chore: Add a functional test for nested sensitives in the framework (#3886)

Add a functional test proving that nested sensitive are properly
protected by the framework.

Author: sfc-gh-jmichalak

MIGRATION_GUIDE.md

@@ -393,7 +393,7 @@ Planning failed. Terraform encountered an error while generating this plan.
 
 Some fields, like secure function definitions, can also contain sensitive values. However, because of [SDK v2](https://developer.hashicorp.com/terraform/plugin/sdkv2) limitations:
 - There is no possibility to mark sensitive values conditionally ([reference](https://github.com/hashicorp/terraform-plugin-sdk/issues/736)). This means it is not possible to mark sensitive values based on other fields, like marking `body` based on the value of `secure` field in views, functions, and procedures. As a result, this field is not marked as sensitive. For such cases, we add disclaimers in the resource documentation.
-- There is no possibility to mark sensitive values in nested fields ([reference](https://github.com/hashicorp/terraform-plugin-sdk/issues/201)). This means the nested fields, like these in `show_output` and `describe_output` cannot be sensitive. fields, like in `show_output` and `describe_output`, cannot be marked as sensitive.
+- There is no possibility to mark sensitive values in nested fields ([reference](https://github.com/hashicorp/terraform-plugin-sdk/issues/201)). This means the nested fields, like these in `show_output` and `describe_output` cannot be marked as sensitive.
 
 Instead, we added notes in the documentation of the related resources. The full list includes:
 - `snowflake_execute` resource: `execute`, `revert`, `query` and `query_results` fields,

pkg/testfunctional/3_plugin_framework_functional_tests_provider_test.go

@@ -78,6 +78,7 @@ func (p *pluginFrameworkFunctionalTestsProvider) Resources(_ context.Context) []
 		testfunctional.NewParameterHandlingPrivateResource,
 		testfunctional.NewEnumHandlingResource,
 		testfunctional.NewOptionalComputedResource,
+		testfunctional.NewNestedSensitiveResource,
 	}
 }
 

pkg/testfunctional/test_resource_plugin_framework_nested_sensitive.go

@@ -0,0 +1,90 @@
+package testfunctional
+
+import (
+	"context"
+
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+func NewNestedSensitiveResource() resource.Resource {
+	return &NestedSensitiveResource{}
+}
+
+type NestedSensitiveResource struct{}
+
+type nestedSensitiveResourceModelV0 struct {
+	Name   types.String `tfsdk:"name"`
+	Id     types.String `tfsdk:"id"`
+	Output types.List   `tfsdk:"output"`
+}
+
+func (r *NestedSensitiveResource) Metadata(_ context.Context, request resource.MetadataRequest, response *resource.MetadataResponse) {
+	response.TypeName = request.ProviderTypeName + "_nested_sensitive"
+}
+
+func (r *NestedSensitiveResource) Schema(_ context.Context, _ resource.SchemaRequest, response *resource.SchemaResponse) {
+	response.Schema = schema.Schema{
+		Version: 0,
+		Attributes: map[string]schema.Attribute{
+			"name": schema.StringAttribute{
+				Description: "Name for this example resource.",
+				Required:    true,
+			},
+			"id": schema.StringAttribute{
+				Computed:    true,
+				Description: "Identifier for this example resource.",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"output": schema.ListNestedAttribute{
+				NestedObject: schema.NestedAttributeObject{
+					Attributes: map[string]schema.Attribute{
+						"string_sensitive": schema.StringAttribute{
+							Computed:  true,
+							Sensitive: true,
+						},
+					},
+				},
+				Computed: true,
+			},
+		},
+	}
+}
+
+func (r *NestedSensitiveResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
+	var data *nestedSensitiveResourceModelV0
+	response.Diagnostics.Append(request.Plan.Get(ctx, &data)...)
+
+	name := data.Name.ValueString()
+	id := sdk.NewAccountObjectIdentifier(name)
+	data.Id = types.StringValue(id.FullyQualifiedName())
+	var diags diag.Diagnostics
+	data.Output, diags = types.ListValueFrom(ctx, types.ObjectType{AttrTypes: map[string]attr.Type{"string_sensitive": types.StringType}}, []attr.Value{
+		types.ObjectValueMust(map[string]attr.Type{"string_sensitive": types.StringType}, map[string]attr.Value{
+			"string_sensitive": types.StringValue("SECRET"),
+		}),
+	})
+	response.Diagnostics.Append(diags...)
+
+	if response.Diagnostics.HasError() {
+		return
+	}
+	response.Diagnostics.Append(response.State.Set(ctx, &data)...)
+}
+
+func (r *NestedSensitiveResource) Read(_ context.Context, _ resource.ReadRequest, _ *resource.ReadResponse) {
+}
+
+func (r *NestedSensitiveResource) Update(_ context.Context, _ resource.UpdateRequest, _ *resource.UpdateResponse) {
+}
+
+func (r *NestedSensitiveResource) Delete(_ context.Context, _ resource.DeleteRequest, _ *resource.DeleteResponse) {
+}

pkg/testfunctional/test_resource_plugin_framework_nested_sensitive_acceptance_test.go

@@ -0,0 +1,95 @@
+package testfunctional_test
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
+)
+
+// This test proves that in the framework, sensitive attributes are not exposed by default in the output.
+// They can be accessed in the output block, but it must be properly marked.
+func TestAcc_TerraformPluginFrameworkFunctional_NestedSensitive(t *testing.T) {
+	id := sdk.NewAccountObjectIdentifier("abc")
+	resourceType := fmt.Sprintf("%s_nested_sensitive", PluginFrameworkFunctionalTestsProviderName)
+	resourceReference := fmt.Sprintf("%s.test", resourceType)
+
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: providerForPluginFrameworkFunctionalTestsFactories,
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.RequireAbove(tfversion.Version1_5_0),
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: nestedSensitiveConfig(id, resourceType),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceReference, "id", id.FullyQualifiedName()),
+					resource.TestCheckResourceAttr(resourceReference, "output.0.string_sensitive", "SECRET"),
+				),
+				ExpectError: regexp.MustCompile("Output refers to sensitive values"),
+			},
+			{
+				Config: nestedSensitiveConfigWholeOutput(id, resourceType),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceReference, "id", id.FullyQualifiedName()),
+					resource.TestCheckResourceAttr(resourceReference, "output.0.string_sensitive", "SECRET"),
+				),
+				ExpectError: regexp.MustCompile("Output refers to sensitive values"),
+			},
+			{
+				Config: nestedSensitiveConfigMarked(id, resourceType),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectSensitiveValue(resourceReference, tfjsonpath.New("output").AtSliceIndex(0).AtMapKey("string_sensitive")),
+						plancheck.ExpectKnownOutputValue("nested_sensitive", knownvalue.StringExact("SECRET")),
+					},
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceReference, "id", id.FullyQualifiedName()),
+					resource.TestCheckResourceAttr(resourceReference, "output.0.string_sensitive", "SECRET"),
+				),
+			},
+		},
+	})
+}
+
+func nestedSensitiveConfig(id sdk.AccountObjectIdentifier, resourceType string) string {
+	return nestedSensitiveResourceConfig(id, resourceType) + fmt.Sprintf(`
+output "nested_sensitive" {
+  value = resource.%s.test.output[0].string_sensitive
+}
+`, resourceType)
+}
+
+func nestedSensitiveConfigWholeOutput(id sdk.AccountObjectIdentifier, resourceType string) string {
+	return nestedSensitiveResourceConfig(id, resourceType) + fmt.Sprintf(`
+output "nested_sensitive" {
+  value = resource.%s.test.output[0]
+}
+`, resourceType)
+}
+
+func nestedSensitiveConfigMarked(id sdk.AccountObjectIdentifier, resourceType string) string {
+	return nestedSensitiveResourceConfig(id, resourceType) + fmt.Sprintf(`
+output "nested_sensitive" {
+  value = resource.%s.test.output[0].string_sensitive
+  sensitive = true
+}
+`, resourceType)
+}
+
+func nestedSensitiveResourceConfig(id sdk.AccountObjectIdentifier, resourceType string) string {
+	return fmt.Sprintf(`
+resource "%[2]s" "test" {
+  provider = "%[3]s"
+
+  name = "%[1]s"
+}
+`, id.Name(), resourceType, PluginFrameworkFunctionalTestsProviderName)
+}