Add write-only value nullification to ReadResource, ImportResourceState, UpgradeResourceState, and MoveResourceState RPCs

Author: SBGoods

internal/fwserver/server_createresource.go

@@ -163,7 +163,7 @@ func (s *Server) CreateResource(ctx context.Context, req *CreateResourceRequest,
 	}
 
 	// Set any write-only attributes in the state to null
-	modifiedState, err := tftypes.Transform(resp.NewState.Raw, NullifyWriteOnlyAttributes(ctx, req.ResourceSchema))
+	modifiedState, err := tftypes.Transform(resp.NewState.Raw, NullifyWriteOnlyAttributes(ctx, resp.NewState.Schema))
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error Modifying State",

internal/fwserver/server_importresourcestate.go

@@ -142,6 +142,18 @@ func (s *Server) ImportResourceState(ctx context.Context, req *ImportResourceSta
 		return
 	}
 
+	// Set any write-only attributes in the import state to null
+	modifiedState, err := tftypes.Transform(importResp.State.Raw, NullifyWriteOnlyAttributes(ctx, importResp.State.Schema))
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Modifying Import State",
+			"There was an unexpected error modifying the Import State. This is always a problem with the provider. Please report the following to the provider developer:\n\n"+err.Error(),
+		)
+		return
+	}
+
+	importResp.State.Raw = modifiedState
+
 	if importResp.State.Raw.Equal(req.EmptyState.Raw) {
 		resp.Diagnostics.AddError(
 			"Missing Resource Import State",

internal/fwserver/server_importresourcestate_test.go

@@ -33,12 +33,26 @@ func TestServerImportResourceState(t *testing.T) {
 		},
 	}
 
+	testTypeWriteOnly := tftypes.Object{
+		AttributeTypes: map[string]tftypes.Type{
+			"id":         tftypes.String,
+			"write-only": tftypes.String,
+			"required":   tftypes.String,
+		},
+	}
+
 	testEmptyStateValue := tftypes.NewValue(testType, map[string]tftypes.Value{
 		"id":       tftypes.NewValue(tftypes.String, nil),
 		"optional": tftypes.NewValue(tftypes.String, nil),
 		"required": tftypes.NewValue(tftypes.String, nil),
 	})
 
+	testEmptyStateValueWriteOnly := tftypes.NewValue(testTypeWriteOnly, map[string]tftypes.Value{
+		"id":         tftypes.NewValue(tftypes.String, nil),
+		"write-only": tftypes.NewValue(tftypes.String, nil),
+		"required":   tftypes.NewValue(tftypes.String, nil),
+	})
+
 	testUnknownStateValue := tftypes.NewValue(testType, tftypes.UnknownValue)
 
 	testStateValue := tftypes.NewValue(testType, map[string]tftypes.Value{
@@ -61,11 +75,31 @@ func TestServerImportResourceState(t *testing.T) {
 		},
 	}
 
+	testSchemaWriteOnly := schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Computed: true,
+			},
+			"write-only": schema.StringAttribute{
+				Optional:  true,
+				WriteOnly: true,
+			},
+			"required": schema.StringAttribute{
+				Required: true,
+			},
+		},
+	}
+
 	testEmptyState := &tfsdk.State{
 		Raw:    testEmptyStateValue,
 		Schema: testSchema,
 	}
 
+	testEmptyStateWriteOnly := &tfsdk.State{
+		Raw:    testEmptyStateValueWriteOnly,
+		Schema: testSchemaWriteOnly,
+	}
+
 	testUnknownState := &tfsdk.State{
 		Raw:    testUnknownStateValue,
 		Schema: testSchema,
@@ -416,6 +450,39 @@ func TestServerImportResourceState(t *testing.T) {
 				},
 			},
 		},
+		"response-importedresources-write-only-nullification": {
+			server: &fwserver.Server{
+				Provider: &testprovider.Provider{},
+			},
+			request: &fwserver.ImportResourceStateRequest{
+				EmptyState: *testEmptyStateWriteOnly,
+				ID:         "test-id",
+				Resource: &testprovider.ResourceWithImportState{
+					Resource: &testprovider.Resource{},
+					ImportStateMethod: func(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+						resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("write-only"), "write-only-val")...)
+						resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+					},
+				},
+				TypeName: "test_resource",
+			},
+			expectedResponse: &fwserver.ImportResourceStateResponse{
+				ImportedResources: []fwserver.ImportedResource{
+					{
+						State: tfsdk.State{
+							Raw: tftypes.NewValue(testTypeWriteOnly, map[string]tftypes.Value{
+								"id":         tftypes.NewValue(tftypes.String, "test-id"),
+								"write-only": tftypes.NewValue(tftypes.String, nil),
+								"required":   tftypes.NewValue(tftypes.String, nil),
+							}),
+							Schema: testSchemaWriteOnly,
+						},
+						TypeName: "test_resource",
+						Private:  testEmptyPrivate,
+					},
+				},
+			},
+		},
 	}
 
 	for name, testCase := range testCases {

internal/fwserver/server_moveresourcestate.go

@@ -205,6 +205,18 @@ func (s *Server) MoveResourceState(ctx context.Context, req *MoveResourceStateRe
 			return
 		}
 
+		// Set any write-only attributes in the move resource state to null
+		modifiedState, err := tftypes.Transform(moveStateResp.TargetState.Raw, NullifyWriteOnlyAttributes(ctx, moveStateResp.TargetState.Schema))
+		if err != nil {
+			resp.Diagnostics.AddError(
+				"Error Modifying Move Resource State",
+				"There was an unexpected error modifying the Move Resource State. This is always a problem with the provider. Please report the following to the provider developer:\n\n"+err.Error(),
+			)
+			return
+		}
+
+		moveStateResp.TargetState.Raw = modifiedState
+
 		// If the implement has set the state in any way, return the response.
 		if !moveStateResp.TargetState.Raw.Equal(tftypes.NewValue(req.TargetResourceSchema.Type().TerraformType(ctx), nil)) {
 			resp.Diagnostics = moveStateResp.Diagnostics

internal/fwserver/server_moveresourcestate_test.go

@@ -9,6 +9,8 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-go/tftypes"
+
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/internal/fwserver"
 	"github.com/hashicorp/terraform-plugin-framework/internal/privatestate"
@@ -18,7 +20,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/tfsdk"
 	"github.com/hashicorp/terraform-plugin-framework/types"
-	"github.com/hashicorp/terraform-plugin-go/tftypes"
 )
 
 func TestServerMoveResourceState(t *testing.T) {
@@ -40,6 +41,22 @@ func TestServerMoveResourceState(t *testing.T) {
 	}
 	schemaType := testSchema.Type().TerraformType(ctx)
 
+	testSchemaWriteOnly := schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Computed: true,
+			},
+			"write_only_attribute": schema.StringAttribute{
+				Optional:  true,
+				WriteOnly: true,
+			},
+			"required_attribute": schema.StringAttribute{
+				Required: true,
+			},
+		},
+	}
+	schemaTypeWriteOnly := testSchemaWriteOnly.Type().TerraformType(ctx)
+
 	testCases := map[string]struct {
 		server           *fwserver.Server
 		request          *fwserver.MoveResourceStateRequest
@@ -757,6 +774,44 @@ func TestServerMoveResourceState(t *testing.T) {
 				},
 			},
 		},
+		"response-TargetState-write-only-nullification": {
+			server: &fwserver.Server{
+				Provider: &testprovider.Provider{},
+			},
+			request: &fwserver.MoveResourceStateRequest{
+				SourceRawState: testNewRawState(t, map[string]interface{}{
+					"id":                   "test-id-value",
+					"write_only_attribute": nil,
+					"required_attribute":   true,
+				}),
+				TargetResource: &testprovider.ResourceWithMoveState{
+					MoveStateMethod: func(ctx context.Context) []resource.StateMover {
+						return []resource.StateMover{
+							{
+								StateMover: func(_ context.Context, req resource.MoveStateRequest, resp *resource.MoveStateResponse) {
+									resp.Diagnostics.Append(resp.TargetState.SetAttribute(ctx, path.Root("id"), "test-id-value")...)
+									resp.Diagnostics.Append(resp.TargetState.SetAttribute(ctx, path.Root("write_only_attribute"), "movestate-val")...)
+									resp.Diagnostics.Append(resp.TargetState.SetAttribute(ctx, path.Root("required_attribute"), "true")...)
+								},
+							},
+						}
+					},
+				},
+				TargetResourceSchema: testSchemaWriteOnly,
+				TargetTypeName:       "test_resource",
+			},
+			expectedResponse: &fwserver.MoveResourceStateResponse{
+				TargetPrivate: privatestate.EmptyData(ctx),
+				TargetState: &tfsdk.State{
+					Raw: tftypes.NewValue(schemaTypeWriteOnly, map[string]tftypes.Value{
+						"id":                   tftypes.NewValue(tftypes.String, "test-id-value"),
+						"write_only_attribute": tftypes.NewValue(tftypes.String, nil),
+						"required_attribute":   tftypes.NewValue(tftypes.String, "true"),
+					}),
+					Schema: testSchemaWriteOnly,
+				},
+			},
+		},
 	}
 
 	for name, testCase := range testCases {

internal/fwserver/server_planresourcechange.go

@@ -341,7 +341,7 @@ func (s *Server) PlanResourceChange(ctx context.Context, req *PlanResourceChange
 	}
 
 	// Set any write-only attributes in the plan to null
-	modifiedPlan, err := tftypes.Transform(resp.PlannedState.Raw, NullifyWriteOnlyAttributes(ctx, req.ResourceSchema))
+	modifiedPlan, err := tftypes.Transform(resp.PlannedState.Raw, NullifyWriteOnlyAttributes(ctx, resp.PlannedState.Schema))
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error Modifying Planned State",

internal/fwserver/server_readresource.go

@@ -6,6 +6,8 @@ package fwserver
 import (
 	"context"
 
+	"github.com/hashicorp/terraform-plugin-go/tftypes"
+
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/internal/fwschemadata"
 	"github.com/hashicorp/terraform-plugin-framework/internal/logging"
@@ -157,11 +159,21 @@ func (s *Server) ReadResource(ctx context.Context, req *ReadResourceRequest, res
 		return
 	}
 
-	if semanticEqualityResp.NewData.TerraformValue.Equal(resp.NewState.Raw) {
-		return
+	if !semanticEqualityResp.NewData.TerraformValue.Equal(resp.NewState.Raw) {
+		logging.FrameworkDebug(ctx, "State updated due to semantic equality")
+
+		resp.NewState.Raw = semanticEqualityResp.NewData.TerraformValue
 	}
 
-	logging.FrameworkDebug(ctx, "State updated due to semantic equality")
+	// Set any write-only attributes in the state to null
+	modifiedState, err := tftypes.Transform(resp.NewState.Raw, NullifyWriteOnlyAttributes(ctx, resp.NewState.Schema))
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error Modifying State",
+			"There was an unexpected error modifying the NewState. This is always a problem with the provider. Please report the following to the provider developer:\n\n"+err.Error(),
+		)
+		return
+	}
 
-	resp.NewState.Raw = semanticEqualityResp.NewData.TerraformValue
+	resp.NewState.Raw = modifiedState
 }

internal/fwserver/server_readresource_test.go

@@ -34,11 +34,23 @@ func TestServerReadResource(t *testing.T) {
 		},
 	}
 
+	testTypeWriteOnly := tftypes.Object{
+		AttributeTypes: map[string]tftypes.Type{
+			"test_write_only": tftypes.String,
+			"test_required":   tftypes.String,
+		},
+	}
+
 	testCurrentStateValue := tftypes.NewValue(testType, map[string]tftypes.Value{
 		"test_computed": tftypes.NewValue(tftypes.String, nil),
 		"test_required": tftypes.NewValue(tftypes.String, "test-currentstate-value"),
 	})
 
+	testCurrentStateValueWriteOnly := tftypes.NewValue(testTypeWriteOnly, map[string]tftypes.Value{
+		"test_write_only": tftypes.NewValue(tftypes.String, nil),
+		"test_required":   tftypes.NewValue(tftypes.String, "test-currentstate-value"),
+	})
+
 	testNewStateValue := tftypes.NewValue(testType, map[string]tftypes.Value{
 		"test_computed": tftypes.NewValue(tftypes.String, "test-newstate-value"),
 		"test_required": tftypes.NewValue(tftypes.String, "test-currentstate-value"),
@@ -55,6 +67,18 @@ func TestServerReadResource(t *testing.T) {
 		},
 	}
 
+	testSchemaWriteOnly := schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"test_write_only": schema.StringAttribute{
+				Optional:  true,
+				WriteOnly: true,
+			},
+			"test_required": schema.StringAttribute{
+				Required: true,
+			},
+		},
+	}
+
 	testSchemaWithSemanticEquals := schema.Schema{
 		Attributes: map[string]schema.Attribute{
 			"test_computed": schema.StringAttribute{
@@ -97,6 +121,11 @@ func TestServerReadResource(t *testing.T) {
 		Schema: testSchema,
 	}
 
+	testCurrentStateWriteOnly := &tfsdk.State{
+		Raw:    testCurrentStateValueWriteOnly,
+		Schema: testSchemaWriteOnly,
+	}
+
 	testNewState := &tfsdk.State{
 		Raw:    testNewStateValue,
 		Schema: testSchema,
@@ -562,6 +591,38 @@ func TestServerReadResource(t *testing.T) {
 				Private: testEmptyPrivate,
 			},
 		},
+		"response-state-write-only-nullification": {
+			server: &fwserver.Server{
+				Provider: &testprovider.Provider{},
+			},
+			request: &fwserver.ReadResourceRequest{
+				CurrentState: testCurrentStateWriteOnly,
+				Resource: &testprovider.Resource{
+					ReadMethod: func(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+						var data struct {
+							TestWriteOnly types.String `tfsdk:"test_write_only"`
+							TestRequired  types.String `tfsdk:"test_required"`
+						}
+
+						resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+
+						data.TestWriteOnly = types.StringValue("test-write-only-value")
+
+						resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+					},
+				},
+			},
+			expectedResponse: &fwserver.ReadResourceResponse{
+				NewState: &tfsdk.State{
+					Raw: tftypes.NewValue(testTypeWriteOnly, map[string]tftypes.Value{
+						"test_write_only": tftypes.NewValue(tftypes.String, nil),
+						"test_required":   tftypes.NewValue(tftypes.String, "test-currentstate-value"),
+					}),
+					Schema: testSchemaWriteOnly,
+				},
+				Private: testEmptyPrivate,
+			},
+		},
 		"response-private": {
 			server: &fwserver.Server{
 				Provider: &testprovider.Provider{},

internal/fwserver/server_updateresource.go

@@ -176,7 +176,7 @@ func (s *Server) UpdateResource(ctx context.Context, req *UpdateResourceRequest,
 	}
 
 	// Set any write-only attributes in the state to null
-	modifiedState, err := tftypes.Transform(resp.NewState.Raw, NullifyWriteOnlyAttributes(ctx, req.ResourceSchema))
+	modifiedState, err := tftypes.Transform(resp.NewState.Raw, NullifyWriteOnlyAttributes(ctx, resp.NewState.Schema))
 	if err != nil {
 		resp.Diagnostics.AddError(
 			"Error Modifying State",