Getting "Error: Output refers to sensitive values" like in issue #163
mattdecorniquet opened this issue · 2 comments
TL;DR
Getting "Error: Output refers to sensitive values" like in issue #163 while running terragrunt plan despite no changes since last successful apply.
Expected behavior
I expected to validate the plan output before trying to update module dependencies, provider and terraform to latest versions.
Observed behavior
I received the following error:
╷
│ Error: Output refers to sensitive values
│
│ on outputs.tf line 22:
│ 22: output "instances_details" {
│
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, Terraform requires that any root module
│ output containing sensitive data be explicitly marked as sensitive, to
│ confirm your intent.
│
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│ sensitive = true
Terraform Configuration
instance config:
locals {
env_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
gcp_project = local.env_vars.locals.gcp_project
gcp_region = local.env_vars.locals.gcp_region
}
terraform {
source = "git@github.com:terraform-google-modules/terraform-google-vm.git//modules/compute_instance?ref=v7.7.0"
}
include {
path = find_in_parent_folders()
}
dependencies {
paths = ["../vpc", "../instance-template"]
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "instance-template" {
config_path = "../instance-template"
}
inputs = {
project_id = local.gcp_project
region = local.gcp_region
network = dependency.vpc.outputs.network_name
subnetwork = dependency.vpc.outputs.subnets_names[0]
hostname = "vmagent-${local.gcp_project}"
instance_template = dependency.instance-template.outputs.self_link
}provider config:
provider "google" {
region = "${local.gcp_region}"
version = "~>4.17.0"
project = "${local.gcp_project}"
}
### Terraform Version
```sh
Terraform v0.15.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/github v5.8.0
+ provider registry.terraform.io/hashicorp/google v4.17.0
+ provider registry.terraform.io/hashicorp/google-beta v4.17.0
+ provider registry.terraform.io/hashicorp/local v1.4.0
Additional information
Downgrading to a module version before 7.0.0 which does have the sensitive = true code fixes the issue.
So I'm not sure how this is happening but it's basically #163 again.
I've looked into my dependencies to see if maybe something sensitive was injected but I don't think that's the case.
I hope you can help shine a light on this puzzle !
Thanks
It can be fixed by generating new outputs.tf file with adding "sensitive = true" to the block. But when you describe your terragrunt.hcl it really doesn't look nice. You don't want to paste it into your code, but I didn't find any better solution.
generate "outputs" {
path = "outputs.tf"
if_exists = "overwrite"
contents = <<EOF
output "instances_self_links" {
description = "List of self-links for compute instances"
value = google_compute_instance_from_template.compute_instance.*.self_link
}
output "instances_details" {
description = "List of all details for compute instances"
value = google_compute_instance_from_template.compute_instance.*
sensitive = true
}
output "available_zones" {
description = "List of available zones in region"
value = data.google_compute_zones.available.names
}
EOF
}
I understand that it did for working with some old terraform versions, see - #193.
Now actual version of terraform is 1.3.5, but we still support this legacy. Maybe it's right although not as convenient.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days