pulumi · nyobe · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025
diff --git a/analysis/common_test.go b/analysis/common_test.go
@@ -71,6 +71,12 @@ func (testProviders) LoadProvider(ctx context.Context, name string) (esc.Provide
 	return nil, fmt.Errorf("unknown provider %q", name)
 }
 
+type testRotators struct{}
+
+func (testRotators) LoadRotator(ctx context.Context, name string) (esc.Rotator, error) {
+	return nil, fmt.Errorf("unknown provider %q", name)
+}
+
 type testEnvironments struct{}
 
 func (testEnvironments) LoadEnvironment(ctx context.Context, name string) ([]byte, eval.Decrypter, error) {

diff --git a/analysis/describe_test.go b/analysis/describe_test.go
@@ -34,7 +34,7 @@ func TestDescribe(t *testing.T) {
 	execContext, err := esc.NewExecContext(make(map[string]esc.Value))
 	require.NoError(t, err)
 
-	env, diags := eval.CheckEnvironment(context.Background(), "def", syntax, nil, testProviders{}, testEnvironments{}, execContext, false)
+	env, diags := eval.CheckEnvironment(context.Background(), "def", syntax, nil, testProviders{}, testRotators{}, testEnvironments{}, execContext, false)
 	require.Empty(t, diags)
 
 	analysis := New(*env, map[string]*schema.Schema{"test": testProviderSchema})
@@ -108,7 +108,7 @@ func TestDescribeOpen(t *testing.T) {
 	execContext, err := esc.NewExecContext(make(map[string]esc.Value))
 	require.NoError(t, err)
 
-	env, diags := eval.CheckEnvironment(context.Background(), "def", syntax, nil, testProviders{}, testEnvironments{}, execContext, false)
+	env, diags := eval.CheckEnvironment(context.Background(), "def", syntax, nil, testProviders{}, testRotators{}, testEnvironments{}, execContext, false)
 	require.Empty(t, diags)
 
 	analysis := New(*env, map[string]*schema.Schema{"test": testProviderSchema})

diff --git a/analysis/traversal_test.go b/analysis/traversal_test.go
@@ -33,7 +33,7 @@ func TestExpressionAt(t *testing.T) {
 	execContext, err := esc.NewExecContext(make(map[string]esc.Value))
 	require.NoError(t, err)
 
-	env, diags := eval.CheckEnvironment(context.Background(), "def", syntax, nil, testProviders{}, testEnvironments{}, execContext, false)
+	env, diags := eval.CheckEnvironment(context.Background(), "def", syntax, nil, testProviders{}, testRotators{}, testEnvironments{}, execContext, false)
 	require.Empty(t, diags)
 
 	analysis := New(*env, map[string]*schema.Schema{"test": testProviderSchema})

diff --git a/ast/expr.go b/ast/expr.go
@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"slices"
 	"strings"
 
 	"github.com/hashicorp/hcl/v2"
@@ -434,6 +435,41 @@ func Open(provider string, inputs *ObjectExpr) *OpenExpr {
 	}
 }
 
+// RotateExpr is a type of OpenExpr that supports a rotate operation.
+type RotateExpr struct {
+	builtinNode
+
+	Provider *StringExpr
+	Inputs   Expr
+	State    *ObjectExpr
+}
+
+func RotateSyntax(node *syntax.ObjectNode, name *StringExpr, args Expr, provider *StringExpr, inputs Expr, state *ObjectExpr) *RotateExpr {
+	return &RotateExpr{
+		builtinNode: builtin(node, name, args),
+		Provider:    provider,
+		Inputs:      inputs,
+		State:       state,
+	}
+}
+
+func Rotate(provider string, inputs, state *ObjectExpr) *RotateExpr {
+	name, providerX := String("fn::rotate"), String(provider)
+
+	entries := []ObjectProperty{
+		{Key: String("provider"), Value: providerX},
+		{Key: String("inputs"), Value: inputs},
+		{Key: String("state"), Value: state},
+	}
+
+	return &RotateExpr{
+		builtinNode: builtin(nil, name, Object(entries...)),
+		Provider:    providerX,
+		Inputs:      inputs,
+		State:       state,
+	}
+}
+
 // ToJSON returns the underlying structure as a json string.
 type ToJSONExpr struct {
 	builtinNode
@@ -607,6 +643,8 @@ func tryParseFunction(node *syntax.ObjectNode) (Expr, syntax.Diagnostics, bool)
 		parse = parseJoin
 	case "fn::open":
 		parse = parseOpen
+	case "fn::rotate":
+		parse = parseRotate
 	case "fn::secret":
 		parse = parseSecret
 	case "fn::toBase64":
@@ -620,6 +658,10 @@ func tryParseFunction(node *syntax.ObjectNode) (Expr, syntax.Diagnostics, bool)
 			parse = parseShortOpen
 			break
 		}
+		if strings.HasPrefix(kvp.Key.Value(), "fn::rotate::") {
+			parse = parseShortRotate
+			break
+		}
 
 		if strings.HasPrefix(strings.ToLower(kvp.Key.Value()), "fn::") {
 			diags = append(diags, syntax.Error(kvp.Key.Syntax().Range(),
@@ -696,6 +738,78 @@ func parseShortOpen(node *syntax.ObjectNode, name *StringExpr, args Expr) (Expr,
 	return OpenSyntax(node, name, args, provider, args), nil
 }
 
+func parseRotate(node *syntax.ObjectNode, name *StringExpr, args Expr) (Expr, syntax.Diagnostics) {
+	obj, ok := args.(*ObjectExpr)
+	if !ok {
+		diags := syntax.Diagnostics{ExprError(args, "the argument to fn::rotate must be an object containing 'provider', 'inputs' and 'state'")}
+		return RotateSyntax(node, name, args, nil, nil, nil), diags
+	}
+
+	var providerExpr, inputs, stateExpr Expr
+	var diags syntax.Diagnostics
+
+	for i := 0; i < len(obj.Entries); i++ {
+		kvp := obj.Entries[i]
+		key := kvp.Key
+		switch key.GetValue() {
+		case "provider":
+			providerExpr = kvp.Value
+		case "inputs":
+			inputs = kvp.Value
+		case "state":
+			stateExpr = kvp.Value
+		}
+	}
+
+	provider, ok := providerExpr.(*StringExpr)
+	if !ok {
+		if providerExpr == nil {
+			diags.Extend(ExprError(obj, "missing provider name ('provider')"))
+		} else {
+			diags.Extend(ExprError(providerExpr, "provider name must be a string literal"))
+		}
+	}
+
+	if inputs == nil {
+		diags.Extend(ExprError(obj, "missing provider inputs ('inputs')"))
+	}
+
+	state, ok := stateExpr.(*ObjectExpr)
+	if !ok && state != nil {
+		diags.Extend(ExprError(stateExpr, "rotation state must be an object literal"))
+	}
+
+	return RotateSyntax(node, name, obj, provider, inputs, state), diags
+}
+
+func parseShortRotate(node *syntax.ObjectNode, name *StringExpr, args Expr) (Expr, syntax.Diagnostics) {
+	kvp := node.Index(0)
+	provider := StringSyntaxValue(name.Syntax().(*syntax.StringNode), strings.TrimPrefix(kvp.Key.Value(), "fn::rotate::"))
+
+	inputs, ok := args.(*ObjectExpr)
+	if !ok {
+		diags := syntax.Diagnostics{ExprError(args, "provider inputs must be an object")}
+		return RotateSyntax(node, name, args, nil, nil, nil), diags
+	}
+
+	// hoist 'state' key out of inputs
+	var stateExpr Expr
+	if i := slices.IndexFunc(inputs.Entries, func(kvp ObjectProperty) bool {
+		return kvp.Key.GetValue() == "state"
+	}); i != -1 {
+		stateExpr = inputs.Entries[i].Value
+		inputs.Entries = slices.Delete(inputs.Entries, i, i+1)
+	}
+
+	state, ok := stateExpr.(*ObjectExpr)
+	if !ok && state != nil {
+		diags := syntax.Diagnostics{ExprError(stateExpr, "rotation state must be an object literal")}
+		return RotateSyntax(node, name, args, nil, nil, nil), diags
+	}
+
+	return RotateSyntax(node, name, args, provider, inputs, state), nil
+}
+
 func parseJoin(node *syntax.ObjectNode, name *StringExpr, args Expr) (Expr, syntax.Diagnostics) {
 	list, ok := args.(*ArrayExpr)
 	if !ok || len(list.Elements) != 2 {

diff --git a/cmd/esc/cli/cli_test.go b/cmd/esc/cli/cli_test.go
@@ -215,6 +215,12 @@ func (testProviders) LoadProvider(ctx context.Context, name string) (esc.Provide
 	return nil, fmt.Errorf("unknown provider %q", name)
 }
 
+type testRotators struct{}
+
+func (testRotators) LoadRotator(ctx context.Context, name string) (esc.Rotator, error) {
+	return nil, fmt.Errorf("unknown rotator %q", name)
+}
+
 type rot128 struct{}
 
 func (rot128) Encrypt(_ context.Context, plaintext []byte) ([]byte, error) {
@@ -395,6 +401,7 @@ func (c *testPulumiClient) checkEnvironment(ctx context.Context, orgName, envNam
 	}
 
 	providers := &testProviders{}
+	rotators := &testRotators{}
 	envLoader := &testEnvironments{orgName: orgName, environments: c.environments}
 
 	execContext, err := esc.NewExecContext(make(map[string]esc.Value))
@@ -407,7 +414,7 @@ func (c *testPulumiClient) checkEnvironment(ctx context.Context, orgName, envNam
 		showSecrets = opts[0].ShowSecrets
 	}
 
-	checked, checkDiags := eval.CheckEnvironment(ctx, envName, environment, rot128{}, providers, envLoader, execContext, showSecrets)
+	checked, checkDiags := eval.CheckEnvironment(ctx, envName, environment, rot128{}, providers, rotators, envLoader, execContext, showSecrets)
 	diags.Extend(checkDiags...)
 	return checked, mapDiags(diags), nil
 }
@@ -427,14 +434,15 @@ func (c *testPulumiClient) openEnvironment(ctx context.Context, orgName, name st
 	}
 
 	providers := &testProviders{}
+	rotators := &testRotators{}
 	envLoader := &testEnvironments{orgName: orgName, environments: c.environments}
 
 	execContext, err := esc.NewExecContext(make(map[string]esc.Value))
 	if err != nil {
 		return "", nil, fmt.Errorf("initializing the ESC exec context: %w", err)
 	}
 
-	openEnv, evalDiags := eval.EvalEnvironment(ctx, name, decl, rot128{}, providers, envLoader, execContext)
+	openEnv, evalDiags := eval.EvalEnvironment(ctx, name, decl, rot128{}, providers, rotators, envLoader, execContext)
 	diags.Extend(evalDiags...)
 
 	if diags.HasErrors() {