Debug information in error when for_each contains values derived from sensitive values #32828

Open
michaelruigrok opened this issue Mar 13, 2023 · 2 comments
Labels
enhancement new new issue not yet triaged

@michaelruigrok

Terraform Version

Terraform v1.4.0
on linux_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.15.0
+ provider registry.terraform.io/hashicorp/random v3.4.3

Use Cases

Useful when trying to resolve the error "Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key."

Attempted Solutions

I've had to manually follow the chain of variable usage between modules to find the initial module where the value was set to sensitive.

Proposal

The error message should include the output where data was initially marked as sensitive.

A trace of each variable/location between the source and the for_each may also be useful, but risks clogging up the error with too much irrelevant information, especially if the for_each is derived from multiple sensitive outputs.

References

Any issues about handling of sensitive data would relate to this one, especially if dealing with data derived from sensitive values.

The operation of nonsensitive() has particular weight here -- see #31693.

Current documentation on this error: https://support.hashicorp.com/hc/en-us/articles/4538432032787-Variable-has-a-sensitive-value-and-cannot-be-used-as-for-each-arguments

@michaelruigrok michaelruigrok added enhancement new new issue not yet triaged labels Mar 13, 2023
@crw
Contributor

crw commented Mar 13, 2023

Thanks for this report!

@maxhillaert

maxhillaert commented Mar 14, 2023

Hi, we really could use this.

I use a deep and fat module that encapsulates a complicated azurerm_mssql_server setup with half a dozen azurerm resources involved, let's call it "company-azuresql" module, and somehow a for_each on a module in my code is throwing the above error. It's really hard to find out what is causing it.

module "omps-app-ado" {
  source   = "../app-ado"
  for_each = { for a in var.apps : a.display_name => a } # the for_each that throws the error
  # ... remaining arguments not shown in the original comment
}

In 'a' there is a bag of variables and data to build Azure DevOps pipelines. Within that bag of variables there are some values sourced from a complex object I take from an output of "company-azuresql" in the root module of my Terraform project.

I know it's involving this complex object that I derive from this "company-azuresql" module, because if I remove the values from the 'a', it works.

I have tried to make every single value nonsensitive but get the redundant error. I have stuck the whole bag in an output to display, but there are no sensitive values. I have scoured through the 'company-azuresql' module code looking for sensitive, but there are none.

Something somehow is adding "sensitive" in the dependency graph and for_each picks it up. I had initially worked around it with a complicated separating of a hardcoded keyset and a lookup, but then I hit a similar issue inside my own module where I have a dynamic block for_each which I could not work around. (see #29744)

I can't really use count because this would mean unacceptable re-creates of resources and the point of the work I'm doing is removing 50 copy/pasted resources by using a for_each.

I'm now ready to go through the azurerm repo to see if they add some baked-in "sensitive" value somewhere in the dozen resource types that are involved, but some kind of way to debug this would be very helpful when dealing with big dependency graphs.

I wonder if a "terraform plan --trace-sensitive" or something would work
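
One way to check the provider side of this, as an added example that is not part of the thread or of Terraform's own code: provider schemas flag some attributes as sensitive, and values read from those attributes carry the marking even when no module declares `sensitive = true`. The script below lists the flagged attributes from `terraform providers schema -json` output; the sample schema and every name in it are constructed.

```python
import json
import sys
# Constructed sample shaped like `terraform providers schema -json` output; all names are made up.
SAMPLE_SCHEMA = {"provider_schemas": {"registry.example.com/acme/example": {
    "resource_schemas": {
        "example_sql_server": {"block": {
            "attributes": {
                "name": {"type": "string", "required": True},
                "admin_password": {"type": "string", "sensitive": True},
            },
            "block_types": {"identity": {"nesting_mode": "list", "block": {
                "attributes": {"client_secret": {"type": "string", "sensitive": True}},
            }}},
        }},
        "example_network": {"block": {"attributes": {"cidr": {"type": "string"}}}},
    },
    "data_source_schemas": {"example_sql_server": {"block": {
        "attributes": {"connection_string": {"type": "string", "sensitive": True}},
    }}},
}}}

def sensitive_paths(block, prefix=""):
    """Yield dotted paths of every attribute the schema flags as sensitive."""
    for name, attr in block.get("attributes", {}).items():
        if attr.get("sensitive"):
            yield prefix + name
        if "nested_type" in attr:  # nested attributes carry their own attribute map
            yield from sensitive_paths(attr["nested_type"], f"{prefix}{name}.")
    for name, nested in block.get("block_types", {}).items():
        yield from sensitive_paths(nested.get("block", {}), f"{prefix}{name}.")

def sensitive_by_type(schema):
    """Map each resource or data source type to its sensitive attribute paths."""
    found = {}
    for provider in schema.get("provider_schemas", {}).values():
        for section, tag in (("resource_schemas", ""), ("data_source_schemas", "data.")):
            for rtype, rschema in provider.get(section, {}).items():
                paths = sorted(sensitive_paths(rschema.get("block", {})))
                if paths:
                    found[tag + rtype] = paths
    return found

if __name__ == "__main__":
    schema = SAMPLE_SCHEMA
    if len(sys.argv) > 1:  # path to a file saved from `terraform providers schema -json`
        with open(sys.argv[1]) as fh:
            schema = json.load(fh)
    for rtype, paths in sorted(sensitive_by_type(schema).items()):
        print(f"{rtype}: {', '.join(paths)}")
```

Save the real schema with `terraform providers schema -json > schema.json` and pass the file path as the first argument. The listing covers only provider-declared sensitivity, not values marked by `sensitive = true` on variables or outputs or by the `sensitive()` function.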
