Why is MapNestedAttribute keys showing as `sensitive_values` in state?

:wave:

I’m using the new Framework Plugin and I’ve noticed that a MapNestedAttribute is showing as hidden elements when executing terraform show.

Here is my schema:

```go
"domains": schema.MapNestedAttribute{
	MarkdownDescription: "...",
	Required:            true,
	NestedObject: schema.NestedAttributeObject{
		Attributes: map[string]schema.Attribute{
			"name": schema.StringAttribute{
				MarkdownDescription: "...",
				Required:            true,
			},
			"comment": schema.StringAttribute{
				MarkdownDescription: "...",
				Optional:            true,
			},
		},
	},
},
```

It wasn’t until I marshalled that data into json that it revealed they were marked as ‘sensitive’ data. It’s unclear why though.

```
terraform show -json | jq '.values.root_module.resources' | jq '.[0].sensitive_values'
{
  "domains": {
    "example-1": {},
    "example-2": {}
  }
}
```

Can anyone explain this?

Thanks!

Hi @Integralist :wave:

Thank you for raising this.
I am able to reproduce the issue you describe.

I am unable to explain this and have raised the issue as a potential bug on the Terraform core repository - MapNestedAttribute appearing as sensitive_values in state.

(Copying my reply to the linked GitHub issue…)

This doesn’t represent a bug in Terraform functionality, but I can see that it’s confusing. The JSON plan output for sensitive_values is not very clearly documented.

```json
{
  "domains": {
    "example-1": {},
    "example-2": {}
  }
}
```

This output means that nothing in the associated value is sensitive, as there are no instances of true anywhere in this structure. For a value to be considered sensitive, there must be a corresponding true value at the appropriate location.

While Terraform could prune this output, the current implementation does not, and all of our tools which consume this format handle it correctly.
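The rule in the reply above (a location is sensitive only where the structure holds a literal `true`) can be checked mechanically. The following is an added example, not part of the thread or of Terraform's code: it walks a `sensitive_values` object and returns jq-style paths of every `true`. The function names and the second input are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed inputs: the first is the output quoted in the thread, the second
// is a made-up variant in which one nested "comment" is marked sensitive.
const pageOutput = `{"domains":{"example-1":{},"example-2":{}}}`
const constructedSensitive = `{"domains":{"example-1":{"comment":true},"example-2":{}}}`

// walk records the path of every location holding the literal boolean true.
// Empty objects and empty lists contribute nothing.
func walk(node any, path string, out *[]string) {
	switch v := node.(type) {
	case bool:
		if v {
			*out = append(*out, path)
		}
	case map[string]any:
		for k, child := range v {
			walk(child, path+"."+k, out)
		}
	case []any:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// SensitivePaths parses one sensitive_values object and lists its true markers.
func SensitivePaths(raw string) ([]string, error) {
	var tree any
	if err := json.Unmarshal([]byte(raw), &tree); err != nil {
		return nil, err
	}
	paths := []string{}
	walk(tree, "", &paths)
	sort.Strings(paths) // map iteration order is random; sort for stable output
	return paths, nil
}

func main() {
	for _, in := range []string{pageOutput, constructedSensitive} {
		paths, err := SensitivePaths(in)
		fmt.Println(len(paths), paths, err)
	}
}
```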