Tf 1.7.5 test : The value for variable could not be serialized to store in the plan: value has marks, so it cannot be serialized

Hello,

I’m fighting with my Terraform test code without any success in making it working, despite my reading of Using sensitive values in subsequent run blocks of terraform test not possible: value has marks · Issue #34185 · hashicorp/terraform · GitHub so requesting your kind help.
I don’t manage to pass a secret from a run block to another (2 different modules) in Terraform test

Basically my context is as follow (simplified):
Terraform v1.7.5 on windows_amd64

serviceprincipal/main.tf

variable "owners" {
  type = list(string)
}

variable "secret_keys" {
  type = list(string)
}

resource "azuread_application" "app_registration" {
  display_name     = "myapp"
  identifier_uris  = ["http://${local.name}.example.com"]
  owners           = [ var.owners ]
  sign_in_audience = "AzureADMyOrg"
}

resource "azuread_application_password" "app_secret" {
  for_each = toset(var.secret_keys)

  application_id = azuread_application.app_registration.id
  display_name   = each.key
}

output "app_secret_by_key" {
  value       = azuread_application_password.app_secret
  sensitive   = true
}

testedmodule/main.tf

variable "service_principal" {
  type = object({
    app_secret = object({
      key_id = string
      value  = string # This is the sensitive data
    })
  })
  sensitive = true
}
# ...

testedmodule/tests/unit.tftest.hcl

run "setup_serviceprincipal" {
  command = apply

  variables {
    owners = [
      # Useless stuff...
    ]
    secret_purposes = [ "mysecret" ]
  }

  module {
    source = "../serviceprincipal"
  }
}

run "testedmodule" {
  command = apply

  variables {
    service_principal = {
      app_secret = run.setup_serviceprincipal.app_secret_by_key[ "mysecret" ]
    }
  }

  # assert {...  

When I run the “terraform init” then “terraform test”, it gives me:

$ terraform test
tests\unit.tftest.hcl... in progress
  run "setup_serviceprincipal"... pass
  run "testedmodule"... fail
╷
│ Error: Failed to prepare variable value for plan
│
│ The value for variable "service_principal" could not be serialized to store in the plan: value has marks, so it cannot be
│ serialized.

Am I doing something wrong :confused:?

Note: If I’m changing the app_secret = run.setup_serviceprincipal.app_secret_by_key[ "mysecret" ] part to an hardcoded value, it works

Hi @sebastien.latre,

This error message suggests a bug in Terraform, because it’s failing trying to do something that should not need to happen: serializing a value that’s marked as “sensitive”. Terraform is supposed to extract those markings and store them in a separate way, because the internal format for saving values cannot represent sensitive values directly.

Would you mind reporting this as a bug in the main Terraform GitHub repository? That way the Terraform Core team are more likely to find it and can hopefully suggest a workaround and also fix this for a future Terraform version.

Hello @apparentlymart, thanks for your quick feedback!

I have opened the issue Tf 1.7 test : The value for variable could not be serialized to store in the plan: value has marks, so it cannot be serialized · Issue #35011 · hashicorp/terraform · GitHub.