I have a schema parameter that sometimes needs to be Sensitive and sometimes does not. It depends on the value of another property.
resource “X” “Y” {
encrypted = false
entries = {
A = “B”
C = “D”
}
}
entries does NOT need to be sensitive because encrypted is false. However, if the user sets encrypted to true, then I need the entries to be sensitive. Is this possible? Is there some kind of custom func that I can write so that the schema changes to sensitive based on the value of another property? Is there a SensitiveWhenFunc?
This is not currently possible due to limitations in the Terraform protocol. I’d recommend filing a feature request against Terraform for it. I don’t know how feasible it is without some shenanigans, though; schemas must be known before parsing the config (…sorta), so if the config controls what comes back in the schema, we’re in a bit of a catch-22 here.
As a workaround for almost the same situation, I was thinking/planning to provide two almost identical types of resource, which really mange the same backend type of resource, one with encrypted the other without. e.g. “myprovider_application” and “myprovider_application_encrypted”. The idea being the user could simply add/remove the “_encrypted” moniker to choose. Obviously this will not work for situations with more than one or two such flags.
The other solution I’m considering is (using you’re example), was a special section for the encrypted ones, however I’ve been having issues with DiffSuppressFunc.
entries = { ... }
entries_encrypted = { ... }
Not really happy with either solution. Perhaps you have come up with something better??
That is what I did as my workaround. I made a second property that was sensitive and the user decides which one he wants by deciding which property he uses. I added the ConflictsWith so that he can’t specify both properties at the same time.