How does Terraform detect sensitive data?


I am using this version of Terraform and AWS provider.

Terraform v0.15.0 on windows_amd64
hashicorp/aws v3.37.0

I have the code as below.

variable "secret-key-values" {
  description = "List of Secret Key/Value"
  type = map
}

resource "aws_secretsmanager_secret" "secret-key" {
      for_each = var.secret-key-values 

      name = each.key 
}

As I mentioned in this post, "Changing For-each to toset([for doesn't work as expected after upgrading TF v0.15", I am getting this error and I can't find the solution.

│ var.secret-key-values has a sensitive value
│ Sensitive values, or values derived from sensitive values, cannot be used
│ as for_each arguments. If used, the sensitive value could be exposed as a
│ resource instance key.

So I did a workaround to mark it as non-sensitive data.

resource "aws_secretsmanager_secret" "secret-key" {
  #for_each = toset([for k,v in var.secret-key-values : k])  
  for_each = nonsensitive(var.secret-key-values) 

  name = each.key
}

It works sometimes, but sometimes I get another error, as below.

│ Error: Invalid function argument
│   on ..\modules\secerts-management\ line 3, in resource "aws_secretsmanager_secret" "secret-key":
│    3:   for_each = nonsensitive(var.secret-key-values) 
│     ├────────────────
│     │ var.secret-key-values is (sensitive value)
│ Invalid value for "value" parameter: the given value is not sensitive, so
│ this call is redundant.

So Terraform auto-detects some sensitive data sometimes, and sometimes it throws an exception and says it's not sensitive.

It’s driving me crazy now. Am I missing something? How does Terraform detect sensitive data?

Hi @michaelsync,

In this case it seems like Terraform’s inferring the sensitivity based on how you built that value in the calling module, and so I suspect Terraform is inferring the sensitivity differently in different situations, causing this result.

From the name var.secret-key-values it seems like these values being sensitive is part of the contract of this module, so I’d suggest enforcing that explicitly by marking the variable as sensitive:

variable "secret-key-values" {
  type      = map(string)
  sensitive = true
}

This will cause Terraform to treat it as sensitive always, regardless of how the caller populated it. You should then be able to use the nonsensitive function as you tried and have it always work, because the value will always be sensitive. Of course, you should be careful to document that your module only treats the values of that map as sensitive, and not also the keys, because (as the first error message suggests) instance keys are always shown in cleartext so that you can tell which object a planned action will apply to.

1 Like
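A complete module written along the lines of the answer above, as an added example rather than code from the thread (the file path, the secret version resource, the output name, and the practice of indexing the original variable instead of using each.value are assumptions, not something the reply states):

```hcl
# modules/secrets-management/main.tf (assumed path; added example, not the thread's own code)

# Declaring the variable sensitive makes the mark unconditional, so nonsensitive()
# below never hits the "given value is not sensitive" error regardless of how the
# caller built the map.
variable "secret-key-values" {
  description = "Map of secret name => secret value. Values are sensitive; keys are not."
  type        = map(string)
  sensitive   = true
}

# Only the map keys become resource instance keys, and those are always printed in
# cleartext in the plan (e.g. aws_secretsmanager_secret.secret-key["db-password"]),
# so keys must not themselves be secret.
resource "aws_secretsmanager_secret" "secret-key" {
  for_each = nonsensitive(var.secret-key-values)

  name = each.key
}

# nonsensitive() strips the mark from the whole map, so each.value of the resource
# above would be an unmarked copy of the secret. Look the value up in the original
# variable instead so the string stays redacted in plan output.
resource "aws_secretsmanager_secret_version" "secret-key" {
  for_each = aws_secretsmanager_secret.secret-key

  secret_id     = each.value.id
  secret_string = var.secret-key-values[each.key]
}

# Expose only non-sensitive identifiers to the caller, never the values.
output "secret_arns" {
  value = { for k, s in aws_secretsmanager_secret.secret-key : k => s.arn }
}
```

A caller passes the map through its own `sensitive = true` root variable (populated from a .tfvars file kept out of version control), which keeps the values redacted end to end while the plan still shows which secret name each action applies to.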

Thanks. I used this as a workaround to solve it.