for_each rejects secrets as map values #28638

Closed
piotr-jagiello opened this issue May 7, 2021 · 4 comments · Fixed by #28644
Labels: bug; confirmed (a Terraform Core team member has reproduced this issue); explained (a Terraform Core team member has described the root cause of this issue in code); v0.15 (issues, primarily bugs, reported against v0.15 releases)

Comments

@piotr-jagiello

Propagation of "sensitive" property is sometimes overzealous, so resources can't be constructed with for_each from a map that has sensitive values, but not sensitive keys.

Terraform Version

Terraform v0.15.3
on linux_amd64

Terraform Configuration Files

locals {
    global_secrets = {
        password = sensitive("aaaaaa")
    }
    service_specific_secrets = {
        unrelated_service = {
            unrelated_password = sensitive("bbbbb")
        }
    }

    service_a_secrets = merge(local.global_secrets, lookup(local.service_specific_secrets, "service_a", {}))
}

resource "null_resource" "service_a_secrets" {
    for_each = local.service_a_secrets
    provisioner "local-exec" {
        command = "echo '${each.key}: saving the secret safely'"
    }
}

Expected Behavior

Terraform should create the resource.

Actual Behavior

It throws an error:

│ Error: Invalid for_each argument
│ 
│   on test.tf line 15, in resource "null_resource" "service_a_secrets":
│   15:     for_each = local.service_a_secrets
│     ├────────────────
│     │ local.service_a_secrets has a sensitive value
│ 
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.
╵

Steps to Reproduce

  1. terraform init
  2. terraform apply

References

similar to #28426

piotr-jagiello added the bug and new (new issue not yet triaged) labels May 7, 2021

@piotr-jagiello (Author)

@alisdair

alisdair added the confirmed (a Terraform Core team member has reproduced this issue) and v0.15 (issues, primarily bugs, reported against v0.15 releases) labels and removed the new (new issue not yet triaged) label May 7, 2021
alisdair self-assigned this May 7, 2021

alisdair commented May 7, 2021

Copying my note from the linked issue:

In this case the problem is the lookup function, which was fixed in cty to fully support sensitivity marks in zclconf/go-cty#98, but I didn't notice that Terraform has its own implementation of lookup. We need to make the same improvements here.
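To make the root cause above concrete, here is an added Go sketch; it is not Terraform's or go-cty's code. It models a sensitivity mark as one flag per value and walks the issue's locals through lookup, merge and the for_each check, with a `coarse` switch for a lookup that re-applies element marks to its result versus one that leaves them in place. The mark rules and the flattening of the nested service map to one level are assumptions of this model.

```go
package main
import "errors"

// Value is an added toy model of a cty value (not go-cty's own): a string or a map, plus a "sensitive" mark on the whole value.
type Value struct {
	Str       string
	Map       map[string]Value
	Sensitive bool
}
func sensitive(s string) Value       { return Value{Str: s, Sensitive: true} }
func mapOf(m map[string]Value) Value { return Value{Map: m} }

// lookup returns m[key], or def when the key is absent. coarse=true models the reported
// bug: marks found on m's elements are re-applied to the result, so even the empty default
// comes back sensitive as a whole. coarse=false models the fix: only m's own mark carries over.
func lookup(m Value, key string, def Value, coarse bool) Value {
	res, ok := m.Map[key]
	if !ok {
		res = def
	}
	res.Sensitive = res.Sensitive || m.Sensitive
	for _, e := range m.Map {
		res.Sensitive = res.Sensitive || (coarse && e.Sensitive)
	}
	return res
}
// merge combines maps left to right; a map that is sensitive as a whole makes the
// result sensitive as a whole, while marks on individual elements just ride along.
func merge(maps ...Value) Value {
	out := mapOf(map[string]Value{})
	for _, m := range maps {
		out.Sensitive = out.Sensitive || m.Sensitive
		for k, v := range m.Map {
			out.Map[k] = v
		}
	}
	return out
}
// forEachKeys mirrors Terraform's rule: a collection that is sensitive as a whole
// is rejected because its keys become instance addresses in state and CLI output.
func forEachKeys(v Value) ([]string, error) {
	if v.Sensitive {
		return nil, errors.New("Invalid for_each argument: value has a sensitive value")
	}
	var keys []string
	for k := range v.Map {
		keys = append(keys, k)
	}
	return keys, nil
}
```

With `coarse=true` the merged map is rejected exactly as in the report, while with `coarse=false` the key `password` is usable and its value keeps the mark.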

alisdair added the explained (a Terraform Core team member has described the root cause of this issue in code) label May 7, 2021

alisdair commented May 7, 2021

Thanks again for reporting this, @piotr-jagiello! The linked PR #28644 fixes this:

$ tf apply -auto-approve
null_resource.service_a_secrets["password"]: Creating...
null_resource.service_a_secrets["password"]: Provisioning with 'local-exec'...
null_resource.service_a_secrets["password"] (local-exec): Executing: ["/bin/sh" "-c" "echo 'password: saving the secret safely'"]
null_resource.service_a_secrets["password"] (local-exec): password: saving the secret safely
null_resource.service_a_secrets["password"]: Creation complete after 0s [id=4410171153199759786]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.


github-actions bot commented Jun 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2021