fix: remove incorrect sensitive flag from cluster_identity output

lonegunmanb · lonegunmanb · commit f2fea3574fe9 · 2025-09-02T12:51:00.000+08:00
- Fix identity block in main.tf to use nonsensitive() function to prevent client_secret sensitivity from propagating to the identity block - Remove sensitive = true flag from cluster_identity output as the identity information (principal_id, tenant_id, type) is not actually sensitive data - Update NoticeOnUpgradeTov11.0.md to document this breaking change Fixes #683
diff --git a/NoticeOnUpgradeTov11.0.md b/NoticeOnUpgradeTov11.0.md
@@ -15,3 +15,9 @@ This change also affects the `node_pools` variable where `node_pools[*].enable_h
 ## `var.enable_node_public_ip` has been renamed to `var.node_public_ip_enabled`
 
 This change also affects the `node_pools` variable where `node_pools[*].enable_node_public_ip` should be replaced with `node_pools[*].node_public_ip_enabled`.
+
+## `cluster_identity` output is no longer marked as sensitive
+
+The `cluster_identity` output was incorrectly marked as `sensitive = true` due to the `identity` block referencing `var.client_secret` in its `for_each` expression. This has been fixed by using the `nonsensitive()` function, and the output is no longer marked as sensitive.
+
+**Impact**: Users who previously had to mark their outputs as sensitive when using `module.aks.cluster_identity` can now remove the `sensitive = true` flag from their outputs. The cluster identity information (principal_id, tenant_id, type) is not actually sensitive data.
diff --git a/main.tf b/main.tf
@@ -327,7 +327,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "identity" {
-    for_each = var.client_id == "" || var.client_secret == "" ? ["identity"] : []
+    for_each = var.client_id == "" || nonsensitive(var.client_secret) == "" ? ["identity"] : []
 
     content {
       type         = var.identity_type
diff --git a/outputs.tf b/outputs.tf
@@ -100,7 +100,6 @@ output "cluster_fqdn" {
 
 output "cluster_identity" {
   description = "The `azurerm_kubernetes_cluster`'s `identity` block."
-  sensitive   = true
   value       = try(azurerm_kubernetes_cluster.main.identity[0], null)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ resource "azurerm_kubernetes_cluster" "main" {`
`327`	`327`	`}`
`328`	`328`	`}`
`329`	`329`	`dynamic "identity" {`
`330`		`- for_each = var.client_id == "" \|\| var.client_secret == "" ? ["identity"] : []`
	`330`	`+ for_each = var.client_id == "" \|\| nonsensitive(var.client_secret) == "" ? ["identity"] : []`
`331`	`331`
`332`	`332`	`content {`
`333`	`333`	`type = var.identity_type`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,6 @@ output "cluster_fqdn" {`
`100`	`100`
`101`	`101`	`output "cluster_identity" {`
`102`	`102`	description = "The `azurerm_kubernetes_cluster`'s `identity` block."
`103`		`- sensitive = true`
`104`	`103`	`value = try(azurerm_kubernetes_cluster.main.identity[0], null)`
`105`	`104`	`}`
`106`	`105`