Add block_types support in terraform resource schema

changelogs/fragments/35-add-block_types-support-in-terraform-resource-schema.yml

@@ -0,0 +1,2 @@
+major_changes:
+  - add support to read and sanitize `block_types` inside terraform provider schema (https://github.com/ansible-collections/cloud.terraform/pull/35). 

plugins/module_utils/models.py

@@ -136,11 +136,28 @@ def from_json(cls, json: TJsonObject) -> "TerraformAttributeSpec":
         )
 
 
+@dataclass
+class TerraformBlockTypeSpec:
+    attributes: Dict[str, TerraformAttributeSpec]
+    nesting_mode: Union[str, List[str]]
+
+    @classmethod
+    def from_json(cls, json: TJsonObject) -> "TerraformBlockTypeSpec":
+        return cls(
+            attributes={
+                attr_name: TerraformAttributeSpec.from_json(attr_value)
+                for attr_name, attr_value in json.get("block", {}).get("attributes", {}).items()
+            },
+            nesting_mode=json["nesting_mode"],
+        )
+
+
 @dataclass
 class TerraformResourceSchema:
     version: int
     # this de-nests the "block" subelement
     attributes: Dict[str, TerraformAttributeSpec]
+    block_types: Dict[str, TerraformBlockTypeSpec]
 
     @classmethod
     def from_json(cls, json: TJsonObject) -> "TerraformResourceSchema":
@@ -150,6 +167,10 @@ def from_json(cls, json: TJsonObject) -> "TerraformResourceSchema":
                 attr_name: TerraformAttributeSpec.from_json(attr_value)
                 for attr_name, attr_value in json.get("block", {}).get("attributes", {}).items()
             },
+            block_types={
+                block_name: TerraformBlockTypeSpec.from_json(block_value)
+                for block_name, block_value in json.get("block", {}).get("block_types", {}).items()
+            },
         )
 
 

plugins/module_utils/terraform_commands.py

@@ -240,6 +240,7 @@ def workspace_list(self) -> TerraformWorkspaceContext:
                 continue
             elif stripped_item.startswith("* "):
                 current_workspace = stripped_item.replace("* ", "")
+                all_workspaces.append(current_workspace)
             else:
                 all_workspaces.append(stripped_item)
         return TerraformWorkspaceContext(current=current_workspace, all=all_workspaces)

plugins/modules/terraform.py

@@ -293,10 +293,7 @@
 from ansible.module_utils.six import integer_types
 from ansible.module_utils.basic import AnsibleModule
 
-from ansible_collections.cloud.terraform.plugins.module_utils.types import (
-    AnyJsonType,
-    TJsonBareValue,
-)
+from ansible_collections.cloud.terraform.plugins.module_utils.types import AnyJsonType, TJsonBareValue
 from ansible_collections.cloud.terraform.plugins.module_utils.models import (
     TerraformWorkspaceContext,
     TerraformShow,
@@ -324,6 +321,21 @@ def is_attribute_sensitive_in_providers_schema(
             if resource_schema_name == resource.type:
                 sensitive = resource_schema.attributes[attribute].sensitive
                 return sensitive
+
+    return False
+
+
+def is_blocktype_sensitive_in_providers_schema(
+    schemas: TerraformProviderSchemaCollection, resource: TerraformRootModuleResource, blocktype: str, subattribute: str
+) -> bool:
+    for provider_schema in schemas.provider_schemas:
+        resource_schemas = schemas.provider_schemas[provider_schema].resource_schemas
+        for resource_schema_name, resource_schema in resource_schemas.items():
+            if resource_schema_name == resource.type:
+                for block_type in resource_schema.block_types:
+                    if blocktype == block_type:
+                        sensitive = resource_schema.block_types[blocktype].attributes[subattribute].sensitive
+                        return sensitive
     return False
 
 
@@ -332,18 +344,37 @@ def is_attribute_in_sensitive_values(resource: TerraformRootModuleResource, attr
 
 
 def filter_resource_attributes(
-    state_contents: TerraformShow, provider_schemas: TerraformProviderSchemaCollection
+    state_contents: TerraformShow, provider_schemas_collection: TerraformProviderSchemaCollection
 ) -> TerraformShow:
     # using .get() in case there is no existing .tfstate before apply
+
+    # Aggregate all block types
+    block_types = set()
+    for provider_schema in provider_schemas_collection.provider_schemas:
+        resource_schemas = provider_schemas_collection.provider_schemas[provider_schema].resource_schemas
+        for resource_schema_name, resource_schema in resource_schemas.items():
+            for block_type in resource_schema.block_types:
+                block_types.add(block_type)
+
     for resource in state_contents.values.root_module.resources:
-        attributes_to_remove = []
-        for attribute in resource.values:
-            if is_attribute_sensitive_in_providers_schema(
-                provider_schemas, resource, attribute
-            ) or is_attribute_in_sensitive_values(resource, attribute):
-                attributes_to_remove.append(attribute)
-        for attribute in attributes_to_remove:
-            resource.values[attribute] = None
+        for attr_name, attr_values in resource.values.items():
+            # Distringuish between attributes and block_types
+            if attr_name in block_types:
+                # If attribute is not sensitive, check for its sensitive subattributes
+                if is_attribute_in_sensitive_values(resource, attr_name):
+                    resource.values[attr_name] = None
+                else:
+                    for attr_values in resource.values[attr_name]:
+                        for subattr_name in attr_values:
+                            if is_blocktype_sensitive_in_providers_schema(
+                                provider_schemas_collection, resource, attr_name, subattr_name
+                            ):
+                                resource.values[attr_name][subattr_name] = None
+            else:
+                if is_attribute_sensitive_in_providers_schema(
+                    provider_schemas_collection, resource, attr_name
+                ) or is_attribute_in_sensitive_values(resource, attr_name):
+                    resource.values[attr_name] = None
     return state_contents
 
 
@@ -360,10 +391,7 @@ def filter_outputs(state_contents: TerraformShow) -> TerraformShow:
     return state_contents
 
 
-def sanitize_state(
-    show_state: TerraformShow,
-    provider_schemas: TerraformProviderSchemaCollection,
-) -> TerraformShow:
+def sanitize_state(show_state: TerraformShow, provider_schemas: TerraformProviderSchemaCollection) -> TerraformShow:
     show_state = filter_resource_attributes(show_state, provider_schemas)
     show_state = filter_outputs(show_state)
     return show_state
@@ -487,11 +515,7 @@ def main() -> None:
     if force_init:
         if overwrite_init or not os.path.isfile(os.path.join(project_path, ".terraform", "terraform.tfstate")):
             terraform.init(
-                backend_config or {},
-                backend_config_files or [],
-                init_reconfigure,
-                provider_upgrade,
-                plugin_paths or [],
+                backend_config or {}, backend_config_files or [], init_reconfigure, provider_upgrade, plugin_paths or []
             )
 
     try:

tests/unit/plugins/modules/test_terraform.py

@@ -163,6 +163,7 @@ def provider_schemas():
                             "description": "Generates a local file with the given content.",
                             "description_kind": "plain",
                         },
+                        block_types={},
                     ),
                     "local_sensitive_file": TerraformResourceSchema(
                         version=0,
@@ -240,9 +241,10 @@ def provider_schemas():
                             "description": "Generates a local file with the given sensitive content.",
                             "description_kind": "plain",
                         },
+                        block_types={},
                     ),
-                },
-            ),
+                }
+            )
         },
     )