Dynamic sensitive?

I have a schema parameter that sometimes needs to be Sensitive and sometimes does not. It depends on the value of another property.

resource “X” “Y” {
encrypted = false
entries = {
A = “B”
C = “D”
}
}

entries does NOT need to be sensitive because encrypted is false. However, if the user sets encrypted to true, then I need the entries to be sensitive. Is this possible? Is there some kind of custom func that I can write so that the schema changes to sensitive based on the value of another property? Is there a SensitiveWhenFunc?

This is not currently possible due to limitations in the Terraform protocol. I’d recommend filing a feature request against Terraform for it. I don’t know how feasible it is without some shenanigans, though; schemas must be known before parsing the config (…sorta), so if the config controls what comes back in the schema, we’re in a bit of a catch-22 here.

Users of Terraform 0.14 can also set the values to sensitive themselves.

As a workaround for almost the same situation, I was thinking/planning to provide two almost identical types of resource, which really mange the same backend type of resource, one with encrypted the other without. e.g. “myprovider_application” and “myprovider_application_encrypted”. The idea being the user could simply add/remove the “_encrypted” moniker to choose. Obviously this will not work for situations with more than one or two such flags.

The other solution I’m considering is (using you’re example), was a special section for the encrypted ones, however I’ve been having issues with DiffSuppressFunc.

entries = { ... }
entries_encrypted = { ... }

Not really happy with either solution. Perhaps you have come up with something better??

That is what I did as my workaround. I made a second property that was sensitive and the user decides which one he wants by deciding which property he uses. I added the ConflictsWith so that he can’t specify both properties at the same time.