Disallow sensitive values as for_each arguments

2020-09-04 13:28:21 -04:00 · 2020-09-04 13:28:21 -04:00 · b03d5df9dc
parent 61c78fd3b9
commit b03d5df9dc
1 changed files with 8 additions and 0 deletions
--- a/terraform/eval_for_each.go
+++ b/terraform/eval_for_each.go
@ -48,6 +48,14 @@ func evaluateForEachExpressionValue(expr hcl.Expression, ctx EvalContext) (cty.V

 	forEachVal, forEachDiags := ctx.EvaluateExpr(expr, cty.DynamicPseudoType, nil)
 	diags = diags.Append(forEachDiags)
+	if forEachVal.ContainsMarked() {
+		diags = diags.Append(&hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  "Invalid for_each argument",
+			Detail:   "Sensitive variable, or values derived from sensitive variables, cannot be used as for_each arguments. If used, the sensitive value could be exposed as a resource instance key.",
+			Subject:  expr.Range().Ptr(),
+		})
+	}
 	if diags.HasErrors() {
 		return nullMap, diags
 	}