Access private state when testing resources and data sources

[marshallford]

terraform-plugin-testing version

❯ go list -m github.com/hashicorp/terraform-plugin-testing/...
github.com/hashicorp/terraform-plugin-testing v1.7.0

Use cases

Utilize and/or validate private state when testing resources or data sources.

Attempted solutions

N/A

Proposal

N/A

References

N/A

[austinvalle]

For future readers, there is an upstream blocker to exposing private state data in terraform-plugin-testing.

As of v1.7.0, the testing framework uses the terraform show -json command to retrieve plan and state data, which is then marshaled to terraform-json structs for usage in plan/state checks.

The terraform show -json command currently isn't a "passthrough" for all data in the state file and the private field has not been added to the JSON output. Before we can add support in the testing framework, the Terraform CLI will need to be updated to return this private field.

Example State

{
  "version": 4,
  "terraform_version": "1.8.0",
  "serial": 3,
  "lineage": "dd9272a9-ab86-4166-d83b-d08ba2f78f34",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "examplecloud_thing",
      "name": "test",
      "provider": "provider[\"registry.terraform.io/austinvalle/sandbox\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "cities": {
              "computed": "true",
              "season": "spring"
            },
            "id": "123",
            "name": "john"
          },
          "sensitive_attributes": [],
          "private": "eyJoZWxsbyI6ImV5SnJaWGt4SWpvZ2RISjFaWDA9In0="
        }
      ]
    }
  ],
  "check_results": null
}

State show output

 $ terraform show -json terraform.tfstate | jq

{
  "format_version": "1.0",
  "terraform_version": "1.8.0",
  "values": {
    "root_module": {
      "resources": [
        {
          "address": "examplecloud_thing.test",
          "mode": "managed",
          "type": "examplecloud_thing",
          "name": "test",
          "provider_name": "registry.terraform.io/austinvalle/sandbox",
          "schema_version": 0,
          "values": {
            "cities": {
              "computed": "true",
              "season": "spring"
            },
            "id": "123",
            "name": "john"
          },
          "sensitive_values": {
            "cities": {}
          }
        }
      ]
    }
  }
}

[marshallford]

Thank you for the info and apologies if this was already well known!

[austinvalle]

Thank you for the info and apologies if this was already well known!

No worries! We don't have this specific situation of "private field missing" documented anywhere, so thanks for opening the issue! We can use this to gauge general interest in the feature from a provider testing perspective.

An issue can be created in the main Terraform repository to ask for that support in terraform show -json. Once added over there, updating terraform-json and this testing framework will be relatively straightforward 🙂