ppl: handle unknown state

Author: wasaga

example/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     pomerium = {
       source  = "pomerium/pomerium"
-      version = "0.0.2"
+      version = "0.0.5"
     }
   }
 }
@@ -50,22 +50,30 @@ resource "pomerium_settings" "settings" {
 
   log_level       = "info"
   proxy_log_level = "info"
-  # tracing_provider                  = "jaeger"
-  # tracing_sample_rate               = 1
-  # tracing_jaeger_collector_endpoint = "http://localhost:14268/api/traces"
-  # tracing_jaeger_agent_endpoint     = "localhost:6831"
 
   timeout_idle = "5m"
 }
 
+resource "pomerium_service_account" "test_sa" {
+  namespace_id = pomerium_namespace.test_namespace.id
+  name         = "test-service-account"
+}
+
 resource "pomerium_policy" "test_policy" {
+  depends_on   = [pomerium_service_account.test_sa]
   name         = "test-policy"
   namespace_id = pomerium_namespace.test_namespace.id
-  ppl          = <<EOF
-- allow:
-    and:
-        - authenticated_user: true
-EOF
+  ppl = yamlencode({
+    allow = {
+      and = [
+        {
+          user = {
+            is = pomerium_service_account.test_sa.id
+          }
+        }
+      ]
+    }
+  })
 }
 
 resource "pomerium_route" "test_route" {

internal/provider/policy_types.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/hashicorp/terraform-plugin-go/tftypes"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
 
 	"github.com/pomerium/pomerium/pkg/policy/parser"
 )
@@ -42,7 +43,14 @@ func (p PolicyLanguageType) Equal(o attr.Type) bool {
 
 func (PolicyLanguageType) Parse(src basetypes.StringValue) (PolicyLanguage, error) {
 	if src.IsNull() {
-		return PolicyLanguage{}, nil
+		return PolicyLanguage{
+			StringValue: basetypes.NewStringNull(),
+		}, nil
+	}
+	if src.IsUnknown() {
+		return PolicyLanguage{
+			StringValue: basetypes.NewStringUnknown(),
+		}, nil
 	}
 
 	ppl, err := parser.New().ParseYAML(strings.NewReader(src.ValueString()))
@@ -61,13 +69,14 @@ func (PolicyLanguageType) Parse(src basetypes.StringValue) (PolicyLanguage, erro
 }
 
 func (PolicyLanguageType) ValueFromString(
-	_ context.Context,
+	ctx context.Context,
 	in basetypes.StringValue,
 ) (basetypes.StringValuable, diag.Diagnostics) {
+	tflog.Info(ctx, "PPL.ValueFromString", map[string]any{"in": in})
 	var diag diag.Diagnostics
 	v, err := PolicyLanguageType{}.Parse(in)
 	if err != nil {
-		diag.AddError("failed to parse PPL", err.Error()+">>"+in.ValueString()+"<<")
+		diag.AddError("failed to parse PPL", err.Error())
 		return nil, diag
 	}
 	return v, nil
@@ -77,6 +86,7 @@ func (p PolicyLanguageType) ValueFromTerraform(
 	ctx context.Context,
 	in tftypes.Value,
 ) (attr.Value, error) {
+	tflog.Info(ctx, "PPL.ValueFromTerraform", map[string]any{"in": in})
 	attrValue, err := p.StringType.ValueFromTerraform(ctx, in)
 	if err != nil {
 		return nil, err

internal/provider/policy_types_test.go

@@ -35,7 +35,11 @@ func TestPolicyTypes(t *testing.T) {
 		},
 		"null": {
 			in:       tftypes.NewValue(tftypes.String, nil),
-			expected: provider.PolicyLanguage{},
+			expected: provider.PolicyLanguage{StringValue: basetypes.NewStringNull()},
+		},
+		"unknown": {
+			in:       tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+			expected: provider.PolicyLanguage{StringValue: basetypes.NewStringUnknown()},
 		},
 	}
 	for name, testCase := range testCases {