Send a list of paths that should be redacted to the policy runtime (#38600)

Author: dsa0x

internal/command/apply_policy_test.go

@@ -307,7 +307,7 @@ func TestApply_WithPlanPolicyDiagnosticsJSON(t *testing.T) {
 
 	policyClient.EvaluateFn = func(ctx context.Context, er policy.EvaluationRequest[*proto.PolicyEvaluateResourceRequest_ResourceMetadata]) policy.EvaluationResponse {
 		// This is what is returned during the post-plan policy evaluation
-		if !er.Attrs.GetAttr("id").IsWhollyKnown() {
+		if !er.Attrs.Raw.GetAttr("id").IsWhollyKnown() {
 			return evalRespFn(proto.EvaluateResult_DENY_EVALUATE_RESULT)
 		}
 

internal/command/init_policy_test.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/cli"
+	"github.com/zclconf/go-cty/cty"
 	"google.golang.org/protobuf/testing/protocmp"
 
 	"github.com/hashicorp/terraform/internal/policy"
@@ -510,7 +511,7 @@ func TestInit_WithProviderPolicy(t *testing.T) {
 				Version:   "1.0.0",
 			}
 		}
-		if diff := cmp.Diff(expected, req.Meta, protocmp.Transform()); diff != "" {
+		if diff := cmp.Diff(expected, req.Meta, protocmp.Transform(), cmp.Comparer(cty.Value.RawEquals)); diff != "" {
 			t.Fatalf("wrong provider metadata\ngot:  %s\nwant: %v", diff, expected)
 		}
 

internal/command/meta_policy.go

@@ -138,7 +138,7 @@ func (h *policyModuleInstallHook) ModuleSourceResolved(ctx context.Context, req
 	result := h.client.EvaluateModule(ctx, policy.EvaluationRequest[*proto.PolicyEvaluateModuleRequest_ModuleMetadata]{
 		// Configuration attributes may not be available during init, so we will send an unknown
 		// dynamic value to the policy client.
-		Attrs:  cty.DynamicVal,
+		Attrs:  policy.PolicyValue{Raw: cty.DynamicVal},
 		Target: req.SourceAddr.String(),
 		Meta: &proto.PolicyEvaluateModuleRequest_ModuleMetadata{
 			Address: moduleAddr,
@@ -201,7 +201,7 @@ func (p *providerPolicyHook) ProviderVersionSelected(ctx context.Context, provid
 
 		// Configuration attributes may not be available during init, so we will send an unknown
 		// dynamic value to the policy client.
-		Attrs: cty.DynamicVal,
+		Attrs: policy.PolicyValue{Raw: cty.DynamicVal},
 		Meta: &proto.PolicyEvaluateProviderRequest_ProviderMetadata{
 			Name:      provider.Type,
 			Namespace: provider.Namespace,

internal/policy/client.go

@@ -14,7 +14,6 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
 	"github.com/zclconf/go-cty/cty"
-	"github.com/zclconf/go-cty/cty/msgpack"
 	"google.golang.org/grpc"
 
 	"github.com/hashicorp/terraform/internal/policy/callback"
@@ -163,7 +162,7 @@ func (c *client) EvaluateResource(ctx context.Context, req EvaluationRequest[*pr
 
 	req = normalizeRequest(req)
 
-	attrsBytes, err := msgpack.Marshal(req.Attrs, cty.DynamicPseudoType)
+	attrs, err := resourceAttributesToProto(req.Attrs)
 	if err != nil {
 		return ErrorEvalFromDiags(append(diags, &proto.Diagnostic{
 			Severity: proto.Severity_ERROR,
@@ -172,7 +171,7 @@ func (c *client) EvaluateResource(ctx context.Context, req EvaluationRequest[*pr
 		}))
 	}
 
-	priorAttrsBytes, err := msgpack.Marshal(req.PriorAttrs, cty.DynamicPseudoType)
+	priorAttrs, err := resourceAttributesToProto(req.PriorAttrs)
 	if err != nil {
 		return ErrorEvalFromDiags(append(diags, &proto.Diagnostic{
 			Severity: proto.Severity_ERROR,
@@ -185,9 +184,9 @@ func (c *client) EvaluateResource(ctx context.Context, req EvaluationRequest[*pr
 	request := &proto.PolicyEvaluateResourceRequest{
 		EvaluationId: evalID,
 		Resource:     req.Target,
-		Attrs:        attrsBytes,
+		Attrs:        attrs,
+		PriorAttrs:   priorAttrs,
 		Metadata:     req.Meta,
-		PriorAttrs:   priorAttrsBytes,
 	}
 
 	// Register the callback functions with the callback service, so that they are available
@@ -214,7 +213,7 @@ func (c *client) EvaluateProvider(ctx context.Context, req EvaluationRequest[*pr
 	var diags []*proto.Diagnostic
 	req = normalizeRequest(req)
 
-	attrsBytes, err := msgpack.Marshal(req.Attrs, cty.DynamicPseudoType)
+	attrs, err := resourceAttributesToProto(req.Attrs)
 	if err != nil {
 		return ErrorEvalFromDiags(append(diags, &proto.Diagnostic{
 			Severity: proto.Severity_ERROR,
@@ -225,7 +224,7 @@ func (c *client) EvaluateProvider(ctx context.Context, req EvaluationRequest[*pr
 
 	request := &proto.PolicyEvaluateProviderRequest{
 		ProviderType: req.Target,
-		Attrs:        attrsBytes,
+		Attrs:        attrs,
 		Metadata:     req.Meta,
 	}
 
@@ -247,8 +246,18 @@ func (c *client) EvaluateModule(ctx context.Context, req EvaluationRequest[*prot
 
 	req = normalizeRequest(req)
 
+	attrs, err := resourceAttributesToProto(req.Attrs)
+	if err != nil {
+		return ErrorEvalFromDiags(append(diags, &proto.Diagnostic{
+			Severity: proto.Severity_ERROR,
+			Summary:  "Failed to serialize attributes",
+			Detail:   fmt.Sprintf("Failed to serialize attributes: %v.", err),
+		}))
+	}
+
 	request := &proto.PolicyEvaluateModuleRequest{
 		ModuleSource: req.Target,
+		Attrs:        attrs,
 		Metadata:     req.Meta,
 	}
 
@@ -275,11 +284,11 @@ func (c *client) Stop() {
 func normalizeRequest[T any](req EvaluationRequest[T]) EvaluationRequest[T] {
 	attrs := req.Attrs
 	priorAttrs := req.PriorAttrs
-	if attrs == cty.NilVal {
-		attrs = cty.EmptyObjectVal
+	if attrs.Raw == cty.NilVal {
+		attrs.Raw = cty.EmptyObjectVal
 	}
-	if priorAttrs == cty.NilVal {
-		priorAttrs = cty.EmptyObjectVal
+	if priorAttrs.Raw == cty.NilVal {
+		priorAttrs.Raw = cty.EmptyObjectVal
 	}
 
 	return EvaluationRequest[T]{

internal/policy/client_test.go

@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/terraform/internal/tfdiags"
 	"github.com/zclconf/go-cty/cty"
 	"google.golang.org/grpc"
+	gproto "google.golang.org/protobuf/proto"
 
 	"github.com/hashicorp/terraform/internal/policy/callback"
 	"github.com/hashicorp/terraform/internal/policy/proto"
@@ -42,8 +43,8 @@ func TestClientEvaluate(t *testing.T) {
 
 	tests := []struct {
 		name       string
-		attrs      cty.Value
-		priorAttrs cty.Value
+		attrs      PolicyValue
+		priorAttrs PolicyValue
 
 		// an optional function to override the default evaluateResourceFn
 		evaluateResourceFn func(*proto.PolicyEvaluateResourceRequest) (*proto.PolicyEvaluateResourceResponse, error)
@@ -53,8 +54,8 @@ func TestClientEvaluate(t *testing.T) {
 	}{
 		{
 			name:       "nil attrs and prior attrs",
-			attrs:      cty.NilVal,
-			priorAttrs: cty.NilVal,
+			attrs:      PolicyValue{Raw: cty.NilVal},
+			priorAttrs: PolicyValue{Raw: cty.NilVal},
 			assertResponse: func(t *testing.T, registry *callback.MockRegistry, req *proto.PolicyEvaluateResourceRequest, resp EvaluationResponse) {
 				t.Helper()
 				if resp.Overall != AllowResult {
@@ -69,9 +70,14 @@ func TestClientEvaluate(t *testing.T) {
 			},
 		},
 		{
-			name:       "non-nil attrs and prior attrs",
-			attrs:      cty.ObjectVal(map[string]cty.Value{"name": cty.StringVal("test")}),
-			priorAttrs: cty.ObjectVal(map[string]cty.Value{"name": cty.StringVal("prior")}),
+			name: "non-nil attrs and prior attrs",
+			attrs: PolicyValue{
+				Raw:           cty.ObjectVal(map[string]cty.Value{"name": cty.StringVal("test")}),
+				RedactedPaths: []cty.Path{cty.GetAttrPath("secret")},
+			},
+			priorAttrs: PolicyValue{
+				Raw: cty.ObjectVal(map[string]cty.Value{"name": cty.StringVal("prior")}),
+			},
 			assertResponse: func(t *testing.T, registry *callback.MockRegistry, req *proto.PolicyEvaluateResourceRequest, resp EvaluationResponse) {
 				t.Helper()
 				if resp.Overall != AllowResult {
@@ -80,12 +86,19 @@ func TestClientEvaluate(t *testing.T) {
 				if len(resp.Diagnostics) != 0 {
 					t.Fatalf("unexpected diagnostics: %#v", resp.Diagnostics)
 				}
+
+				want := &proto.AttributePath{Steps: []*proto.AttributePath_Step{{
+					Selector: &proto.AttributePath_Step_AttributeName{AttributeName: "secret"},
+				}}}
+				if len(req.Attrs.RedactedPaths) != 1 || !gproto.Equal(req.Attrs.RedactedPaths[0], want) {
+					t.Fatalf("unexpected redacted paths: %#v", req.Attrs.RedactedPaths)
+				}
 			},
 		},
 		{
 			name:       "transforms diagnostics from response",
-			attrs:      cty.NilVal,
-			priorAttrs: cty.NilVal,
+			attrs:      PolicyValue{Raw: cty.NilVal},
+			priorAttrs: PolicyValue{Raw: cty.NilVal},
 			evaluateResourceFn: func(req *proto.PolicyEvaluateResourceRequest) (*proto.PolicyEvaluateResourceResponse, error) {
 				return &proto.PolicyEvaluateResourceResponse{
 					Result: proto.EvaluateResult_DENY_EVALUATE_RESULT,
@@ -204,13 +217,13 @@ func TestClientEvaluateProvider(t *testing.T) {
 
 	tests := []struct {
 		name               string
-		attrs              cty.Value
+		attrs              PolicyValue
 		evaluateProviderFn func(*proto.PolicyEvaluateProviderRequest) (*proto.PolicyEvaluateProviderResponse, error)
 		assertResponse     func(*testing.T, EvaluationResponse)
 	}{
 		{
 			name:  "nil attrs",
-			attrs: cty.NilVal,
+			attrs: PolicyValue{Raw: cty.NilVal},
 			assertResponse: func(t *testing.T, resp EvaluationResponse) {
 				t.Helper()
 				if resp.Overall != AllowResult {
@@ -223,7 +236,7 @@ func TestClientEvaluateProvider(t *testing.T) {
 		},
 		{
 			name:  "unknown attrs",
-			attrs: cty.UnknownVal(cty.EmptyObject),
+			attrs: PolicyValue{Raw: cty.UnknownVal(cty.EmptyObject)},
 			assertResponse: func(t *testing.T, resp EvaluationResponse) {
 				t.Helper()
 				if resp.Overall != AllowResult {
@@ -236,7 +249,7 @@ func TestClientEvaluateProvider(t *testing.T) {
 		},
 		{
 			name:  "non-nil attrs",
-			attrs: cty.ObjectVal(map[string]cty.Value{"name": cty.StringVal("test")}),
+			attrs: PolicyValue{Raw: cty.ObjectVal(map[string]cty.Value{"name": cty.StringVal("test")})},
 			assertResponse: func(t *testing.T, resp EvaluationResponse) {
 				t.Helper()
 				if resp.Overall != AllowResult {
@@ -249,7 +262,7 @@ func TestClientEvaluateProvider(t *testing.T) {
 		},
 		{
 			name:  "transforms diagnostics from response",
-			attrs: cty.NilVal,
+			attrs: PolicyValue{Raw: cty.NilVal},
 			evaluateProviderFn: func(req *proto.PolicyEvaluateProviderRequest) (*proto.PolicyEvaluateProviderResponse, error) {
 				return &proto.PolicyEvaluateProviderResponse{
 					Result: proto.EvaluateResult_DENY_EVALUATE_RESULT,

internal/policy/convert.go

@@ -0,0 +1,72 @@
+// Copyright IBM Corp. 2014, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package policy
+
+import (
+	"fmt"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/msgpack"
+
+	"github.com/hashicorp/terraform/internal/policy/proto"
+)
+
+func resourceAttributesToProto(value PolicyValue) (*proto.ResourceAttributes, error) {
+	raw, err := msgpack.Marshal(value.Raw, cty.DynamicPseudoType)
+	if err != nil {
+		return nil, fmt.Errorf("error serializing raw value: %w", err)
+	}
+
+	redactedPaths, err := pathsToProto(value.RedactedPaths)
+	if err != nil {
+		return nil, fmt.Errorf("error serializing redacted paths: %w", err)
+	}
+
+	return &proto.ResourceAttributes{
+		Raw:           raw,
+		RedactedPaths: redactedPaths,
+	}, nil
+}
+
+func pathToProto(path cty.Path) (*proto.AttributePath, error) {
+	steps := make([]*proto.AttributePath_Step, 0, len(path))
+	for _, step := range path {
+		switch step := step.(type) {
+		case cty.GetAttrStep:
+			steps = append(steps, &proto.AttributePath_Step{
+				Selector: &proto.AttributePath_Step_AttributeName{AttributeName: step.Name},
+			})
+		case cty.IndexStep:
+			key := step.Key
+			switch key.Type() {
+			case cty.String:
+				steps = append(steps, &proto.AttributePath_Step{
+					Selector: &proto.AttributePath_Step_ElementKeyString{ElementKeyString: key.AsString()},
+				})
+			case cty.Number:
+				v, _ := key.AsBigFloat().Int64()
+				steps = append(steps, &proto.AttributePath_Step{
+					Selector: &proto.AttributePath_Step_ElementKeyInt{ElementKeyInt: int64(v)},
+				})
+			default:
+				return nil, fmt.Errorf("unsupported cty path step type %T", step)
+			}
+		default:
+			return nil, fmt.Errorf("unsupported cty path step type %T", step)
+		}
+	}
+	return &proto.AttributePath{Steps: steps}, nil
+}
+
+func pathsToProto(paths []cty.Path) ([]*proto.AttributePath, error) {
+	ret := make([]*proto.AttributePath, 0, len(paths))
+	for _, path := range paths {
+		protoPath, err := pathToProto(path)
+		if err != nil {
+			return nil, err
+		}
+		ret = append(ret, protoPath)
+	}
+	return ret, nil
+}

internal/policy/policy.go

@@ -10,6 +10,7 @@ import (
 	"github.com/zclconf/go-cty/cty"
 
 	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/terraform/internal/lang/marks"
 	"github.com/hashicorp/terraform/internal/policy/callback"
 	"github.com/hashicorp/terraform/internal/policy/proto"
 )
@@ -68,15 +69,24 @@ type (
 		CallbackService uint32
 	}
 
+	PolicyValue struct {
+		// Raw contains the Terraform value being sent to the policy engine.
+		Raw cty.Value
+
+		// RedactedPaths contains attribute paths that should be redacted when
+		// displaying values from Raw.
+		RedactedPaths []cty.Path
+	}
+
 	EvaluationRequest[T any] struct {
 		// Target is the object being evaluated.
 		Target string
 
 		// Attrs contains the attributes of the object being evaluated.
-		Attrs cty.Value
+		Attrs PolicyValue
 
 		// PriorAttrs contains the state of the object prior to the current operation.
-		PriorAttrs cty.Value
+		PriorAttrs PolicyValue
 
 		// Meta is additional metadata required for evaluation.
 		Meta T
@@ -198,3 +208,14 @@ func ErrorEvalFromDiags(diags []*proto.Diagnostic) EvaluationResponse {
 		Diagnostics: DiagsFromProto(diags, nil),
 	}
 }
+
+// CtyToPolicyValue converts a cty.Value to a PolicyValue, unmarking the value and
+// extracting sensitive paths.
+func CtyToPolicyValue(raw cty.Value) PolicyValue {
+	raw, pvms := raw.UnmarkDeepWithPaths()
+	redactedPaths, _ := marks.PathsWithMark(pvms, marks.Sensitive)
+	return PolicyValue{
+		Raw:           raw,
+		RedactedPaths: redactedPaths,
+	}
+}