Test whether a value is sensitive #34572

Closed
linyinfeng opened this issue Jan 25, 2024 · 3 comments · Fixed by #34619 or #34658
linyinfeng commented Jan 25, 2024

Terraform Version

Terraform v1.7.0-dev
on linux_amd64

Use Cases

I have some submodules hosts.HOSTNAME, and want to extract all non-sensitive values from the outputs of these submodules to a non-sensitive output of my root module, as in the following pseudocode.

output "hosts_non_sensitive" {
  value = {
    for host, outputs in module.hosts :
    host => {
      for name, output in outputs :
      name => output if !issensitive(output)
    }
  }
  sensitive = false
}

I need this hosts_non_sensitive because I want to use terraform output and jq to extract all non-sensitive values from outputs and use them in my NixOS configuration. I use a jq program like this to extract non-sensitive outputs:

with_entries(
    select(
        .value.sensitive == false
    ) |
    .value |= .value
)

Attempted Solutions

Before Terraform 1.7.0, I used can(nonsensitive(output)) to test whether a value is sensitive, and it worked perfectly. This solution no longer works after Terraform 1.7.0 with #33856.

https://github.com/linyinfeng/dotfiles/blob/2ebd6bf740390229f35afed3711f11e6268ccb7f/terraform/hosts.tf#L200-L209

output "hosts_non_sensitive" {
  value = {
    for host, outputs in module.hosts :
    host => {
      for name, output in outputs :
      name => output if !can(nonsensitive(output))
    }
  }
  sensitive = false
}

After terraform 1.7.0, this no longer works, since after #33856, nonsensitive no longer produces an error when applied to nonsensitive values.

The pull request says:

This PR should not cause breaking behaviours, as it is enabling a behaviour that wasn't allowed before.

This is wrong because whether an expression produces an error is observable in terraform since the language features a can function:

can evaluates the given expression and returns a boolean value indicating whether the expression produced a result without any errors.

Proposal

An issensitive function. issensitive(e) evaluates e, returns true when the value of e is sensitive, otherwise returns false. issensitive(_) should have the same semantics as can(nonsensitive(_)) (before #33856).

Or, a function like redactsensitive or stripsensitive, as proposed in #27812 (comment) and #27812 (comment), which recurses into an object, replacing all sensitive values with null.

References

@linyinfeng linyinfeng added enhancement new new issue not yet triaged labels Jan 25, 2024
linyinfeng added a commit to linyinfeng/dotfiles that referenced this issue Jan 25, 2024
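
The regression described in the issue above, as an added example that is not part of the original post or of Terraform's code: a small Python model showing that the can(nonsensitive(...)) filter silently yields empty maps once nonsensitive stops erroring, while a direct issensitive check restores the result. The Value class, the sample hosts and the names nonsensitive_before and nonsensitive_after are assumptions made for illustration.

```python
"""Toy model of the semantics discussed in this issue; not Terraform's implementation."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Value:
    raw: Any
    sensitive: bool = False  # stands in for Terraform's sensitive mark


def nonsensitive_before(v: Value) -> Value:
    """Behaviour the issue describes before #33856: error on unmarked input."""
    if not v.sensitive:
        raise ValueError("value is not sensitive")
    return Value(v.raw)


def nonsensitive_after(v: Value) -> Value:
    """Behaviour after #33856: unmarked input passes through without error."""
    return Value(v.raw)


def can(expr: Callable[[], Any]) -> bool:
    """Like Terraform's can(): true when the expression evaluates without error."""
    try:
        expr()
        return True
    except Exception:
        return False


def issensitive(v: Value) -> bool:
    """The proposed function: report the mark directly, independent of errors."""
    return v.sensitive


def hosts_non_sensitive(hosts, is_sensitive):
    """Mirror of the output block: keep outputs the predicate calls non-sensitive."""
    return {host: {name: out.raw for name, out in outputs.items() if not is_sensitive(out)}
            for host, outputs in hosts.items()}


# Constructed sample data standing in for module.hosts.
HOSTS = {"web1": {"ipv4": Value("192.0.2.10"), "root_password": Value("example-pw", sensitive=True)},
         "db1": {"ipv4": Value("192.0.2.20"), "api_token": Value("example-token", sensitive=True)}}

before = hosts_non_sensitive(HOSTS, lambda v: can(lambda: nonsensitive_before(v)))
after = hosts_non_sensitive(HOSTS, lambda v: can(lambda: nonsensitive_after(v)))
fixed = hosts_non_sensitive(HOSTS, issensitive)
```

In this model the old filter fails closed after the change: every host maps to an empty object and no error is raised, so the breakage only shows up downstream in whatever consumes the output.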

crw commented Jan 25, 2024

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!

DanielMSchmidt added a commit to DanielMSchmidt/terraform that referenced this issue Feb 5, 2024
This function can be used to check if a value is marked as
sensitive or not within terraform.

Closes hashicorp#34572
@awilkins

Hi there! @DanielMSchmidt

Sadly this branch breaks the ability to check out the source tree on Windows because the doc path has a space at the end.

PS C:\Users\dr_ba\src\terraform> git checkout main
error: invalid path 'website/docs/language/functions/issensitive.mdx '


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 11, 2024