Terraform reporting non-sensitive outputs as sensitive in 1.0.2?


I’ve just started doing updates from 0.14 to 1.0 and I’m running into a perplexing issue and I’m uncertain if this is intended. We use q wrapper module for creating github repositories that sets some preferred defaults, etc. and when planning I’m getting output saying pretty much every attribute is being marked sensitive - which makes very little sense.

Looking at the provider source, nothing in the github_repository schema is marked sensitive. Any ideas if I’m doing something wrong?

Hi @dbolack,

A value in Terraform can be sensitive either if it’s marked as sensitive directly itself or if the expression that built it referred to other sensitive values. Terraform’s ability to track sensitive values through expressions improved between v0.14 and v1.0 and so my best guess, without specific examples to refer to, is that those attributes are defined from something else in the configuration that is marked as sensitive, and so the sensitiveness is “infecting” them transitively.

If Terraform’s sensitivity inference is being too conservative in your situation then you can give Terraform additional hints using the nonsensitive function. Of course, you should use that function sparingly to avoid inadvertently exposing something that is sensitive: the intended use of it, as illustrated in some of the doc examples, is when a complex value is inferred sensitive as a whole but you know that only parts of that structure are sensitive in practice.

This should have occurred to me sooner - part of our wrapper uses vault so project leads can alter some of the variables in the various things the wrapper sets up.

So. Yeah. :slight_smile: Thanks. :slight_smile: