Include sensitive metadata from the schema when building the json state output (#33059)

* include sensitive metadata from the schema when building the json state output * found another test case
2025-02-25 18:45:20 -06:00 · 2023-04-24 10:52:44 +02:00 · 2023-04-24 10:52:44 +02:00 · 14123e277c
commit 14123e277c
parent 519a18aedf
3 changed files with 64 additions and 10 deletions
--- a/internal/command/jsonstate/state.go
+++ b/internal/command/jsonstate/state.go
@ -398,7 +398,11 @@ func marshalResources(resources map[string]*states.Resource, module addrs.Module

 				current.AttributeValues = marshalAttributeValues(riObj.Value)

-				s := SensitiveAsBool(riObj.Value)
+				value, marks := riObj.Value.UnmarkDeepWithPaths()
+				if schema.ContainsSensitive() {
+					marks = append(marks, schema.ValueMarks(value, nil)...)
+				}
+				s := SensitiveAsBool(value.MarkWithPaths(marks))
 				v, err := ctyjson.Marshal(s, s.Type())
 				if err != nil {
 					return nil, err
@ -445,7 +449,11 @@ func marshalResources(resources map[string]*states.Resource, module addrs.Module

 				deposed.AttributeValues = marshalAttributeValues(riObj.Value)

-				s := SensitiveAsBool(riObj.Value)
+				value, marks := riObj.Value.UnmarkDeepWithPaths()
+				if schema.ContainsSensitive() {
+					marks = append(marks, schema.ValueMarks(value, nil)...)
+				}
+				s := SensitiveAsBool(value.MarkWithPaths(marks))
 				v, err := ctyjson.Marshal(s, s.Type())
 				if err != nil {
 					return nil, err
--- a/internal/command/jsonstate/state_test.go
+++ b/internal/command/jsonstate/state_test.go
@ -226,7 +226,49 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
+				},
+			},
+			false,
+		},
+		"single resource_with_sensitive": {
+			map[string]*states.Resource{
+				"test_thing.baz": {
+					Addr: addrs.AbsResource{
+						Resource: addrs.Resource{
+							Mode: addrs.ManagedResourceMode,
+							Type: "test_thing",
+							Name: "bar",
+						},
+					},
+					Instances: map[addrs.InstanceKey]*states.ResourceInstance{
+						addrs.NoKey: {
+							Current: &states.ResourceInstanceObjectSrc{
+								Status:    states.ObjectReady,
+								AttrsJSON: []byte(`{"woozles":"confuzles","foozles":"sensuzles"}`),
+							},
+						},
+					},
+					ProviderConfig: addrs.AbsProviderConfig{
+						Provider: addrs.NewDefaultProvider("test"),
+						Module:   addrs.RootModule,
+					},
+				},
+			},
+			testSchemas(),
+			[]Resource{
+				{
+					Address:      "test_thing.bar",
+					Mode:         "managed",
+					Type:         "test_thing",
+					Name:         "bar",
+					Index:        nil,
+					ProviderName: "registry.terraform.io/hashicorp/test",
+					AttributeValues: AttributeValues{
+						"foozles": json.RawMessage(`"sensuzles"`),
+						"woozles": json.RawMessage(`"confuzles"`),
+					},
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@ -343,7 +385,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@ -385,7 +427,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@ -430,7 +472,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@ -478,7 +520,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 				{
 					Address:      "test_thing.bar",
@ -492,7 +534,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
--- a/internal/command/testdata/show-json/conditions/output-refresh-only.json
+++ b/internal/command/testdata/show-json/conditions/output-refresh-only.json
@ -56,7 +56,9 @@
              "id": "placeheld",
              "password": null
            },
-            "sensitive_values": {}
+            "sensitive_values": {
+              "password": true
+            }
          },
          {
            "address": "test_instance.foo",
@ -70,7 +72,9 @@
              "id": "placeholder",
              "password": null
            },
-            "sensitive_values": {}
+            "sensitive_values": {
+              "password": true
+            }
          }
        ]
      }