🤖 fix: remove incorrect sensitive flag from cluster_identity output

NoticeOnUpgradeTov11.0.md

@@ -15,3 +15,9 @@ This change also affects the `node_pools` variable where `node_pools[*].enable_h
 ## `var.enable_node_public_ip` has been renamed to `var.node_public_ip_enabled`
 
 This change also affects the `node_pools` variable where `node_pools[*].enable_node_public_ip` should be replaced with `node_pools[*].node_public_ip_enabled`.
+
+## `cluster_identity` output is no longer marked as sensitive
+
+The `cluster_identity` output was incorrectly marked as `sensitive = true` due to the `identity` block referencing `var.client_secret` in its `for_each` expression. This has been fixed by using the `nonsensitive()` function, and the output is no longer marked as sensitive.
+
+**Impact**: Users who previously had to mark their outputs as sensitive when using `module.aks.cluster_identity` can now remove the `sensitive = true` flag from their outputs. The cluster identity information (principal_id, tenant_id, type) is not actually sensitive data.

main.tf

@@ -327,7 +327,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "identity" {
-    for_each = var.client_id == "" || var.client_secret == "" ? ["identity"] : []
+    for_each = var.client_id == "" || nonsensitive(var.client_secret) == "" ? ["identity"] : []
 
     content {
       type         = var.identity_type

outputs.tf

@@ -100,7 +100,6 @@ output "cluster_fqdn" {
 
 output "cluster_identity" {
   description = "The `azurerm_kubernetes_cluster`'s `identity` block."
-  sensitive   = true
   value       = try(azurerm_kubernetes_cluster.main.identity[0], null)
 }