Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

🐛 When trying to apply core resources, I'm getting errors due to apparently sensitive values #856

Closed c4milo closed 11 months ago

c4milo commented 11 months ago

Run through Terraform Cloud:

Plan: 15 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/locals.policy_assignments.tf line 89, in data "azurerm_policy_set_definition" "external_lookup":
│   89:   for_each = local.azurerm_policy_set_definition_external_lookup
│     ├────────────────
│     │ local.azurerm_policy_set_definition_external_lookup has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.
╵
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/resources.connectivity.tf line 2, in resource "azurerm_resource_group" "connectivity":
│    2:   for_each = local.azurerm_resource_group_connectivity
│     ├────────────────
│     │ local.azurerm_resource_group_connectivity has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.
╵
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/resources.management.tf line 2, in resource "azurerm_resource_group" "management":
│    2:   for_each = local.azurerm_resource_group_management
│     ├────────────────
│     │ local.azurerm_resource_group_management has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.
╵
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/resources.management_groups.tf line 115, in resource "azurerm_management_group_subscription_association" "enterprise_scale":
│  115:   for_each = local.azurerm_management_group_subscription_association_enterprise_scale
│     ├────────────────
│     │ local.azurerm_management_group_subscription_association_enterprise_scale has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.
╵
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/resources.policy_definitions.tf line 2, in resource "azurerm_policy_definition" "enterprise_scale":
│    2:   for_each = local.azurerm_policy_definition_enterprise_scale
│     ├────────────────
│     │ local.azurerm_policy_definition_enterprise_scale has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.
╵
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/resources.role_definitions.tf line 2, in resource "azurerm_role_definition" "enterprise_scale":
│    2:   for_each = local.azurerm_role_definition_enterprise_scale
│     ├────────────────
│     │ local.azurerm_role_definition_enterprise_scale has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.
╵
╷
│ Error: Invalid for_each argument
│
│   on .terraform/modules/alz/resources.virtual_wan.tf line 2, in resource "azurerm_resource_group" "virtual_wan":
│    2:   for_each = local.azurerm_resource_group_virtual_wan
│     ├────────────────
│     │ local.azurerm_resource_group_virtual_wan has a sensitive value
│
│ Sensitive values, or values derived from sensitive values, cannot be used as for_each arguments. If used, the
│ sensitive value could be exposed as a resource instance key.


Versions

module: 5.0.0
terraform:

❯ terraform version
Terraform v1.6.3
on darwin_arm64
+ provider registry.terraform.io/azure/azapi v1.10.0
+ provider registry.terraform.io/hashicorp/azurerm v3.79.0
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/tfe v0.49.2
+ provider registry.terraform.io/hashicorp/time v0.9.1

I got the same result when testing with v1.3.1.

matt-FFFFFF commented 11 months ago

Hi,

How have you configured variables in TFC?

Are any of them marked as secret?

c4milo commented 11 months ago

Hey @matt-FFFFFF, none of them are tagged as sensitive, and no variables have been set directly from TFC.

# Use variables to customize the deployment
variable "root_id" {
  type        = string
  description = "Sets the value used for generating unique resource naming within the module."
}

variable "root_name" {
  type        = string
  description = "Sets the value used for the \"intermediate root\" management group display name."
  default     = "Redpanda"
}

variable "primary_location" {
  type        = string
  description = "Sets the location for \"primary\" resources to be created in."
  default     = "eastus2"
}

variable "secondary_location" {
  type        = string
  description = "Sets the location for \"secondary\" resources to be created in."
  default     = "eastus"
}

variable "subscription_id_identity" {
  type        = string
  description = "Subscription ID to use for \"identity\" resources."
  default     = ""
}

variable "core_resources_tags" {
  type        = map(string)
  description = "Specify tags to add to \"core\" resources."
}

terraform.auto.tfvars

root_id                  = "redpanda"
root_name                = "Redpanda"
primary_location         = "eastus2"
secondary_location       = "eastus"
subscription_id_identity = "hidden"
core_resources_tags = {
  redpanda-org = "azure-governance"
}

c4milo commented 11 months ago

This is how we are using the module:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.79.0"
    }
  }

  cloud {
    organization = "redpanda-data"

    workspaces {
      name = "corp-infra-azure-core"
    }
  }
}

# Define the provider configuration
provider "azurerm" {
  features {}
  skip_provider_registration = true
}

# Get the current client configuration from the AzureRM provider.
data "azurerm_client_config" "current" {}

module "alz" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "5.0.0"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  # Base module configuration settings
  root_parent_id   = data.azurerm_client_config.current.tenant_id
  root_id          = var.root_id
  root_name        = var.root_name
  library_path     = "${path.module}/lib"
  default_location = var.primary_location
  default_tags     = var.core_resources_tags
  # Enable creation of the core management group hierarchy
  # and additional custom_landing_zones
  deploy_core_landing_zones = true
  custom_landing_zones      = local.custom_landing_zones

  deploy_corp_landing_zones   = false
  deploy_online_landing_zones = false
  deploy_sap_landing_zones    = false
  deploy_demo_landing_zones   = false

  # Configuration settings for identity resources is
  # bundled with core as no resources are actually created
  # for the identity subscription
  deploy_identity_resources    = true
  configure_identity_resources = local.configure_identity_resources
  subscription_id_identity     = var.subscription_id_identity

  # The following inputs ensure that managed parameters are
  # configured correctly for policies relating to connectivity
  # resources created by the connectivity module instance and
  # to map the subscription to the correct management group,
  # but no resources are created by this module instance
  deploy_connectivity_resources    = false
  configure_connectivity_resources = data.tfe_outputs.connectivity.values.configuration
  subscription_id_connectivity     = data.tfe_outputs.connectivity.values.subscription_id

  # The following inputs ensure that managed parameters are
  # configured correctly for policies relating to management
  # resources created by the management module instance and
  # to map the subscription to the correct management group,
  # but no resources are created by this module instance
  deploy_management_resources    = false
  configure_management_resources = data.tfe_outputs.management.values.configuration
  subscription_id_management     = data.tfe_outputs.management.values.subscription_id
}

c4milo commented 11 months ago

Ohh, this is being caused by https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/outputs

[Screenshot attached: 2023-11-09, 2:54 PM]

c4milo commented 11 months ago

I just changed it to use nonsensitive_values and it works! Sorry for the noise!
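The fix the thread lands on, as an added example that is not code from the issue or from the module's own repository: the `tfe_outputs` data source exposes cross-workspace outputs twice, as `values` (the whole map carries Terraform's sensitive mark) and as `nonsensitive_values` (only the outputs the producing workspace did not declare `sensitive = true`, with no mark attached). Anything derived from `values`, including the module's internal `for_each` maps, inherits the mark, and Terraform refuses to use a marked value as a `for_each` key because instance keys are written verbatim into plan output and state. The organization, workspace, `root_id` and `root_name` below are placeholders, and the `configuration` and `subscription_id` outputs are assumed to exist in the connectivity workspace as they do in the thread.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.79.0" }
    tfe     = { source = "hashicorp/tfe" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Read outputs published by the connectivity workspace (names are placeholders).
data "tfe_outputs" "connectivity" {
  organization = "example-org"
  workspace    = "corp-infra-azure-connectivity"
}

module "alz" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "5.0.0"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.current.tenant_id
  root_id        = "example"   # placeholder
  root_name      = "Example"   # placeholder

  deploy_connectivity_resources = false

  # Broken form from the issue: `values` is a sensitive map, so every
  # expression derived from it is sensitive and the module's for_each fails:
  #   configure_connectivity_resources = data.tfe_outputs.connectivity.values.configuration
  #   subscription_id_connectivity     = data.tfe_outputs.connectivity.values.subscription_id

  # Working form: `nonsensitive_values` contains only outputs the producing
  # workspace never marked sensitive, so no mark is inherited downstream.
  configure_connectivity_resources = data.tfe_outputs.connectivity.nonsensitive_values.configuration
  subscription_id_connectivity     = data.tfe_outputs.connectivity.nonsensitive_values.subscription_id
}
```

Two things worth checking when adopting this. First, an output the producing workspace marks `sensitive = true` is absent from `nonsensitive_values`, so a genuinely secret output fails the plan with a missing-attribute error instead of being silently unmasked; that is the safe direction. Second, the `nonsensitive()` function also strips the mark, but it does so for whatever you pass it, so if you reach for it instead, apply it per key (for example `nonsensitive(data.tfe_outputs.connectivity.values.subscription_id)`) and only for a value you have confirmed is not a secret, never to the whole `values` map.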