Changing For-each to toset([for doesn't work as expected after upgrading TF v0.15

michaelsync · April 19, 2021, 10:03am

Hi,

Terraform v0.15.0 on windows_amd64
hashicorp/aws v3.37.0

In this doc The for_each Meta-Argument - Configuration Language - Terraform by HashiCorp, it mentioned that if we have a var (map) with sensitive values (not the keys), we can create a values to pass to for-each with toset([for).

The code below was working fine when I was using v0.14.

variable "secret-key-values" {
  description = "List of Secert Key/Value"
  type = map
}

  resource "aws_secretsmanager_secret" "secret-key" {
      for_each = var.secret-key-values 

      name = each.key 
    }

    resource "aws_secretsmanager_secret_version" "secret-value" {
      for_each = var.secret-key-values

      secret_id     = aws_secretsmanager_secret.secret-key[each.key].id
      secret_string = each.value
    }

I changed it as below after upgrading the Terraform to v0.15.

resource "aws_secretsmanager_secret" "secret-key" {
  for_each = toset([for k,v in var.secret-key-values : k])  

  name = each.key
}

resource "aws_secretsmanager_secret_version" "secret-value" {
  for_each = toset([for k,v in var.secret-key-values : k])  

  secret_id     = aws_secretsmanager_secret.secret-key[each.key].id
  secret_string = aws_secretsmanager_secret.secret-key[each.key].value
}

I am still getting this error.

│ Error: Invalid for_each argument
│ 
│   on ..\modules\secerts-management\main.tf line 2, in resource "aws_secretsmanager_secret" "secret-key":
│    2:   for_each = toset([for k,v in var.secret-key-values : k])  
│     ├────────────────
│     │ var.secret-key-values has a sensitive value
│ 
│ Sensitive values, or values derived from sensitive values, cannot be used
│ as for_each arguments. If used, the sensitive value could be exposed as a
│ resource instance key.

Did I miss out something? Or, Is it a bug?

fred · April 27, 2021, 11:33am

Upgrade to 0.15.1 fixed this for me.

apparentlymart · April 27, 2021, 4:23pm

Indeed, Terraform v0.15.1 includes some improvements to Terraform’s automatic inference of sensitive values for some functions, including toset, which allow Terraform to recognize more situations where the result of a function isn’t sensitive even though the input is sensitive.

More of Terraform’s functions now have special rules for sensitivity inference. For example, keys now knows that for maps only either the entire map or individual values can be sensitive, but never any individual keys, and so it’s able to return a non-sensitive result in a situation where the map as a whole is non-sensitive even if one or more of the element values are sensitive.

The general rule remains that if you use sensitive values as part of an expression then Terraform will typically consider the result to be sensitive, but these special exceptions should make it easier to construct values that are valid to use in for_each.

Topic		Replies	Views
Sensitive values, or values derived from sensitive values cannot be used as for_each arguments Terraform	4	5350	October 24, 2022
How does Terraform detect sensitive data? Terraform	2	1900	April 21, 2021
Terraform - for_each used with unknown values Terraform hcp-terraform , terraform-enterprise	0	1023	September 16, 2022
Error: Invalid for_each argument Terraform	7	292	October 4, 2024
For_each : tuple with a dynamic value Terraform	9	1559	January 18, 2024

Changing For-each to toset([for doesn't work as expected after upgrading TF v0.15

Related topics