Terraform reporting non-sensitive outputs as sensitive in 1.0.2?

Howdy!

I’ve just started doing updates from 0.14 to 1.0 and I’m running into a perplexing issue and I’m uncertain if this is intended. We use a wrapper module for creating github repositories that sets some preferred defaults, etc. and when planning I’m getting output saying pretty much every attribute is being marked sensitive - which makes very little sense.

Looking at the provider source, nothing in the github_repository schema is marked sensitive. Any ideas if I’m doing something wrong?

Hi @dbolack,

A value in Terraform can be sensitive either if it’s marked as sensitive directly itself or if the expression that built it referred to other sensitive values. Terraform’s ability to track sensitive values through expressions improved between v0.14 and v1.0 and so my best guess, without specific examples to refer to, is that those attributes are defined from something else in the configuration that is marked as sensitive, and so the sensitiveness is “infecting” them transitively.

If Terraform’s sensitivity inference is being too conservative in your situation then you can give Terraform additional hints using the nonsensitive function. Of course, you should use that function sparingly to avoid inadvertently exposing something that is sensitive: the intended use of it, as illustrated in some of the doc examples, is when a complex value is inferred sensitive as a whole but you know that only parts of that structure are sensitive in practice.
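
The transitive marking and the narrow use of nonsensitive described above, as an added example that is not part of the original thread or of anyone's real configuration. The variable, local and output names and the sample values are constructed, and a sensitive variable stands in for a value read from a secrets store such as Vault.

```hcl
terraform {
  required_version = ">= 0.15.0" # nonsensitive() is available from v0.15
}

# Assumption: stands in for settings fetched from a secrets store.
# The whole object is marked sensitive, although only deploy_token is secret.
variable "project_settings" {
  type = object({
    description  = string
    topics       = list(string)
    deploy_token = string
  })
  sensitive = true
  default = {
    description  = "constructed sample description"
    topics       = ["constructed", "sample"]
    deploy_token = "constructed-sample-token"
  }
}

locals {
  # Anything derived from the sensitive object inherits the mark, so a
  # resource argument set from this local shows as sensitive in the plan.
  repo_description = "${var.project_settings.description} (managed by Terraform)"
}

# Without nonsensitive() (or sensitive = true) a root module output like this
# fails with "Error: Output refers to sensitive values".
output "repo_description" {
  value = nonsensitive(local.repo_description)
}

# Unwrap only the attribute known to be public, never the whole object.
output "repo_topics" {
  value = nonsensitive(var.project_settings.topics)
}

# The real secret keeps its mark and is declared as a sensitive output.
output "deploy_token" {
  value     = var.project_settings.deploy_token
  sensitive = true
}
```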

This should have occurred to me sooner - part of our wrapper uses vault so project leads can alter some of the variables in the various things the wrapper sets up.

So. Yeah. :slight_smile: Thanks. :slight_smile:

I encountered the same error with a GitHub-triggered TF Cloud Workspace.

Error: Output refers to sensitive values

I couldn’t determine how the value became “infected” with the sensitive label. It’s certainly not a secret, just a domain name. The error refers to an output of the root module. The value is from an output of a module that’s used in the same root module, but the value is never marked sensitive in any module.

I’m seeing several recurrences of the same sensitive value error in the same root module. I’m able to work around most of them with the nonsensitive() function wrapping the root module output values. However, one of the values that is marked sensitive for an unknown reason is not a string value, and so I cannot use nonsensitive() to work around that one.