@marinamihaela711

Description of your changes

This PR fixes a failure in sensitive parameter injection when the Terraform
field path includes list wildcards (e.g. options[*].configuration).

Issue #589

Root cause

Upjet injects sensitive values into a Terraform-shaped object using
fieldpath.Paved.SetValue. When the TF path contains [*], the segment before
the wildcard (e.g. options) is a list ([]any), not an object/map. Writing
to a path like options[*].configuration.<key> therefore fails with errors like:

cannot set string as terraform attribute for fieldpath "options[*].configuration.<key>": options is not an object

At the same time, Upjet already has the concrete list index available after it
expands the corresponding Crossplane JSON path (e.g. ...options[0]...).

Fix

Introduce a helper expandWildcardTFPath(tfPath, expandedJSONPath) that replaces
wildcard list segments (e.g. options[*]) with the concrete index extracted
from the expanded JSON path (e.g. options[0]). This enables writing sensitive
values at the correct Terraform location, for example:
options[0].configuration.<key>.

I have:

  • Read and followed Upjet's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

  • Reproduced the failure in a local Crossplane + Upjet-based provider setup with
    a resource that injects sensitive values into a list field path containing [*].
  • Verified reconciliation proceeds and values are injected at the expected
    concrete index (e.g. options[0]...) without the "options is not an object" error.
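
The index substitution described under "Fix" above, as an added Go sketch that is not Upjet's code or part of this PR. resolveWildcards is a hypothetical name, the sample paths are constructed, and the sketch assumes the k-th [*] in the Terraform path pairs with the k-th concrete index in the expanded JSON path. It goes beyond the single-wildcard case in the description by handling nested wildcards and rejecting a count mismatch instead of guessing where the secret belongs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// indexRe matches a concrete list index such as "[0]" in an expanded path.
var indexRe = regexp.MustCompile(`\[(\d+)\]`)

// resolveWildcards is a hypothetical stand-in for the helper the PR describes.
// Assumption: the k-th "[*]" in tfPath corresponds to the k-th concrete index
// in expandedJSONPath. Segment names are not compared, because the Terraform
// path and the Crossplane path may spell the same field differently.
func resolveWildcards(tfPath, expandedJSONPath string) (string, error) {
	matches := indexRe.FindAllStringSubmatch(expandedJSONPath, -1)
	want := strings.Count(tfPath, "[*]")
	if want != len(matches) {
		// Fail closed: a guessed index could place a secret in the wrong element.
		return "", fmt.Errorf("path %q has %d wildcard(s) but %q has %d index(es)",
			tfPath, want, expandedJSONPath, len(matches))
	}
	var b strings.Builder
	rest := tfPath
	for _, m := range matches {
		i := strings.Index(rest, "[*]")
		b.WriteString(rest[:i])
		b.WriteString("[" + m[1] + "]")
		rest = rest[i+len("[*]"):]
	}
	b.WriteString(rest)
	return b.String(), nil
}

func main() {
	// Constructed sample paths, modelled on the options[*].configuration case.
	for _, jp := range []string{
		"spec.forProvider.options[0].configurationSecretRef",
		"spec.forProvider.options[2].configurationSecretRef",
		"spec.forProvider.options.configurationSecretRef", // no index: rejected
	} {
		out, err := resolveWildcards("options[*].configuration", jp)
		fmt.Printf("%-55s -> %q err=%v\n", jp, out, err)
	}
}
```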

@coderabbitai

coderabbitai bot commented Jan 20, 2026

📝 Walkthrough

Introduces a helper function to expand wildcard segments in Terraform paths to concrete indices using JSON path mappings. Updates the storeSensitiveData function to apply this expansion when handling SecretReference maps, enabling accurate state tracking for wildcarded paths.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Wildcard Path Expansion (pkg/resource/sensitive.go) | Added expandWildcardTFPath() helper function to resolve wildcard segments (e.g., options[*]) to concrete indices from expanded JSON paths. Modified storeSensitiveData() to compute expanded Terraform paths for SecretReference map cases and set attributes at the resolved path instead of the original wildcarded path. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately describes the main change: fixing sensitive TF path injection when list wildcards are present, and it stays well under the 72-character limit. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, providing context, root cause analysis, the fix, testing approach, and links to the issue and contribution guidelines. |
| Configuration Api Breaking Changes | ✅ Passed | PR modifies only pkg/resource/sensitive.go, which is outside the pkg/config/** scope where the Configuration API Breaking Changes check applies. |
| Generated Code Manual Edits | ✅ Passed | The PR only modifies pkg/resource/sensitive.go, which is not a generated code file matching the zz_*.go pattern that this check targets. |
| Template Breaking Changes | ✅ Passed | Git diff confirms zero lines changed in pkg/controller/external*.go files. PR modifies only pkg/resource/sensitive.go, a utility module for sensitive data handling that does not affect controller template generation. |
