hashicorp · DanielMSchmidt · Feb 6, 2024 · Feb 5, 2024
@@ -233,6 +233,10 @@ var DescriptionList = map[string]descriptionEntry{
 		Description:      "`index` finds the element index for a given value in a list.",
 		ParamDescription: []string{"", ""},
 	},
+	"issensitive": {
+		Description:      "`issensitive` takes a value and returns a boolean indicating if the value is sensitive.",
+		ParamDescription: []string{""},
+	},
 	"join": {
 		Description: "`join` produces a string by concatenating together all elements of a given list of strings with the given delimiter.",
 		ParamDescription: []string{

@@ -58,10 +58,32 @@ var NonsensitiveFunc = function.New(&function.Spec{
 	},
 })
 
+var IssensitiveFunc = function.New(&function.Spec{
+	Params: []function.Parameter{{
+		Name:             "value",
+		Type:             cty.DynamicPseudoType,
+		AllowUnknown:     true,
+		AllowNull:        true,
+		AllowMarked:      true,
+		AllowDynamicType: true,
+	}},
+	Type: func(args []cty.Value) (cty.Type, error) {
+		return cty.Bool, nil
+	},
+	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+		s := args[0].HasMark(marks.Sensitive)
+		return cty.BoolVal(s), nil
+	},
+})
+
 func Sensitive(v cty.Value) (cty.Value, error) {
 	return SensitiveFunc.Call([]cty.Value{v})
 }
 
 func Nonsensitive(v cty.Value) (cty.Value, error) {
 	return NonsensitiveFunc.Call([]cty.Value{v})
 }
+
+func Issensitive(v cty.Value) (cty.Value, error) {
+	return IssensitiveFunc.Call([]cty.Value{v})
+}
@@ -180,3 +180,75 @@ func TestNonsensitive(t *testing.T) {
 		})
 	}
 }
+
+func TestIssensitive(t *testing.T) {
+	tests := []struct {
+		Input     cty.Value
+		Sensitive bool
+		WantErr   string
+	}{
+		{
+			cty.NumberIntVal(1).Mark(marks.Sensitive),
+			true,
+			``,
+		},
+		{
+			cty.NumberIntVal(1),
+			false,
+			``,
+		},
+		{
+			cty.DynamicVal.Mark(marks.Sensitive),
+			true,
+			``,
+		},
+		{
+			cty.UnknownVal(cty.String).Mark(marks.Sensitive),
+			true,
+			``,
+		},
+		{
+			cty.NullVal(cty.EmptyObject).Mark(marks.Sensitive),
+			true,
+			``,
+		},
+		{
+			cty.NullVal(cty.String),
+			false,
+			``,
+		},
+		{
+			cty.DynamicVal,
+			false,
+			``,
+		},
+		{
+			cty.UnknownVal(cty.String),
+			false,
+			``,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("issensitive(%#v)", test.Input), func(t *testing.T) {
+			got, err := Issensitive(test.Input)
+
+			if test.WantErr != "" {
+				if err == nil {
+					t.Fatal("succeeded; want error")
+				}
+				if got, want := err.Error(), test.WantErr; got != want {
+					t.Fatalf("wrong error\ngot:  %s\nwant: %s", got, want)
+				}
+				return
+			} else if err != nil {
+				t.Fatalf("unexpected error: %s", err)
+			}
+
+			if (got.True() && !test.Sensitive) || (got.False() && test.Sensitive) {
+				t.Errorf("wrong result \ngot:  %#v\nwant: %#v", got, test.Sensitive)
+			}
+		})
+	}
+
+}
@@ -103,6 +103,7 @@ func (s *Scope) Functions() map[string]function.Function {
 			"rsadecrypt":       funcs.RsaDecryptFunc,
 			"sensitive":        funcs.SensitiveFunc,
 			"nonsensitive":     funcs.NonsensitiveFunc,
+			"issensitive":      funcs.IssensitiveFunc,
 			"setintersection":  stdlib.SetIntersectionFunc,
 			"setproduct":       stdlib.SetProductFunc,
 			"setsubtract":      stdlib.SetSubtractFunc,
@@ -301,6 +302,7 @@ func baseFunctions(baseDir string) map[string]function.Function {
 		"rsadecrypt":       funcs.RsaDecryptFunc,
 		"sensitive":        funcs.SensitiveFunc,
 		"nonsensitive":     funcs.NonsensitiveFunc,
+		"issensitive":      funcs.IssensitiveFunc,
 		"setintersection":  stdlib.SetIntersectionFunc,
 		"setproduct":       stdlib.SetProductFunc,
 		"setsubtract":      stdlib.SetSubtractFunc,

@@ -515,6 +515,13 @@ func TestFunctions(t *testing.T) {
 			},
 		},
 
+		"issensitive": {
+			{
+				`issensitive(1)`,
+				cty.False,
+			},
+		},
+
 		"join": {
 			{
 				`join(" ", ["Hello", "World"])`,

@@ -690,6 +690,10 @@
         "title": "Type Conversion Functions",
         "routes": [
           { "title": "<code>can</code>", "href": "/language/functions/can" },
+          {
+            "title": "<code>issensitive</code>",
+            "href": "/language/functions/issensitive"
+          },
           {
             "title": "<code>nonsensitive</code>",
             "href": "/language/functions/nonsensitive"

@@ -0,0 +1,27 @@
+---
+page_title: issensitive - Functions - Configuration Language
+description: The issensitive function true if the value passed is marked as sensitive
+---
+
+# `issensitive` Function
+
+-> **Note:** This function is only available in Terraform v1.8 and later.
+
+`issensitive` takes any value and returns true if Terraform
+treats it as sensitive, with the same meaning and behavior as for
+[sensitive input variables](/terraform/language/values/variables#suppressing-values-in-cli-output).
+
+If a value not marked as sensitive is passed the function returns false.
+
+See [`sensitive`](/terraform/language/functions/sensitive), [`nonsensitive`](/terraform/language/functions/nonsensitive), and [sensitive input variables](/terraform/language/values/variables#suppressing-values-in-cli-output) for more information on sensitive values.
+
+## Examples
+
+```
+> issensitive(sensitive("secret"))
+true
+> issensitive("hello")
+false
+> sensitive(var.my-var-with-sensitive-set-to-true)
+true
+```