks may not contain WriteOnly attributes"},
+		},
+		"nested set attributes with write-only attribute": {
+			&Block{
+				Attributes: map[string]*Attribute{
+					"bad": {
+						NestedType: &Object{
+							Attributes: map[string]*Attribute{
+								"wo": {
+									Type:      cty.String,
+									Optional:  true,
+									WriteOnly: true,
+								},
+							},
+							Nesting: NestingSet,
+						},
+						Optional: true,
+					},
+				},
+			},
+			[]string{"bad: NestingSet attributes may not contain WriteOnly attributes"},
+		},
 	}
 
 	for name, test := range tests {

internal/configs/configschema/path_test.go

@@ -32,6 +32,24 @@ func TestAttributeByPath(t *testing.T) {
 					},
 				},
 			},
+			"a4": {
+				Description: "a3",
+				NestedType: &Object{
+					Nesting: NestingMap,
+					Attributes: map[string]*Attribute{
+						"nt1": {Description: "nt1"},
+						"nt2": {
+							Description: "nt2",
+							NestedType: &Object{
+								Nesting: NestingSingle,
+								Attributes: map[string]*Attribute{
+									"deeply_nested": {Description: "deeply_nested"},
+								},
+							},
+						},
+					},
+				},
+			},
 		},
 		BlockTypes: map[string]*NestedBlock{
 			"b1": {
@@ -97,6 +115,11 @@ func TestAttributeByPath(t *testing.T) {
 			"missing",
 			false,
 		},
+		{
+			cty.GetAttrPath("a3").IndexInt(1).GetAttr("nt2").GetAttr("deeply_nested"),
+			"deeply_nested",
+			true,
+		},
 		{
 			cty.GetAttrPath("b1"),
 			"block",
@@ -133,6 +156,11 @@ func TestAttributeByPath(t *testing.T) {
 			"a9",
 			true,
 		},
+		{
+			cty.GetAttrPath("a4").IndexString("test").GetAttr("nt2").GetAttr("deeply_nested"),
+			"deeply_nested",
+			true,
+		},
 	} {
 		t.Run(tc.attrDescription, func(t *testing.T) {
 			attr := schema.AttributeByPath(tc.path)

internal/terraform/node_resource_validate.go

@@ -752,14 +752,23 @@ func validateDependsOn(ctx EvalContext, dependsOn []hcl.Traversal) (diags tfdiag
 func validateResourceForbiddenEphemeralValues(ctx EvalContext, value cty.Value, schema *configschema.Block) (diags tfdiags.Diagnostics) {
 	for _, path := range ephemeral.EphemeralValuePaths(value) {
 		attr := schema.AttributeByPath(path)
+
+		// If this attribute doesn't exist (usually through a dynamic type) or
+		// itself isn't write-only, it may be nested within a more complex type
+		// which is write-only. We need to walk upwards through the path
+		// segments and see of something wrapping this path is write-only.
+		for (attr == nil || !attr.WriteOnly) && len(path) > 1 {
+			path = path[:len(path)-1]
+			attr = schema.AttributeByPath((path))
+		}
+
 		// We know the config decoded, so the "attribute" exists in the
 		// schema somehow. If the ephemeral mark ended up being hoisted into
 		// a container however, especially if that container is a block,
 		// it's not actually an assignable attribute so we need to make a
 		// generic sounding error with a little more context because the
 		// AttributeValue diagnostic won't point to anything except the
 		// resource block.
-		//
 		if attr == nil {
 			diags = diags.Append(tfdiags.AttributeValue(
 				tfdiags.Error,