From 7b20966f3fe670264eeff3ca9eee2322ffc2f7e9 Mon Sep 17 00:00:00 2001 From: Marina Telegeanu Date: Tue, 20 Jan 2026 11:24:58 +0200 Subject: [PATCH 1/2] replace wildcard with real index tfpath --- pkg/resource/sensitive.go | 43 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/pkg/resource/sensitive.go b/pkg/resource/sensitive.go index a0294442..b16fe0c9 100644 --- a/pkg/resource/sensitive.go +++ b/pkg/resource/sensitive.go @@ -238,9 +238,15 @@ func storeSensitiveData(ctx context.Context, client SecretClient, tfPath, jsonPa if resource.IgnoreNotFound(err) != nil { return errors.Wrapf(err, errFmtCannotGetSecretValue, ref) } + + expandedTFPath, _ := expandWildcardTFPath(tfPath, expandedJSONPath) + for key, value := range data { - if err = pavedTF.SetValue(fmt.Sprintf("%s.%s", tfPath, key), string(value)); err != nil { - return errors.Wrapf(err, "cannot set string as terraform attribute for fieldpath %q", fmt.Sprintf("%s.%s", tfPath, key)) + fp := fmt.Sprintf("%s.%s", expandedTFPath, key) + fmt.Printf("DEBUG upjet local: concreteTFPath=%s expandedJSONPath=%s\n", expandedTFPath, expandedJSONPath) + + if err = pavedTF.SetValue(fp, string(value)); err != nil { + return errors.Wrapf(err, "cannot set string as terraform attribute for fieldpath %q", fp) } } continue @@ -298,6 +304,39 @@ func storeSensitiveData(ctx context.Context, client SecretClient, tfPath, jsonPa return nil } +// expandWildcardTFPath replaces segments like "options[*]" with the concrete index +// found in expandedJSONPath (e.g. "...options[0]...."). +// Example: +// tfPath: "options[*].configuration" +// expandedJSONPath: "spec.forProvider.options[0].configurationSecretRef" +// => "options[0].configuration" +func expandWildcardTFPath(tfPath, expandedJSONPath string) (string, error) { + segs := strings.Split(tfPath, ".") + // match "options[*]" + reWildcard := regexp.MustCompile(`^([A-Za-z0-9_-]+)\[\*\]$`) + // match "options[0]" in expandedJSONPath + // we build this per-field: fmt.Sprintf(`\b%s\[(\d+)\]`, field) + out := make([]string, 0, len(segs)) + + for _, s := range segs { + m := reWildcard.FindStringSubmatch(s) + if len(m) == 0 { + out = append(out, s) + continue + } + field := m[1] + reIndex := regexp.MustCompile(fmt.Sprintf(`\b%v\[(\d+)\]`, regexp.QuoteMeta(field))) + mi := reIndex.FindStringSubmatch(expandedJSONPath) + if len(mi) < 2 { + // if we cannot find an index, keep as-is (fallback) + out = append(out, s) + continue + } + out = append(out, fmt.Sprintf("%s[%s]", field, mi[1])) + } + return strings.Join(out, "."), nil +} + // GetSensitiveObservation will return sensitive information as terraform state // attributes by reading them from connection details. func GetSensitiveObservation(ctx context.Context, client SecretClient, from *v1.SecretReference, into map[string]any) error { From 4c788116bfc4c6f719c55bdff09d334aa78a3242 Mon Sep 17 00:00:00 2001 From: Marina Telegeanu Date: Tue, 20 Jan 2026 12:34:09 +0200 Subject: [PATCH 2/2] remove debug log --- pkg/resource/sensitive.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkg/resource/sensitive.go b/pkg/resource/sensitive.go index b16fe0c9..25f6dd25 100644 --- a/pkg/resource/sensitive.go +++ b/pkg/resource/sensitive.go @@ -243,8 +243,6 @@ func storeSensitiveData(ctx context.Context, client SecretClient, tfPath, jsonPa for key, value := range data { fp := fmt.Sprintf("%s.%s", expandedTFPath, key) - fmt.Printf("DEBUG upjet local: concreteTFPath=%s expandedJSONPath=%s\n", expandedTFPath, expandedJSONPath) - if err = pavedTF.SetValue(fp, string(value)); err != nil { return errors.Wrapf(err, "cannot set string as terraform attribute for fieldpath %q", fp) }