write-only attributes: internal providers should set write-only attributes to null (#36824)

* write-only attributes: internal providers should set write-only attributes to null

* add changelog

* fix copywrite headers

Author: liamcervante

.changes/v1.11/BUG FIXES-20250402-143931.yaml

@@ -0,0 +1,5 @@
+kind: BUG FIXES
+body: 'write-only attributes: internal providers should set write-only attributes to null'
+time: 2025-04-02T14:39:31.672249+02:00
+custom:
+    Issue: "36824"

internal/command/test_test.go

@@ -322,6 +322,18 @@ func TestTest_Runs(t *testing.T) {
 			expectedErr: []string{"Cannot apply non-applyable plan"},
 			code:        1,
 		},
+		"write-only-attributes": {
+			expectedOut: []string{"1 passed, 0 failed."},
+			code:        0,
+		},
+		"write-only-attributes-mocked": {
+			expectedOut: []string{"1 passed, 0 failed."},
+			code:        0,
+		},
+		"write-only-attributes-overridden": {
+			expectedOut: []string{"1 passed, 0 failed."},
+			code:        0,
+		},
 	}
 	for name, tc := range tcs {
 		t.Run(name, func(t *testing.T) {
@@ -1618,6 +1630,7 @@ Terraform will perform the following actions:
       + destroy_fail = (known after apply)
       + id           = "constant_value"
       + value        = "bar"
+      + write_only   = (write-only attribute)
     }
 
 Plan: 1 to add, 0 to change, 0 to destroy.
@@ -1629,6 +1642,7 @@ resource "test_resource" "foo" {
     destroy_fail = false
     id           = "constant_value"
     value        = "bar"
+    write_only   = (write-only attribute)
 }
 
 main.tftest.hcl... tearing down
@@ -1951,6 +1965,7 @@ resource "test_resource" "module_resource" {
     destroy_fail = false
     id           = "df6h8as9"
     value        = "start"
+    write_only   = (write-only attribute)
 }
 
   run "initial_apply"... pass
@@ -1960,6 +1975,7 @@ resource "test_resource" "resource" {
     destroy_fail = false
     id           = "598318e0"
     value        = "start"
+    write_only   = (write-only attribute)
 }
 
   run "plan_second_example"... pass
@@ -1975,6 +1991,7 @@ Terraform will perform the following actions:
       + destroy_fail = (known after apply)
       + id           = "b6a1d8cb"
       + value        = "start"
+      + write_only   = (write-only attribute)
     }
 
 Plan: 1 to add, 0 to change, 0 to destroy.
@@ -1991,7 +2008,7 @@ Terraform will perform the following actions:
   ~ resource "test_resource" "resource" {
         id           = "598318e0"
       ~ value        = "start" -> "update"
-        # (1 unchanged attribute hidden)
+        # (2 unchanged attributes hidden)
     }
 
 Plan: 0 to add, 1 to change, 0 to destroy.
@@ -2008,7 +2025,7 @@ Terraform will perform the following actions:
   ~ resource "test_resource" "module_resource" {
         id           = "df6h8as9"
       ~ value        = "start" -> "update"
-        # (1 unchanged attribute hidden)
+        # (2 unchanged attributes hidden)
     }
 
 Plan: 0 to add, 1 to change, 0 to destroy.
@@ -2021,8 +2038,8 @@ Success! 5 passed, 0 failed.
 
 	actual := output.All()
 
-	if !strings.Contains(actual, expected) {
-		t.Errorf("output didn't match expected:\nexpected:\n%s\nactual:\n%s", expected, actual)
+	if diff := cmp.Diff(expected, actual); diff != "" {
+		t.Errorf("output didn't match expected:\nexpected:\n%s\nactual:\n%s\ndiff:\n%s", expected, actual, diff)
 	}
 
 	if provider.ResourceCount() > 0 {
@@ -2831,6 +2848,7 @@ resource "test_resource" "resource" {
     destroy_fail = false
     id           = "9ddca5a9"
     value        = (sensitive value)
+    write_only   = (write-only attribute)
 }
 
 
@@ -2845,6 +2863,7 @@ resource "test_resource" "resource" {
     destroy_fail = false
     id           = "9ddca5a9"
     value        = (sensitive value)
+    write_only   = (write-only attribute)
 }
 
 

internal/command/testdata/test/write-only-attributes-mocked/main.tf

@@ -0,0 +1,14 @@
+
+variable "input" {
+  type = string
+}
+
+data "test_data_source" "datasource" {
+  id = "resource"
+  write_only = var.input
+}
+
+resource "test_resource" "resource" {
+  value = data.test_data_source.datasource.value
+  write_only = var.input
+}

internal/command/testdata/test/write-only-attributes-mocked/main.tftest.hcl

@@ -0,0 +1,36 @@
+
+mock_provider "test" {
+  mock_resource "test_resource" {
+    defaults = {
+      id = "resource"
+    }
+  }
+
+  mock_data "test_data_source" {
+    defaults = {
+      value = "hello"
+    }
+  }
+}
+
+run "test" {
+  variables {
+    input = "input"
+  }
+
+  assert {
+    condition = data.test_data_source.datasource.value == "hello"
+    error_message = "wrong value"
+  }
+
+  assert {
+    condition = test_resource.resource.value == "hello"
+    error_message = "wrong value"
+  }
+
+  assert {
+    condition = test_resource.resource.id == "resource"
+    error_message = "wrong value"
+  }
+
+}

internal/command/testdata/test/write-only-attributes-overridden/main.tf

@@ -0,0 +1,14 @@
+
+variable "input" {
+  type = string
+}
+
+data "test_data_source" "datasource" {
+  id = "resource"
+  write_only = var.input
+}
+
+resource "test_resource" "resource" {
+  value = data.test_data_source.datasource.value
+  write_only = var.input
+}

internal/command/testdata/test/write-only-attributes-overridden/main.tftest.hcl

@@ -0,0 +1,38 @@
+
+provider "test" {}
+
+override_resource {
+  target = test_resource.resource
+  values = {
+    id = "resource"
+  }
+}
+
+override_data {
+  target = data.test_data_source.datasource
+  values = {
+    value = "hello"
+  }
+}
+
+run "test" {
+  variables {
+    input = "input"
+  }
+
+  assert {
+    condition = data.test_data_source.datasource.value == "hello"
+    error_message = "wrong value"
+  }
+
+  assert {
+    condition = test_resource.resource.value == "hello"
+    error_message = "wrong value"
+  }
+
+  assert {
+    condition = test_resource.resource.id == "resource"
+    error_message = "wrong value"
+  }
+
+}

internal/command/testdata/test/write-only-attributes/main.tf

@@ -0,0 +1,9 @@
+
+variable "input" {
+  type = string
+}
+
+resource "test_resource" "resource" {
+  id = "resource"
+  write_only = var.input
+}

internal/command/testdata/test/write-only-attributes/main.tftest.hcl

@@ -0,0 +1,8 @@
+
+provider "test" {}
+
+run "test" {
+  variables {
+    input = "input"
+  }
+}

internal/command/testing/test_provider.go

@@ -39,6 +39,7 @@ var (
 						"destroy_fail":         {Type: cty.Bool, Optional: true, Computed: true},
 						"create_wait_seconds":  {Type: cty.Number, Optional: true},
 						"destroy_wait_seconds": {Type: cty.Number, Optional: true},
+						"write_only":           {Type: cty.String, Optional: true, WriteOnly: true},
 					},
 				},
 			},
@@ -47,8 +48,9 @@ var (
 			"test_data_source": {
 				Body: &configschema.Block{
 					Attributes: map[string]*configschema.Attribute{
-						"id":    {Type: cty.String, Required: true},
-						"value": {Type: cty.String, Computed: true},
+						"id":         {Type: cty.String, Required: true},
+						"value":      {Type: cty.String, Computed: true},
+						"write_only": {Type: cty.String, Optional: true, WriteOnly: true},
 
 						// We never actually reference these values from a data
 						// source, but we have tests that use the same cty.Value
@@ -233,12 +235,18 @@ func (provider *TestProvider) PlanResourceChange(request providers.PlanResourceC
 		resource = cty.ObjectVal(vals)
 	}
 
-	if destryFail := resource.GetAttr("destroy_fail"); !destryFail.IsKnown() || destryFail.IsNull() {
+	if destroyFail := resource.GetAttr("destroy_fail"); !destroyFail.IsKnown() || destroyFail.IsNull() {
 		vals := resource.AsValueMap()
 		vals["destroy_fail"] = cty.UnknownVal(cty.Bool)
 		resource = cty.ObjectVal(vals)
 	}
 
+	if writeOnly := resource.GetAttr("write_only"); !writeOnly.IsNull() {
+		vals := resource.AsValueMap()
+		vals["write_only"] = cty.NullVal(cty.String)
+		resource = cty.ObjectVal(vals)
+	}
+
 	return providers.PlanResourceChangeResponse{
 		PlannedState: resource,
 	}
@@ -335,6 +343,12 @@ func (provider *TestProvider) ReadDataSource(request providers.ReadDataSourceReq
 		diags = diags.Append(tfdiags.Sourceless(tfdiags.Error, "not found", fmt.Sprintf("%s does not exist", id)))
 	}
 
+	if writeOnly := resource.GetAttr("write_only"); !writeOnly.IsNull() {
+		vals := resource.AsValueMap()
+		vals["write_only"] = cty.NullVal(cty.String)
+		resource = cty.ObjectVal(vals)
+	}
+
 	return providers.ReadDataSourceResponse{
 		State:       resource,
 		Diagnostics: diags,

internal/lang/ephemeral/strip.go

@@ -0,0 +1,45 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package ephemeral
+
+import (
+	"github.com/zclconf/go-cty/cty"
+
+	"github.com/hashicorp/terraform/internal/configs/configschema"
+)
+
+// StripWriteOnlyAttributes converts all the write-only attributes in value to
+// null values.
+func StripWriteOnlyAttributes(value cty.Value, schema *configschema.Block) cty.Value {
+	// writeOnlyTransformer never returns errors, so we don't need to detect
+	// them here.
+	updated, _ := cty.TransformWithTransformer(value, &writeOnlyTransformer{
+		schema: schema,
+	})
+	return updated
+}
+
+var _ cty.Transformer = (*writeOnlyTransformer)(nil)
+
+type writeOnlyTransformer struct {
+	schema *configschema.Block
+}
+
+func (w *writeOnlyTransformer) Enter(path cty.Path, value cty.Value) (cty.Value, error) {
+	attr := w.schema.AttributeByPath(path)
+	if attr == nil {
+		return value, nil
+	}
+
+	if attr.WriteOnly {
+		value, marks := value.Unmark()
+		return cty.NullVal(value.Type()).WithMarks(marks), nil
+	}
+
+	return value, nil
+}
+
+func (w *writeOnlyTransformer) Exit(_ cty.Path, value cty.Value) (cty.Value, error) {
+	return value, nil // no changes
+}