ppl: handle unknown state (#28)

If PPL block was referencing some values that were unknown, it still
tried to parse the PPL. Instead, it should return an unknown state as
well.
Similarly for null values. 

Fixes https://linear.app/pomerium/issue/ENG-1936

Author: wasaga

example/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     pomerium = {
       source  = "pomerium/pomerium"
-      version = "0.0.2"
+      version = "0.0.5"
     }
   }
 }
@@ -50,22 +50,30 @@ resource "pomerium_settings" "settings" {
 
   log_level       = "info"
   proxy_log_level = "info"
-  # tracing_provider                  = "jaeger"
-  # tracing_sample_rate               = 1
-  # tracing_jaeger_collector_endpoint = "http://localhost:14268/api/traces"
-  # tracing_jaeger_agent_endpoint     = "localhost:6831"
 
   timeout_idle = "5m"
 }
 
+resource "pomerium_service_account" "test_sa" {
+  namespace_id = pomerium_namespace.test_namespace.id
+  name         = "test-service-account"
+}
+
 resource "pomerium_policy" "test_policy" {
+  depends_on   = [pomerium_service_account.test_sa]
   name         = "test-policy"
   namespace_id = pomerium_namespace.test_namespace.id
-  ppl          = <<EOF
-- allow:
-    and:
-        - authenticated_user: true
-EOF
+  ppl = yamlencode({
+    allow = {
+      and = [
+        {
+          user = {
+            is = pomerium_service_account.test_sa.id
+          }
+        }
+      ]
+    }
+  })
 }
 
 resource "pomerium_route" "test_route" {

internal/provider/policy_types.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-go/tftypes"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
 
 	"github.com/pomerium/pomerium/pkg/policy/parser"
 )
@@ -42,7 +43,14 @@ func (p PolicyLanguageType) Equal(o attr.Type) bool {
 
 func (PolicyLanguageType) Parse(src basetypes.StringValue) (PolicyLanguage, error) {
 	if src.IsNull() {
-		return PolicyLanguage{}, nil
+		return PolicyLanguage{
+			StringValue: basetypes.NewStringNull(),
+		}, nil
+	}
+	if src.IsUnknown() {
+		return PolicyLanguage{
+			StringValue: basetypes.NewStringUnknown(),
+		}, nil
 	}
 
 	ppl, err := parser.New().ParseYAML(strings.NewReader(src.ValueString()))
@@ -61,13 +69,14 @@ func (PolicyLanguageType) Parse(src basetypes.StringValue) (PolicyLanguage, erro
 }
 
 func (PolicyLanguageType) ValueFromString(
-	_ context.Context,
+	ctx context.Context,
 	in basetypes.StringValue,
 ) (basetypes.StringValuable, diag.Diagnostics) {
+	tflog.Info(ctx, "PPL.ValueFromString", map[string]any{"in": in})
 	var diag diag.Diagnostics
 	v, err := PolicyLanguageType{}.Parse(in)
 	if err != nil {
-		diag.AddError("failed to parse PPL", err.Error()+">>"+in.ValueString()+"<<")
+		diag.AddError("failed to parse PPL", err.Error())
 		return nil, diag
 	}
 	return v, nil
@@ -77,6 +86,7 @@ func (p PolicyLanguageType) ValueFromTerraform(
 	ctx context.Context,
 	in tftypes.Value,
 ) (attr.Value, error) {
+	tflog.Info(ctx, "PPL.ValueFromTerraform", map[string]any{"in": in})
 	attrValue, err := p.StringType.ValueFromTerraform(ctx, in)
 	if err != nil {
 		return nil, err

internal/provider/policy_types_test.go

@@ -35,7 +35,11 @@ func TestPolicyTypes(t *testing.T) {
 		},
 		"null": {
 			in:       tftypes.NewValue(tftypes.String, nil),
-			expected: provider.PolicyLanguage{},
+			expected: provider.PolicyLanguage{StringValue: basetypes.NewStringNull()},
+		},
+		"unknown": {
+			in:       tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+			expected: provider.PolicyLanguage{StringValue: basetypes.NewStringUnknown()},
 		},
 	}
 	for name, testCase := range testCases {