Changing For-each to toset([for doesn't work as expected after upgrading TF v0.15

Hi,

Terraform v0.15.0 on windows_amd64
hashicorp/aws v3.37.0

In the doc "The for_each Meta-Argument - Configuration Language - Terraform by HashiCorp", it is mentioned that if we have a var (map) with sensitive values (not the keys), we can create a value to pass to for_each with toset([for).

The code below was working fine when I was using v0.14.

variable "secret-key-values" {
  description = "List of Secret Key/Value"
  type        = map
}

resource "aws_secretsmanager_secret" "secret-key" {
  for_each = var.secret-key-values

  name = each.key
}

resource "aws_secretsmanager_secret_version" "secret-value" {
  for_each = var.secret-key-values

  secret_id     = aws_secretsmanager_secret.secret-key[each.key].id
  secret_string = each.value
}

I changed it as below after upgrading Terraform to v0.15.

resource "aws_secretsmanager_secret" "secret-key" {
  for_each = toset([for k,v in var.secret-key-values : k])  

  name = each.key
}

resource "aws_secretsmanager_secret_version" "secret-value" {
  for_each = toset([for k,v in var.secret-key-values : k])

  secret_id     = aws_secretsmanager_secret.secret-key[each.key].id
  # The value comes from the input map; aws_secretsmanager_secret exports no "value" attribute.
  secret_string = var.secret-key-values[each.key]
}

I am still getting this error.

│ Error: Invalid for_each argument
│ 
│   on ..\modules\secerts-management\main.tf line 2, in resource "aws_secretsmanager_secret" "secret-key":
│    2:   for_each = toset([for k,v in var.secret-key-values : k])  
│     ├────────────────
│     │ var.secret-key-values has a sensitive value
│ 
│ Sensitive values, or values derived from sensitive values, cannot be used
│ as for_each arguments. If used, the sensitive value could be exposed as a
│ resource instance key.

Did I miss something? Or is it a bug?

Upgrade to 0.15.1 fixed this for me.

Indeed, Terraform v0.15.1 includes some improvements to Terraform's automatic inference of sensitive values for some functions, including toset, which allow Terraform to recognize more situations where the result of a function isn't sensitive even though the input is sensitive.

More of Terraform's functions now have special rules for sensitivity inference. For example, keys now knows that for maps only either the entire map or individual values can be sensitive, but never any individual keys, and so it's able to return a non-sensitive result in a situation where the map as a whole is non-sensitive even if one or more of the element values are sensitive.

The general rule remains that if you use sensitive values as part of an expression then Terraform will typically consider the result to be sensitive, but these special exceptions should make it easier to construct values that are valid to use in for_each.
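
The keys rule described above, as an added example (not code from this thread or from the Terraform docs): the map as a whole is non-sensitive and only its element values are sensitive, so keys() yields a result that for_each accepts on v0.15.1 or later. The variable names db_password and api_token, the local name secrets, and the secret names are assumptions made for illustration.

```hcl
terraform {
  required_version = ">= 0.15.1"
}

# Hypothetical inputs: each value is sensitive on its own.
variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type      = string
  sensitive = true
}

locals {
  # The keys are plain, non-secret strings. Each value carries its own
  # sensitive mark, but the collection as a whole is not sensitive.
  secrets = {
    "app/db-password" = var.db_password
    "app/api-token"   = var.api_token
  }
}

resource "aws_secretsmanager_secret" "secret-key" {
  # keys() returns a non-sensitive list here, so it is a valid for_each
  # argument. The keys become resource instance keys, which appear in plan
  # output and in state addresses, so they must never hold secret material.
  for_each = toset(keys(local.secrets))

  name = each.key
}

resource "aws_secretsmanager_secret_version" "secret-value" {
  for_each = toset(keys(local.secrets))

  secret_id = aws_secretsmanager_secret.secret-key[each.key].id
  # Looking the value up by key keeps its sensitive mark, so the plan
  # output redacts it.
  secret_string = local.secrets[each.key]
}
```

If the whole map is instead declared as one variable with sensitive = true, keys() still returns a sensitive result and for_each rejects it. In that case nonsensitive(keys(...)), available since v0.15.0, is the explicit way to state that the key names are not secret.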