Is it possible to mark an attribute of an object as sensitive?

The documentation about foreach and friends includes this bit:

For example, if you would like to call keys(local.map), where local.map is an object with sensitive values (but non-sensitive keys), you can create a value to pass to for_each with toset([for k,v in local.map : k]).

I know how to mark a value in e.g. a locals definition so that it is sensitive, e.g.

  buckets = {
    "blort" : {
      bucket_name = "bloop"
      password    = sensitive("private")
...

I’d like to force that field to be treated as private. I can use sensitive = true to make the entire variable definition private, but I can’t figure out how to mark an individual attribute.

Is it possible? If so, how?

Thanks!

Hi @hartzell,

Unfortunately sensitivity is a property of values, not of types. The sensitive = true on variables is effectively a shorthand for automatically passing the value through sensitive on the way in, but if you want to do something more detailed than this then you'll need to write it out explicitly as an expression, perhaps in a local value.

locals {
  buckets = {
    bucket_name = var.buckets.bucket_name
    # Only the password is wrapped; bucket_name stays a plain value.
    password    = sensitive(var.buckets.password)
  }
}

…and then use local.buckets instead of var.buckets everywhere else. Of course, this is not ideal because it would be pretty easy to forget to use local.buckets instead of var.buckets somewhere and accidentally get the non-sensitive one, and so in this case I might be inclined to invert this and make it start off wholly sensitive:

variable "buckets" {
  type      = object({ ... })
  sensitive = true
}

locals {
  buckets = {
    for k, v in nonsensitive(var.buckets) :
    k => (k == "password" ? sensitive(v) : v)
  }
}

This way there will be no copy of the password value accessible inside this module that isn't marked as sensitive, and if you accidentally use var.buckets to refer to one of the other attributes then it'll "fail closed" and make it more sensitive than it needed to be, rather than less sensitive.

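The fail-closed pattern from the reply above, carried through to a complete root module, as an added example that is not code from either participant. It takes the nested shape from the question (a map keyed by bucket name, each entry holding bucket_name and password), so the re-marking happens one level down inside a nested for expression. The "blort"/"bloop"/"private" values come from the question; "zap", "zip" and "hunter2" are constructed sample data. The terraform_data resource, the check block and issensitive() are assumed to be available (they need Terraform 1.4, 1.5 and 1.8 respectively); the required_version is an assumption made for that reason.

```hcl
terraform {
  # Assumption: a current 1.x release. terraform_data needs 1.4+,
  # check blocks 1.5+, issensitive() 1.8+.
  required_version = ">= 1.8"
}

# Step 1: accept the whole map as sensitive so nothing leaks on the way in.
variable "buckets" {
  type = map(object({
    bucket_name = string
    password    = string
  }))
  sensitive = true

  # Constructed sample input for this example; normally supplied via a
  # tfvars file or TF_VAR_buckets rather than a default.
  default = {
    blort = { bucket_name = "bloop", password = "private" }
    zap   = { bucket_name = "zip", password = "hunter2" }
  }
}

locals {
  # Step 2: unwrap once, then re-mark only the password of each entry.
  # A for expression (unlike a function call) does not propagate the
  # sensitivity of its input to its result, so the keys and bucket_name
  # come out plain while each password is explicitly marked again.
  buckets = {
    for name, b in nonsensitive(var.buckets) :
    name => {
      bucket_name = b.bucket_name
      password    = sensitive(b.password)
    }
  }

  # Step 3: derive for_each keys with a for expression, as the docs
  # quoted in the question suggest. keys(local.buckets) would instead be
  # marked sensitive (functions propagate nested sensitivity) and
  # Terraform would reject it as a for_each argument.
  bucket_names = toset([for name, b in local.buckets : name])
}

# Fail-closed guard: refuse to proceed if the re-marking ever drifts,
# e.g. someone later edits local.buckets and drops the sensitive() call.
check "password_sensitivity" {
  assert {
    condition = alltrue([
      for b in local.buckets : issensitive(b.password) && !issensitive(b.bucket_name)
    ])
    error_message = "Each bucket password must be sensitive and each bucket_name must not be."
  }
}

# Built-in resource, so no provider download is needed; it stands in for
# a real bucket resource that would take the same arguments.
resource "terraform_data" "bucket" {
  for_each = local.bucket_names

  input = {
    bucket_name = local.buckets[each.key].bucket_name
    password    = local.buckets[each.key].password # shown as (sensitive value) in the plan
  }
}

output "bucket_names" {
  value = local.bucket_names # plain: printed in full after apply
}

output "bucket_passwords" {
  # Terraform refuses to plan unless an output that carries a sensitive
  # value is itself marked sensitive.
  value     = { for name, b in local.buckets : name => b.password }
  sensitive = true
}
```

Running terraform init and terraform plan against this module shows the two instance keys "blort" and "zap" in full and the password argument as (sensitive value); deleting the sensitive() wrapper in local.buckets makes the check block fail at plan time, which is the point of keeping the guard next to the re-marking code.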

Thanks! That makes sense. I am, in fact, setting buckets in my original example in a local block, just didn’t include the extra lines, oops/sigh.

I understand what you’ve done in your fail-closed example. Is that something that people/projects do in the real world, or do they just live with the fail-open scenario?

Ah, and now as I re-read your response, I see that you have an extra layer in there, building the local up from the var. That’s a layer more than I have in my work in progress.

Thanks!

This feature of tracking sensitivity of values dynamically through configuration is still relatively new, so I think it’s fair to say that I’ve not yet seen sufficient examples to comment on what people do “in the real world” :smiley: … part of what I get out of participating in these discussions is learning about what folks are trying and what patterns are working and not working and so I’d be curious to hear about what you decide to do in the end, and why!

Hi @apparentlymart,

My apologies for not following up. I ended up getting pulled off the Infra As Codification of our things project and never put these bits into production.

It's back on the table these days, and as I asked another question (defining hierarchical resource structures from local map variables) I noticed that I hadn't had the grace to follow up here.

This will probably come to the surface again and I’ll keep it in mind.

Thanks!