0

Terraform version: "1.2.9"

Terraform fails with an invalid value error when an input variable of type list(object({})) marked as sensitive = true is passed to a dynamic block with for_each. The error is not seen when the input variable is marked as non-sensitive.

Input variable looks like below:

variable "sample_variable" {
  type = list(object({
    name = string
    description = optional(string)
    secure = optional(bool)
    type = string
    use_default = optional(bool)
    value = string
  }))
  sensitive   = true
  description = "A list of objects with sensitive values."
  default     = []
}

And is consumed in a resource dynamic block with a for_each as shown below:

resource "ibm_cloud_sample_resource" "my_resource" {
  name                     = var.name
  description              = var.description
  template_env_settings    = local.env_values
  tags                     = var.tags
  dynamic "template_inputs" {
    for_each = var.sample_variable
    content {
      name        = template_inputs.value.name
      description = template_inputs.value.description
      type        = template_inputs.value.type
      value       = template_inputs.value.value
      secure      = template_inputs.value.secure
      use_default = template_inputs.value.use_default
    }
  }
}

Error:

╷
│ Error: Invalid dynamic for_each value
│
│   on main.tf line 50, in resource "ibm_cloud_sample_resource" "my_resource":
│   50:     for_each = var.sample_variable
│     ├────────────────
│     │ var.sample_variable has a sensitive value
│
│ Cannot use a list of object value in for_each. An iterable collection is required.

Sample value from terraform.tfvars file:

sample_variable = [
  {
    name   = "api_key"
    type   = "string"
    value  = "<sensitive_api_key_value>"
    secure = true
  },
  {
    name  = "other_variable"
    type  = "string"
    value = "test_value_and_might_be_sensitive"
  }
]
  • What is the actual value of `var.sample_variable` that you have? Or are you using the default value of `[]`? – Marcin Jan 23 '23 at 07:28
  • @Marcin The variable value passed from my `terraform.tfvars` looks something like below: ``` sample_variable = [ { name = "api_key", type = "string" value = "" secure = true }, { name = "other_variable", type = "string" value = "test_value_and_might_be_sensitive" } ] ``` – Somnath Pathak Jan 23 '23 at 07:29
  • Please update the question with properly formatted new code. – Marcin Jan 23 '23 at 07:34
  • @Marcin Could you please guide what needs to be updated in the question as I have added the brief information about the input variable definition from the `variables.tf` and its usage in my `main.tf` already. I have also added the sample value in the above answer. – Somnath Pathak Jan 23 '23 at 07:38
  • Please add `sample_variable = [ { name = "api_key", type = "string" value = "" secure = true }, { name = "other_variable", type = "string" value = "test_value_and_might_be_sensitive" } ]` to the question, not to the comments. – Marcin Jan 23 '23 at 07:39
  • @Marcin Thank you. I have added the sample value to the question. – Somnath Pathak Jan 23 '23 at 07:42

2 Answers

3

You can't iterate over sensitive variables in dynamic blocks. The only way to make it work is to use nonsensitive (can be dangerous!):

for_each = nonsensitive(var.sample_variable)

So it's up to you to decide if you really need var.sample_variable to be sensitive or not. If it must be sensitive, you can't dynamically create your blocks and you have to re-architect your TF code to not require such an iteration.

Marcin
  • 1
    Thank you. Yes, it seems we cannot iterate over a sensitive input variable with a `for_each` loop. Also, I could dig up some documentation around the same and have posted it below in my answer. – Somnath Pathak Jan 23 '23 at 08:06
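
One way to re-architect as the answer above suggests, shown as an added example that is not from the original posts: keep the non-secret metadata in a plain variable that drives for_each, and hold the secret strings in a separate sensitive map that is looked up inside content. The variable names sample_inputs and sample_input_values are hypothetical; the resource, block and attribute names are the ones from the question.

```hcl
# Added example. Variable names are hypothetical; resource and block names are the question's.

# Non-secret metadata: acceptable in plan output, so it can drive for_each.
# Same attributes as the question's variable, minus `value`.
variable "sample_inputs" {
  type = list(object({
    name        = string
    description = optional(string)
    secure      = optional(bool)
    type        = string
    use_default = optional(bool)
  }))
  description = "Input definitions without their values."
  default     = []
}

# Secret strings only, keyed by the `name` of the matching entry above.
variable "sample_input_values" {
  type        = map(string)
  sensitive   = true
  description = "Input values, keyed by input name."
  default     = {}
}

resource "ibm_cloud_sample_resource" "my_resource" {
  name                  = var.name
  description           = var.description
  template_env_settings = local.env_values
  tags                  = var.tags

  dynamic "template_inputs" {
    for_each = var.sample_inputs # not sensitive, so iteration is allowed
    content {
      name        = template_inputs.value.name
      description = template_inputs.value.description
      type        = template_inputs.value.type
      secure      = template_inputs.value.secure
      use_default = template_inputs.value.use_default
      # The looked-up value keeps its sensitive marking. A name with no
      # entry in the map fails the plan rather than sending an empty value.
      value = var.sample_input_values[template_inputs.value.name]
    }
  }
}
```

Only the names, types and flags are disclosed in plan output; each value stays redacted. The sensitive marking affects CLI and UI output only, so the values are still stored in plain text in the state file.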
1

As per the Terraform documentation for limitations of for_each loop, it seems we cannot iterate over sensitive input variables.

Sensitive values, such as sensitive input variables, sensitive outputs, or sensitive resource attributes, cannot be used as arguments to for_each. The value used in for_each is used to identify the resource instance and will always be disclosed in UI output, which is why sensitive values are not allowed. Attempts to use sensitive values as for_each arguments will result in an error.

This Terraform GitHub issue describes the problem we are encountering with the aforementioned requirement.