hashicorp / terraform-provider-helm

Terraform Helm provider
https://www.terraform.io/docs/providers/helm/
Mozilla Public License 2.0

set_sensitive Breaks Manifest Display, Showing a Wall of (sensitive value 46b9dd2b0ba88d13) #1539

Open vidbregar opened 2 days ago

vidbregar commented 2 days ago

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: v1.9.3
Provider version: 2.16.1
Kubernetes version: 1.31.1-gke.1678000

Affected Resource(s)

Terraform Configuration Files

variable "api_keys" {
  type      = list(string)
  sensitive = true
  default   = []
}

variable "gcp_project_name" {
  type    = string
  default = "example"
}

resource "helm_release" "example" {
  name             = "example"
  repository       = "https://helm.github.io/examples"
  chart            = "hello-world"
  namespace        = "example"
  create_namespace = true
  atomic           = true
  wait             = true
  force_update     = false

  set_sensitive {
    name  = "example"
    value = join("\\,", var.api_keys)
  }
}

terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "2.16.1"
    }
  }
}

provider "helm" {
  debug = false
  kubernetes {
    host                   = "https://${data.google_container_cluster.gke.endpoint}"
    token                  = data.google_client_config.provider.access_token
    cluster_ca_certificate = base64decode(data.google_container_cluster.gke.master_auth.0.cluster_ca_certificate)
  }
  experiments {
    manifest = true
  }
}

data "google_container_cluster" "gke" {
  name     = "example"
  project  = var.gcp_project_name
  location = "example"
}

data "google_client_config" "provider" {}

Debug Output

https://gist.github.com/vidbregar/0c80f4c003b585d165829a8ac592657c

Steps to Reproduce

  1. api_keys variable must be set to []
  2. terraform plan

Expected Behavior

Plan should display the manifest.

Actual Behavior

Each character of the displayed manifest is surrounded with (sensitive value 46b9dd2b0ba88d13).


vidbregar commented 2 days ago

Workaround: Replace set_sensitive with:

dynamic "set_sensitive" {
  for_each = nonsensitive(length(var.api_keys)) > 0 ? [1] : []
  content {
    name  = "example"
    value = join("\\,", var.api_keys)
  }
}
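
The report above is consistent with a redaction step that substitutes each set_sensitive value wherever it occurs in the rendered manifest: with api_keys set to [], join() yields an empty string, and an empty search string matches at every character boundary. The Go program below is an added example, not the provider's code; the function names, the mask text and the sample manifest are assumptions, and it goes one step beyond the reported case by also replacing longer secrets first so overlapping values leave no fragment behind.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// mask is a constructed placeholder; the plan output in the report also carries a hash.
const mask = "(sensitive value)"

// redactNaive substitutes every secret as-is. strings.ReplaceAll with an empty
// "old" matches before each rune and at the end of the string, so a single
// empty secret wraps every character of the manifest in the mask.
func redactNaive(manifest string, secrets []string) string {
	out := manifest
	for _, s := range secrets {
		out = strings.ReplaceAll(out, s, mask)
	}
	return out
}

// redactSafe drops empty secrets and replaces the longest ones first, so a
// secret that is a prefix of another cannot expose the remainder.
func redactSafe(manifest string, secrets []string) string {
	nonEmpty := make([]string, 0, len(secrets))
	for _, s := range secrets {
		if s != "" {
			nonEmpty = append(nonEmpty, s)
		}
	}
	sort.Slice(nonEmpty, func(i, j int) bool { return len(nonEmpty[i]) > len(nonEmpty[j]) })
	out := manifest
	for _, s := range nonEmpty {
		out = strings.ReplaceAll(out, s, mask)
	}
	return out
}

func main() {
	// Same expression as the issue: join("\\,", var.api_keys) with api_keys = [].
	secrets := []string{strings.Join([]string{}, "\\,")}
	manifest := "kind: Pod" // constructed sample manifest line
	fmt.Println(redactNaive(manifest, secrets))
	fmt.Println(redactSafe(manifest, secrets))
}
```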