From 6391c448d774ca3eeb686aa49a48c8154b96db3b Mon Sep 17 00:00:00 2001
From: Paul Blum <32366838+paulblum00@users.noreply.github.com>
Date: Tue, 14 Jan 2025 09:22:34 +0100
Subject: [PATCH 1/2] Add nonsensitive around for_each argument
---
 role_assignments.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/role_assignments.tf b/role_assignments.tf
index 05825f98..14dde78a 100644
--- a/role_assignments.tf
+++ b/role_assignments.tf
@@ -22,7 +22,7 @@ data "azurerm_user_assigned_identity" "cluster_identity" {
 # https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
 # https://github.com/Azure/terraform-azurerm-aks/issues/178
 resource "azurerm_role_assignment" "network_contributor" {
- for_each = var.create_role_assignment_network_contributor && (var.client_id == "" || var.client_secret == "") ? local.subnet_ids : []
+ for_each = nonsensitive(var.create_role_assignment_network_contributor && (var.client_id == "" || var.client_secret == "") ? local.subnet_ids : [])
 principal_id = coalesce(try(data.azurerm_user_assigned_identity.cluster_identity[0].principal_id, azurerm_kubernetes_cluster.main.identity[0].principal_id), var.client_id)
 scope = each.value
From 9445d203f73cfea585c85d1b351c11f12acc6a69 Mon Sep 17 00:00:00 2001
From: zjhe
Date: Wed, 26 Feb 2025 11:20:32 +0800
Subject: [PATCH 2/2] amend nonsensitive call
---
 role_assignments.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/role_assignments.tf b/role_assignments.tf
index 14dde78a..8a90d62c 100644
--- a/role_assignments.tf
+++ b/role_assignments.tf
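Review bot: In the `network_contributor` hunk of PATCH 1/2, `nonsensitive(...)` wraps the entire `for_each` expression, so it also strips any sensitivity mark from `local.subnet_ids` rather than only from the credential comparison that presumably made the expression sensitive (the variable declarations are not shown). Scoping the call to that comparison limits what is declassified to whether the service-principal credentials are empty, and lets Terraform keep rejecting a sensitive subnet set: `for_each = var.create_role_assignment_network_contributor && nonsensitive(var.client_id == "" || var.client_secret == "") ? local.subnet_ids : []`. The `count` change in PATCH 2/2 has the same shape and could use `count = nonsensitive(var.client_id == "" || var.client_secret == "") && var.identity_type == "UserAssigned" ? 1 : 0`. Both blocks continue outside their hunks.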
@@ -9,7 +9,7 @@ resource "azurerm_role_assignment" "acr" {
 # /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/acceptanceTestResourceGroup1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testIdentity
 data "azurerm_user_assigned_identity" "cluster_identity" {
- count = (var.client_id == "" || var.client_secret == "") && var.identity_type == "UserAssigned" ? 1 : 0
+ count = nonsensitive((var.client_id == "" || var.client_secret == "") && var.identity_type == "UserAssigned" ? 1 : 0)
 name = split("/", var.identity_ids[0])[8]
 resource_group_name = split("/", var.identity_ids[0])[4]
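Review bot: The `nonsensitive(...)` added on the `count` line has no comment recording what is being declassified, which makes it easy for a later edit to place a value-bearing expression inside the call without anyone noticing. A one-line comment above `count` would pin the intent, for example `# nonsensitive: discloses only whether client_id/client_secret are empty, never their values`. The data block continues past the end of the hunk.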