issensitive must return unknown for unknown args without sensitive #36012
| case v.HasMark(marks.Sensitive): | ||
| return cty.True, nil | ||
| case !v.IsKnown(): | ||
| return cty.UnknownVal(cty.Bool), nil |
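Review bot: The order of the two `case` arms is load-bearing but undocumented: `case v.HasMark(marks.Sensitive)` has to stay above `case !v.IsKnown()` so that an unknown value that already carries the sensitive mark returns `cty.True` instead of an unknown bool. A short comment above the first arm, saying that a mark present on an unknown value is kept in the final value while a missing mark on an unknown value proves nothing, would keep a later cleanup from swapping them. If the change does not already include them, a test case each for unknown+sensitive and unknown+unmarked would pin the behaviour.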
It can't lose marks going from unknown to known? Do we want to switch these case statements around?
Whoops, I didn't read the PR description 😅
Terraform attempts to track marks as accurately as possible, but unknown values may not always have the same marks as they will when they become known. This is most easily seen with functions, which are allowed to return an unknown value when faced with any unknown arguments, while they are also allowed to manipulate the marks on the values as they see fit. This results in situations where the marks simply cannot be known.
Terraform generally takes the stance that if an unknown has a mark, it will remain in the final value, but the absence of a mark is not indicative of the absence of any marks in the final value. That appears to be something we can continue to maintain throughout the codebase, so given that axiom I'm going to codify it here by only changing the `issensitive` results for unknown, unmarked values, but allowing unknown+sensitive values to return `true`.
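The rule in the description, as an added example that is not Terraform's code and not part of this pull request: a simplified Go model that checks whether a plan-time `issensitive` answer can be contradicted once the value becomes known. `Tri`, `Value`, `NaiveIsSensitive`, `Finals` and `Consistent` are hypothetical names, and the model assumes a single mark.

```go
package main

import "fmt"

// Tri is the three-valued answer issensitive can give at plan time.
type Tri int

const False, True, Unknown Tri = 0, 1, 2

// Value is a constructed stand-in for a cty value carrying at most one mark.
type Value struct{ Known, Sensitive bool }

// IsSensitive uses the same case order as the hunk in this pull request.
func IsSensitive(v Value) Tri {
	switch {
	case v.Sensitive:
		return True
	case !v.Known:
		return Unknown
	}
	return False
}

// NaiveIsSensitive (hypothetical) ignores unknown-ness and trusts the mark seen now.
func NaiveIsSensitive(v Value) Tri { return IsSensitive(Value{true, v.Sensitive}) }

// Finals lists what v may become once known: a present mark stays, an absent
// mark on an unknown value may still appear.
func Finals(v Value) []Value {
	if v.Known || v.Sensitive {
		return []Value{{true, v.Sensitive}}
	}
	return []Value{{true, false}, {true, true}}
}

// Consistent reports whether the plan-time answer for v is never contradicted later.
func Consistent(f func(Value) Tri, v Value) bool {
	plan := f(v)
	for _, fin := range Finals(v) {
		if plan != Unknown && plan != f(fin) {
			return false
		}
	}
	return true
}

func main() {
	u := Value{} // unknown and unmarked
	fmt.Println(Consistent(IsSensitive, u), Consistent(NaiveIsSensitive, u)) // true false
}
```

The naive variant fails only for the unknown, unmarked input, which is the one case the description says must now return unknown.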