From 4bd939e70fd9b5aa532bb53b1008b4695849882f Mon Sep 17 00:00:00 2001 From: hezijie Date: Tue, 2 Sep 2025 10:58:59 +0800 Subject: [PATCH] fix: remove incorrect sensitive flag from cluster_identity output - Fix identity block in main.tf to use nonsensitive() function to prevent client_secret sensitivity from propagating to the identity block - Remove sensitive = true flag from cluster_identity output as the identity information (principal_id, tenant_id, type) is not actually sensitive data - Update NoticeOnUpgradeTov11.0.md to document this breaking change Fixes #683 --- NoticeOnUpgradeTov11.0.md | 6 ++++++ main.tf | 2 +- outputs.tf | 1 - 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/NoticeOnUpgradeTov11.0.md b/NoticeOnUpgradeTov11.0.md index 2386d510..001f99e6 100644 --- a/NoticeOnUpgradeTov11.0.md +++ b/NoticeOnUpgradeTov11.0.md @@ -15,3 +15,9 @@ This change also affects the `node_pools` variable where `node_pools[*].enable_h ## `var.enable_node_public_ip` has been renamed to `var.node_public_ip_enabled` This change also affects the `node_pools` variable where `node_pools[*].enable_node_public_ip` should be replaced with `node_pools[*].node_public_ip_enabled`. + +## `cluster_identity` output is no longer marked as sensitive + +The `cluster_identity` output was incorrectly marked as `sensitive = true` due to the `identity` block referencing `var.client_secret` in its `for_each` expression. This has been fixed by using the `nonsensitive()` function, and the output is no longer marked as sensitive. + +**Impact**: Users who previously had to mark their outputs as sensitive when using `module.aks.cluster_identity` can now remove the `sensitive = true` flag from their outputs. The cluster identity information (principal_id, tenant_id, type) is not actually sensitive data. diff --git a/main.tf b/main.tf index 3b33b676..126b46b6 100644 --- a/main.tf +++ b/main.tf 
@@ -327,7 +327,7 @@ resource "azurerm_kubernetes_cluster" "main" { } } dynamic "identity" { - for_each = var.client_id == "" || var.client_secret == "" ? ["identity"] : [] + for_each = var.client_id == "" || nonsensitive(var.client_secret) == "" ? ["identity"] : [] content { type = var.identity_type diff --git a/outputs.tf b/outputs.tf index e3d37ce7..635e656f 100644 --- a/outputs.tf +++ b/outputs.tf @@ -100,7 +100,6 @@ output "cluster_fqdn" { output "cluster_identity" { description = "The `azurerm_kubernetes_cluster`'s `identity` block." - sensitive = true value = try(azurerm_kubernetes_cluster.main.identity[0], null) }
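Review bot: The new `for_each` unmasks the secret string itself before comparing it, although only the one-bit emptiness test needs to escape sensitivity; applying the unmasking to the comparison instead keeps the raw value marked throughout the expression: `for_each = var.client_id == "" || nonsensitive(var.client_secret == "") ? ["identity"] : []`. Both forms disclose only whether a client secret was supplied, which is acceptable here, but the narrower scope is the safer idiom to copy elsewhere in the module. `nonsensitive()` also presumes `var.client_secret` is declared `sensitive = true` (older Terraform releases reject the call on an unmarked value), so the variable declaration, which is outside this hunk, must keep that flag; a comment such as `# nonsensitive(): the for_each key must not inherit client_secret's sensitivity, or the whole identity block (and the cluster_identity output) becomes sensitive` would record why the unmasking exists. The enclosing `azurerm_kubernetes_cluster.main` resource starts and ends outside the hunk.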
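Review bot: Dropping `sensitive = true` is only valid while nothing sensitive reaches `azurerm_kubernetes_cluster.main.identity[0]`; if a later change lets a sensitive value back into the `identity` block's expressions (the `nonsensitive()` change in main.tf is what prevents that today), `terraform plan` fails with "Output refers to sensitive values" rather than silently redacting. A comment on the output would make that coupling visible to the next maintainer, e.g. `# Intentionally not sensitive: the identity block only exposes type, principal_id and tenant_id. Keep sensitive inputs such as client_secret out of the identity block's expressions or this output fails validation.` Whether the block also carries `identity_ids` depends on the identity definition in main.tf, which is outside this hunk.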