Sensitive variable inside a nested block, treats the entire block as sensitive

Hi community, we have a question regarding something that is happening to us. We have some sensitive variables, declared as sensitive in a variables.tf file, and we use them inside a block in Terraform. The variables are not being exposed, but the logs are not showing the other non-sensitive variables inside that block either.
Does anyone know if there is an alternative that prevents the sensitive variables inside a block from being exposed while still allowing us to see the others in the logs?
Thanks in advance! 🙂

Hi @julietacorvi2611,

Without knowing more specifics about your situation it’s hard to offer any concrete suggestions, but I can at least talk a little about how Terraform tracks sensitive values and that might give some ideas on how to use this mechanism in a way that suits your needs.

The Terraform language tracks sensitivity typically by assuming that if any of the inputs to an operation are sensitive then the result must also be sensitive. For example, if we add a sensitive number to a non-sensitive number then the result will be a sensitive number, to avoid disclosing by implication what the original number was.

When working with complex types such as lists or objects, the Terraform language aims to track sensitivity as precisely as possible while also trying to avoid this kind of disclosure by implication.

This situation is particularly tricky for two specific situations: values of set types and the keys in map types. In both cases there is a uniqueness requirement so if two equal values are used together in the same collection they will be coalesced together into a single element. That means that the length of the resulting collection could disclose the input by implication and so Terraform in these cases just treats the entire collection as sensitive, since that is the only safe way to track that situation.

I suspect that what’s happening in your case is that the provider developer has declared in their schema that one of the nested block types should be treated as a set of objects, and so the special treatment of set values is happening when you assign a sensitive value into one of the arguments in that block. Terraform can’t guarantee that the sensitive value won’t sometimes coalesce with another element in the set and so it will conservatively treat the entire set as sensitive, and therefore make all attributes inside all blocks of that type be sensitive.

If that is what is happening here then I think unfortunately the options for disclosing more information are limited. Terraform itself fully controls the marking of provider results as sensitive based on the sensitivity of the inputs, and so there is no direct control over this from a module author perspective other than to treat the original value as non-sensitive.

However, one possible way to still see the non-sensitive attributes that are interesting for plan review is to export them as output values and then you’ll be able to see them in the “changes to outputs” section of the plan description. As long as you only export non-sensitive values in that output value Terraform will allow treating the entire output value as non-sensitive and so be able to show it onscreen. You can use the nonsensitive function carefully in your output value expression to “un-mark” the values that were over-zealously treated as sensitive by Terraform’s built-in analysis.

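The mechanism described in the reply above, as an added example that is not part of the original thread: since the provider schema in question isn't known, it uses a plain `toset()` of objects (which Terraform marks sensitive as a whole once any element carries a sensitive value) and then exposes only the non-sensitive attributes through an output with `nonsensitive`. The variable and local names are assumptions.

```hcl
variable "db_passwords" {
  description = "Per-user passwords (constructed example); the whole map is sensitive."
  type        = map(string)
  sensitive   = true
}

locals {
  # A set of objects. One attribute of each element comes from a sensitive
  # value, and set elements must be unique, so Terraform lifts the sensitive
  # mark onto the entire set: "name" and "role" are hidden in the plan too.
  db_users = toset([
    { name = "app",    role = "readwrite", password = var.db_passwords["app"] },
    { name = "report", role = "readonly",  password = var.db_passwords["report"] },
  ])

  # Build the reviewable view explicitly, selecting only non-sensitive
  # attributes. The for expression still inherits the set's sensitive mark,
  # but none of the elements now contain the secret.
  db_users_public = [
    for u in local.db_users : { name = u.name, role = u.role }
  ]
}

# Without nonsensitive(), Terraform would reject this output unless it were
# declared sensitive = true, in which case the plan shows "(sensitive value)".
output "db_users_public" {
  description = "Non-secret attributes of db_users, for plan review."
  # Safe only because the expression above excludes the password attribute;
  # nonsensitive() on a value that still contains a secret would disclose it.
  value = nonsensitive(local.db_users_public)
}
```

`terraform plan` then lists `name` and `role` for each user under "Changes to Outputs" while the `db_users` set itself remains masked wherever it is consumed.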