Document sensitivity + function call behavior

2020-12-14 15:38:47 -05:00 · 2020-12-14 15:38:47 -05:00 · d7f3239c51
parent 9ac8e3c55e
commit d7f3239c51
1 changed files with 20 additions and 0 deletions
--- a/website/docs/configuration/expressions/function-calls.html.md
+++ b/website/docs/configuration/expressions/function-calls.html.md
@ -48,6 +48,26 @@ min([55, 2453, 2]...)
 The expansion symbol is three periods (`...`), not a Unicode ellipsis character
 (`…`). Expansion is a special syntax that is only available in function calls.

+## Using Sensitive Data as Function Arguments
+
+When using sensitive data, such as [an input variable](https://www.terraform.io/docs/configuration/variables.html#suppressing-values-in-cli-output)
+or [an output defined](https://www.terraform.io/docs/configuration/outputs.html#sensitive-suppressing-values-in-cli-output) as sensitive
+as function arguments, the result of the function call will be marked as sensitive.
+
+This is a conservative behavior that is true irrespective of the function being
+called. For example, passing an object containing a sensitive input variable to
+the `keys()` function will result in a list that is sensitive:
+
+```shell
+> local.baz
+{
+  "a" = (sensitive)
+  "b" = "dog"
+}
+> keys(local.baz)
+(sensitive)
+```
+
 ## When Terraform Calls Functions

 Most of Terraform's built-in functions are, in programming language terms,