From 425c6bead2bf6c9c12fd828264523b8de3c07d4b Mon Sep 17 00:00:00 2001 From: James Bardin Date: Mon, 20 Mar 2023 13:27:53 -0400 Subject: [PATCH] store non-root sensitive outputs in state Module outputs are evaluated from state, so in order to have detailed information about sensitivity from non-root module outputs, we need to store the value along with all sensitive marks. This aligns with the usage of state being the in-memory store for other temporary values like locals and variables. --- internal/terraform/node_output.go | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/internal/terraform/node_output.go b/internal/terraform/node_output.go index af60c95691..82fe534135 100644 --- a/internal/terraform/node_output.go +++ b/internal/terraform/node_output.go @@ -605,18 +605,13 @@ func (n *NodeApplyableOutput) setValue(state *states.SyncState, changes *plans.C // out here and then we'll save the real unknown value in the planned // changeset, if we have one on this graph walk. log.Printf("[TRACE] setValue: Saving value for %s in state", n.Addr) - sensitive := n.Config.Sensitive - unmarkedVal, valueMarks := val.UnmarkDeep() - // If the evaluated value contains sensitive marks, the output has no - // choice but to declare itself as "sensitive". - for mark := range valueMarks { - if mark == marks.Sensitive { - sensitive = true - break - } + // non-root outputs need to keep sensitive marks for evaluation, but are + // not serialized. + if n.Addr.Module.IsRoot() { + val, _ = val.UnmarkDeep() + val = cty.UnknownAsNull(val) } - stateVal := cty.UnknownAsNull(unmarkedVal) - state.SetOutputValue(n.Addr, stateVal, sensitive) + state.SetOutputValue(n.Addr, val, n.Config.Sensitive) }