github.com/eliastor/durgaform@v0.0.0-20220816172711-d0ab2d17673e/internal/plans/objchange/plan_valid.go (about) 1 package objchange 2 3 import ( 4 "fmt" 5 6 "github.com/zclconf/go-cty/cty" 7 8 "github.com/eliastor/durgaform/internal/configs/configschema" 9 ) 10 11 // AssertPlanValid checks checks whether a planned new state returned by a 12 // provider's PlanResourceChange method is suitable to achieve a change 13 // from priorState to config. It returns a slice with nonzero length if 14 // any problems are detected. Because problems here indicate bugs in the 15 // provider that generated the plannedState, they are written with provider 16 // developers as an audience, rather than end-users. 17 // 18 // All of the given values must have the same type and must conform to the 19 // implied type of the given schema, or this function may panic or produce 20 // garbage results. 21 // 22 // During planning, a provider may only make changes to attributes that are 23 // null (unset) in the configuration and are marked as "computed" in the 24 // resource type schema, in order to insert any default values the provider 25 // may know about. If the default value cannot be determined until apply time, 26 // the provider can return an unknown value. Providers are forbidden from 27 // planning a change that disagrees with any non-null argument in the 28 // configuration. 29 // 30 // As a special exception, providers _are_ allowed to provide attribute values 31 // conflicting with configuration if and only if the planned value exactly 32 // matches the corresponding attribute value in the prior state. The provider 33 // can use this to signal that the new value is functionally equivalent to 34 // the old and thus no change is required. 35 func AssertPlanValid(schema *configschema.Block, priorState, config, plannedState cty.Value) []error { 36 return assertPlanValid(schema, priorState, config, plannedState, nil) 37 } 38 39 func assertPlanValid(schema *configschema.Block, priorState, config, plannedState cty.Value, path cty.Path) []error { 40 var errs []error 41 if plannedState.IsNull() && !config.IsNull() { 42 errs = append(errs, path.NewErrorf("planned for absence but config wants existence")) 43 return errs 44 } 45 if config.IsNull() && !plannedState.IsNull() { 46 errs = append(errs, path.NewErrorf("planned for existence but config wants absence")) 47 return errs 48 } 49 if plannedState.IsNull() { 50 // No further checks possible if the planned value is null 51 return errs 52 } 53 54 impTy := schema.ImpliedType() 55 56 // verify attributes 57 moreErrs := assertPlannedAttrsValid(schema.Attributes, priorState, config, plannedState, path) 58 errs = append(errs, moreErrs...) 59 60 for name, blockS := range schema.BlockTypes { 61 path := append(path, cty.GetAttrStep{Name: name}) 62 plannedV := plannedState.GetAttr(name) 63 configV := config.GetAttr(name) 64 priorV := cty.NullVal(impTy.AttributeType(name)) 65 if !priorState.IsNull() { 66 priorV = priorState.GetAttr(name) 67 } 68 if plannedV.RawEquals(configV) { 69 // Easy path: nothing has changed at all 70 continue 71 } 72 73 if !configV.IsKnown() { 74 // An unknown config block represents a dynamic block where the 75 // for_each value is unknown, and therefor cannot be altered by the 76 // provider. 77 errs = append(errs, path.NewErrorf("planned value %#v for unknown dynamic block", plannedV)) 78 continue 79 } 80 81 if !plannedV.IsKnown() { 82 // Only dynamic configuration can set blocks to unknown, so this is 83 // not allowed from the provider. This means that either the config 84 // and plan should match, or we have an error where the plan 85 // changed the config value, both of which have been checked. 86 errs = append(errs, path.NewErrorf("attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead")) 87 continue 88 } 89 90 switch blockS.Nesting { 91 case configschema.NestingSingle, configschema.NestingGroup: 92 moreErrs := assertPlanValid(&blockS.Block, priorV, configV, plannedV, path) 93 errs = append(errs, moreErrs...) 94 case configschema.NestingList: 95 // A NestingList might either be a list or a tuple, depending on 96 // whether there are dynamically-typed attributes inside. However, 97 // both support a similar-enough API that we can treat them the 98 // same for our purposes here. 99 if plannedV.IsNull() { 100 errs = append(errs, path.NewErrorf("attribute representing a list of nested blocks must be empty to indicate no blocks, not null")) 101 continue 102 } 103 104 plannedL := plannedV.LengthInt() 105 configL := configV.LengthInt() 106 if plannedL != configL { 107 errs = append(errs, path.NewErrorf("block count in plan (%d) disagrees with count in config (%d)", plannedL, configL)) 108 continue 109 } 110 111 for it := plannedV.ElementIterator(); it.Next(); { 112 idx, plannedEV := it.Element() 113 path := append(path, cty.IndexStep{Key: idx}) 114 if !plannedEV.IsKnown() { 115 errs = append(errs, path.NewErrorf("element representing nested block must not be unknown itself; set nested attribute values to unknown instead")) 116 continue 117 } 118 if !configV.HasIndex(idx).True() { 119 continue // should never happen since we checked the lengths above 120 } 121 configEV := configV.Index(idx) 122 priorEV := cty.NullVal(blockS.ImpliedType()) 123 if !priorV.IsNull() && priorV.HasIndex(idx).True() { 124 priorEV = priorV.Index(idx) 125 } 126 127 moreErrs := assertPlanValid(&blockS.Block, priorEV, configEV, plannedEV, path) 128 errs = append(errs, moreErrs...) 129 } 130 case configschema.NestingMap: 131 if plannedV.IsNull() { 132 errs = append(errs, path.NewErrorf("attribute representing a map of nested blocks must be empty to indicate no blocks, not null")) 133 continue 134 } 135 136 // A NestingMap might either be a map or an object, depending on 137 // whether there are dynamically-typed attributes inside, but 138 // that's decided statically and so all values will have the same 139 // kind. 140 if plannedV.Type().IsObjectType() { 141 plannedAtys := plannedV.Type().AttributeTypes() 142 configAtys := configV.Type().AttributeTypes() 143 for k := range plannedAtys { 144 if _, ok := configAtys[k]; !ok { 145 errs = append(errs, path.NewErrorf("block key %q from plan is not present in config", k)) 146 continue 147 } 148 path := append(path, cty.GetAttrStep{Name: k}) 149 150 plannedEV := plannedV.GetAttr(k) 151 if !plannedEV.IsKnown() { 152 errs = append(errs, path.NewErrorf("element representing nested block must not be unknown itself; set nested attribute values to unknown instead")) 153 continue 154 } 155 configEV := configV.GetAttr(k) 156 priorEV := cty.NullVal(blockS.ImpliedType()) 157 if !priorV.IsNull() && priorV.Type().HasAttribute(k) { 158 priorEV = priorV.GetAttr(k) 159 } 160 moreErrs := assertPlanValid(&blockS.Block, priorEV, configEV, plannedEV, path) 161 errs = append(errs, moreErrs...) 162 } 163 for k := range configAtys { 164 if _, ok := plannedAtys[k]; !ok { 165 errs = append(errs, path.NewErrorf("block key %q from config is not present in plan", k)) 166 continue 167 } 168 } 169 } else { 170 plannedL := plannedV.LengthInt() 171 configL := configV.LengthInt() 172 if plannedL != configL { 173 errs = append(errs, path.NewErrorf("block count in plan (%d) disagrees with count in config (%d)", plannedL, configL)) 174 continue 175 } 176 for it := plannedV.ElementIterator(); it.Next(); { 177 idx, plannedEV := it.Element() 178 path := append(path, cty.IndexStep{Key: idx}) 179 if !plannedEV.IsKnown() { 180 errs = append(errs, path.NewErrorf("element representing nested block must not be unknown itself; set nested attribute values to unknown instead")) 181 continue 182 } 183 k := idx.AsString() 184 if !configV.HasIndex(idx).True() { 185 errs = append(errs, path.NewErrorf("block key %q from plan is not present in config", k)) 186 continue 187 } 188 configEV := configV.Index(idx) 189 priorEV := cty.NullVal(blockS.ImpliedType()) 190 if !priorV.IsNull() && priorV.HasIndex(idx).True() { 191 priorEV = priorV.Index(idx) 192 } 193 moreErrs := assertPlanValid(&blockS.Block, priorEV, configEV, plannedEV, path) 194 errs = append(errs, moreErrs...) 195 } 196 for it := configV.ElementIterator(); it.Next(); { 197 idx, _ := it.Element() 198 if !plannedV.HasIndex(idx).True() { 199 errs = append(errs, path.NewErrorf("block key %q from config is not present in plan", idx.AsString())) 200 continue 201 } 202 } 203 } 204 case configschema.NestingSet: 205 if plannedV.IsNull() { 206 errs = append(errs, path.NewErrorf("attribute representing a set of nested blocks must be empty to indicate no blocks, not null")) 207 continue 208 } 209 210 // Because set elements have no identifier with which to correlate 211 // them, we can't robustly validate the plan for a nested block 212 // backed by a set, and so unfortunately we need to just trust the 213 // provider to do the right thing. :( 214 // 215 // (In principle we could correlate elements by matching the 216 // subset of attributes explicitly set in config, except for the 217 // special diff suppression rule which allows for there to be a 218 // planned value that is constructed by mixing part of a prior 219 // value with part of a config value, creating an entirely new 220 // element that is not present in either prior nor config.) 221 for it := plannedV.ElementIterator(); it.Next(); { 222 idx, plannedEV := it.Element() 223 path := append(path, cty.IndexStep{Key: idx}) 224 if !plannedEV.IsKnown() { 225 errs = append(errs, path.NewErrorf("element representing nested block must not be unknown itself; set nested attribute values to unknown instead")) 226 continue 227 } 228 } 229 230 default: 231 panic(fmt.Sprintf("unsupported nesting mode %s", blockS.Nesting)) 232 } 233 } 234 235 return errs 236 } 237 238 func assertPlannedAttrsValid(schema map[string]*configschema.Attribute, priorState, config, plannedState cty.Value, path cty.Path) []error { 239 var errs []error 240 for name, attrS := range schema { 241 moreErrs := assertPlannedAttrValid(name, attrS, priorState, config, plannedState, path) 242 errs = append(errs, moreErrs...) 243 } 244 return errs 245 } 246 247 func assertPlannedAttrValid(name string, attrS *configschema.Attribute, priorState, config, plannedState cty.Value, path cty.Path) []error { 248 plannedV := plannedState.GetAttr(name) 249 configV := config.GetAttr(name) 250 priorV := cty.NullVal(attrS.Type) 251 if !priorState.IsNull() { 252 priorV = priorState.GetAttr(name) 253 } 254 path = append(path, cty.GetAttrStep{Name: name}) 255 256 return assertPlannedValueValid(attrS, priorV, configV, plannedV, path) 257 } 258 259 func assertPlannedValueValid(attrS *configschema.Attribute, priorV, configV, plannedV cty.Value, path cty.Path) []error { 260 261 var errs []error 262 if plannedV.RawEquals(configV) { 263 // This is the easy path: provider didn't change anything at all. 264 return errs 265 } 266 if plannedV.RawEquals(priorV) && !priorV.IsNull() && !configV.IsNull() { 267 // Also pretty easy: there is a prior value and the provider has 268 // returned it unchanged. This indicates that configV and plannedV 269 // are functionally equivalent and so the provider wishes to disregard 270 // the configuration value in favor of the prior. 271 return errs 272 } 273 274 switch { 275 // The provider can plan any value for a computed-only attribute. There may 276 // be a config value here in the case where a user used `ignore_changes` on 277 // a computed attribute and ignored the warning, or we failed to validate 278 // computed attributes in the config, but regardless it's not a plan error 279 // caused by the provider. 280 case attrS.Computed && !attrS.Optional: 281 return errs 282 283 // The provider is allowed to insert optional values when the config is 284 // null, but only if the attribute is computed. 285 case configV.IsNull() && attrS.Computed: 286 return errs 287 288 case configV.IsNull() && !plannedV.IsNull(): 289 // if the attribute is not computed, then any planned value is incorrect 290 if attrS.Sensitive { 291 errs = append(errs, path.NewErrorf("sensitive planned value for a non-computed attribute")) 292 } else { 293 errs = append(errs, path.NewErrorf("planned value %#v for a non-computed attribute", plannedV)) 294 } 295 return errs 296 } 297 298 // If this attribute has a NestedType, validate the nested object 299 if attrS.NestedType != nil { 300 return assertPlannedObjectValid(attrS.NestedType, priorV, configV, plannedV, path) 301 } 302 303 // If none of the above conditions match, the provider has made an invalid 304 // change to this attribute. 305 if priorV.IsNull() { 306 if attrS.Sensitive { 307 errs = append(errs, path.NewErrorf("sensitive planned value does not match config value")) 308 } else { 309 errs = append(errs, path.NewErrorf("planned value %#v does not match config value %#v", plannedV, configV)) 310 } 311 return errs 312 } 313 314 if attrS.Sensitive { 315 errs = append(errs, path.NewErrorf("sensitive planned value does not match config value nor prior value")) 316 } else { 317 errs = append(errs, path.NewErrorf("planned value %#v does not match config value %#v nor prior value %#v", plannedV, configV, priorV)) 318 } 319 320 return errs 321 } 322 323 func assertPlannedObjectValid(schema *configschema.Object, prior, config, planned cty.Value, path cty.Path) []error { 324 var errs []error 325 326 if planned.IsNull() && !config.IsNull() { 327 errs = append(errs, path.NewErrorf("planned for absence but config wants existence")) 328 return errs 329 } 330 if config.IsNull() && !planned.IsNull() { 331 errs = append(errs, path.NewErrorf("planned for existence but config wants absence")) 332 return errs 333 } 334 if planned.IsNull() { 335 // No further checks possible if the planned value is null 336 return errs 337 } 338 339 switch schema.Nesting { 340 case configschema.NestingSingle, configschema.NestingGroup: 341 moreErrs := assertPlannedAttrsValid(schema.Attributes, prior, config, planned, path) 342 errs = append(errs, moreErrs...) 343 344 case configschema.NestingList: 345 // A NestingList might either be a list or a tuple, depending on 346 // whether there are dynamically-typed attributes inside. However, 347 // both support a similar-enough API that we can treat them the 348 // same for our purposes here. 349 350 plannedL := planned.LengthInt() 351 configL := config.LengthInt() 352 if plannedL != configL { 353 errs = append(errs, path.NewErrorf("count in plan (%d) disagrees with count in config (%d)", plannedL, configL)) 354 return errs 355 } 356 for it := planned.ElementIterator(); it.Next(); { 357 idx, plannedEV := it.Element() 358 path := append(path, cty.IndexStep{Key: idx}) 359 if !config.HasIndex(idx).True() { 360 continue // should never happen since we checked the lengths above 361 } 362 configEV := config.Index(idx) 363 priorEV := cty.NullVal(schema.ImpliedType()) 364 if !prior.IsNull() && prior.HasIndex(idx).True() { 365 priorEV = prior.Index(idx) 366 } 367 368 moreErrs := assertPlannedAttrsValid(schema.Attributes, priorEV, configEV, plannedEV, path) 369 errs = append(errs, moreErrs...) 370 } 371 372 case configschema.NestingMap: 373 // A NestingMap might either be a map or an object, depending on 374 // whether there are dynamically-typed attributes inside, so we will 375 // break these down to maps to handle them both in the same manner. 376 plannedVals := map[string]cty.Value{} 377 configVals := map[string]cty.Value{} 378 priorVals := map[string]cty.Value{} 379 380 if !planned.IsNull() { 381 plannedVals = planned.AsValueMap() 382 } 383 if !config.IsNull() { 384 configVals = config.AsValueMap() 385 } 386 if !prior.IsNull() { 387 priorVals = prior.AsValueMap() 388 } 389 390 for k, plannedEV := range plannedVals { 391 configEV, ok := configVals[k] 392 if !ok { 393 errs = append(errs, path.NewErrorf("map key %q from plan is not present in config", k)) 394 continue 395 } 396 path := append(path, cty.GetAttrStep{Name: k}) 397 398 priorEV, ok := priorVals[k] 399 if !ok { 400 priorEV = cty.NullVal(schema.ImpliedType()) 401 } 402 moreErrs := assertPlannedAttrsValid(schema.Attributes, priorEV, configEV, plannedEV, path) 403 errs = append(errs, moreErrs...) 404 } 405 for k := range configVals { 406 if _, ok := plannedVals[k]; !ok { 407 errs = append(errs, path.NewErrorf("map key %q from config is not present in plan", k)) 408 continue 409 } 410 } 411 412 case configschema.NestingSet: 413 plannedL := planned.LengthInt() 414 configL := config.LengthInt() 415 if plannedL != configL { 416 errs = append(errs, path.NewErrorf("count in plan (%d) disagrees with count in config (%d)", plannedL, configL)) 417 return errs 418 } 419 // Because set elements have no identifier with which to correlate 420 // them, we can't robustly validate the plan for a nested object 421 // backed by a set, and so unfortunately we need to just trust the 422 // provider to do the right thing. 423 } 424 425 return errs 426 }