marks package

marks.Sensitive

internal/lang/funcs/sensitive.go

@@ -1,6 +1,7 @@
 package funcs
 
 import (
+	"github.com/hashicorp/terraform/internal/lang/marks"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 )
@@ -25,7 +26,7 @@ var SensitiveFunc = function.New(&function.Spec{
 	},
 	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
 		val, _ := args[0].Unmark()
-		return val.Mark("sensitive"), nil
+		return val.Mark(marks.Sensitive), nil
 	},
 })
 
@@ -48,12 +49,12 @@ var NonsensitiveFunc = function.New(&function.Spec{
 		return args[0].Type(), nil
 	},
 	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-		if args[0].IsKnown() && !args[0].HasMark("sensitive") {
+		if args[0].IsKnown() && !args[0].HasMark(marks.Sensitive) {
 			return cty.DynamicVal, function.NewArgErrorf(0, "the given value is not sensitive, so this call is redundant")
 		}
-		v, marks := args[0].Unmark()
+		v, m := args[0].Unmark()
-		delete(marks, "sensitive") // remove the sensitive marking
+		delete(m, marks.Sensitive) // remove the sensitive marking
-		return v.WithMarks(marks), nil
+		return v.WithMarks(m), nil
 	},
 })
 

internal/lang/marks/marks.go

@@ -0,0 +1,13 @@
+package marks
+
+import (
+	"strings"
+)
+
+type valueMark string
+
+func (m valueMark) GoString() string {
+	return "marks." + strings.Title(string(m))
+}
+
+var Sensitive = valueMark("sensitive")

internal/terraform/evaluate.go

@@ -17,6 +17,7 @@ import (
 	"github.com/hashicorp/terraform/internal/configs/configschema"
 	"github.com/hashicorp/terraform/internal/instances"
 	"github.com/hashicorp/terraform/internal/lang"
+	"github.com/hashicorp/terraform/internal/lang/marks"
 	"github.com/hashicorp/terraform/internal/plans"
 	"github.com/hashicorp/terraform/internal/states"
 	"github.com/hashicorp/terraform/internal/tfdiags"
@@ -261,7 +262,7 @@ func (d *evaluationStateData) GetInputVariable(addr addrs.InputVariable, rng tfd
 	if d.Operation == walkValidate {
 		// Ensure variable sensitivity is captured in the validate walk
 		if config.Sensitive {
-			return cty.UnknownVal(wantType).Mark("sensitive"), diags
+			return marks.Sensitive(cty.UnknownVal(wantType)), diags
 		}
 		return cty.UnknownVal(wantType), diags
 	}
@@ -296,9 +297,9 @@ func (d *evaluationStateData) GetInputVariable(addr addrs.InputVariable, rng tfd
 		val = cty.UnknownVal(wantType)
 	}
 
-	// Mark if sensitive, and avoid double-marking if this has already been marked
+	// Mark if sensitive
-	if config.Sensitive && !val.HasMark("sensitive") {
+	if config.Sensitive {
-		val = val.Mark("sensitive")
+		val = marks.Sensitive(val)
 	}
 
 	return val, diags
@@ -432,8 +433,8 @@ func (d *evaluationStateData) GetModule(addr addrs.ModuleCall, rng tfdiags.Sourc
 
 			instance[cfg.Name] = outputState
 
-			if cfg.Sensitive && !outputState.HasMark("sensitive") {
+			if cfg.Sensitive {
-				instance[cfg.Name] = outputState.Mark("sensitive")
+				instance[cfg.Name] = marks.Sensitive(outputState)
 			}
 		}
 
@@ -461,8 +462,8 @@ func (d *evaluationStateData) GetModule(addr addrs.ModuleCall, rng tfdiags.Sourc
 
 			instance[cfg.Name] = change.After
 
-			if change.Sensitive && !change.After.HasMark("sensitive") {
+			if change.Sensitive {
-				instance[cfg.Name] = change.After.Mark("sensitive")
+				instance[cfg.Name] = marks.Sensitive(change.After)
 			}
 		}
 	}

internal/terraform/node_output.go

@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/terraform/internal/configs"
 	"github.com/hashicorp/terraform/internal/dag"
 	"github.com/hashicorp/terraform/internal/lang"
+	"github.com/hashicorp/terraform/internal/lang/marks"
 	"github.com/hashicorp/terraform/internal/plans"
 	"github.com/hashicorp/terraform/internal/states"
 	"github.com/hashicorp/terraform/internal/tfdiags"
@@ -281,8 +282,7 @@ func (n *NodeApplyableOutput) Execute(ctx EvalContext, op walkOperation) (diags
 		// statically declared as sensitive in order to dynamically return
 		// a sensitive result, to help avoid accidental exposure in the state
 		// of a sensitive value that the user doesn't want to include there.
-		_, marks := val.UnmarkDeep()
+		hasSensitive := marks.HasSensitive(val)
-		_, hasSensitive := marks["sensitive"]
 		if n.Addr.Module.IsRoot() {
 			if !n.Config.Sensitive && hasSensitive {
 				diags = diags.Append(&hcl.Diagnostic{