@lonegunmanb
Member

Description

This PR fixes issue #683 where the cluster_identity output was incorrectly marked as sensitive, forcing users to mark their own outputs as sensitive unnecessarily.

Changes Made

  • main.tf: Updated the identity dynamic block to use nonsensitive(var.client_secret) in the for_each expression to prevent sensitivity propagation
  • outputs.tf: Removed sensitive = true flag from the cluster_identity output
  • NoticeOnUpgradeTov11.0.md: Added documentation for this breaking change

Root Cause

The issue occurred because the identity block's for_each expression referenced var.client_secret, which is marked as sensitive. This caused Terraform to treat the entire identity block as sensitive, even though the identity information (principal_id, tenant_id, type) is not actually sensitive data.

Impact

  • Breaking Change: Users who previously had to mark their outputs as sensitive when using module.aks.cluster_identity can now remove the sensitive = true flag
  • Improved UX: Users no longer need to unnecessarily mark outputs as sensitive
  • Terraform Best Practices: Aligns with proper handling of sensitivity in Terraform

Testing

  • ✅ Pre-commit checks passed
  • ✅ Terraform validation passed
  • ✅ Linting checks passed

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix that would cause existing functionality to not work as expected)

Fixes #683


This PR was composed by GitHub Copilot agent as part of automated issue resolution.

- Fix identity block in main.tf to use nonsensitive() function to prevent
  client_secret sensitivity from propagating to the identity block
- Remove sensitive = true flag from cluster_identity output as the identity
  information (principal_id, tenant_id, type) is not actually sensitive data
- Update NoticeOnUpgradeTov11.0.md to document this breaking change

Fixes #683
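
The sensitivity propagation named in the root cause above, as an added Terraform example that is not the module's own code: the resource arguments, the names and the exact shape of the `for_each` condition are assumptions. It applies `nonsensitive()` to the derived boolean rather than to the secret, so a plan reveals only whether a secret was supplied, never its value.

```hcl
# Constructed example: names, values and the condition are placeholders.
variable "client_id" {
  type    = string
  default = ""
}
variable "client_secret" {
  type      = string
  default   = ""
  sensitive = true
}

locals {
  # Comparing a sensitive value yields a sensitive bool. nonsensitive() is
  # applied to that bool only, so the secret string itself stays marked.
  use_managed_identity = var.client_id == "" || nonsensitive(var.client_secret == "")
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks"
  location            = "eastus"
  resource_group_name = "example-rg"
  dns_prefix          = "example"
  default_node_pool {
    name       = "default"
    vm_size    = "Standard_D2s_v3"
    node_count = 1
  }

  # With a for_each that is still sensitive, Terraform marks the whole
  # identity block sensitive, and every output reading it must be too.
  dynamic "identity" {
    for_each = local.use_managed_identity ? ["identity"] : []
    content {
      type = "SystemAssigned"
    }
  }

  dynamic "service_principal" {
    for_each = local.use_managed_identity ? [] : ["service_principal"]
    content {
      client_id     = var.client_id
      client_secret = var.client_secret # remains sensitive in plan output
    }
  }
}

output "cluster_identity" {
  value = try(azurerm_kubernetes_cluster.example.identity[0], null)
}
```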
@lonegunmanb lonegunmanb changed the title 🤖 fix: remove incorrect sensitive flag from cluster_identity output 🤖 fix: remove incorrect sensitive flag from cluster_identity output Sep 2, 2025
Collaborator

@jiaweitao001 jiaweitao001 left a comment

🤖 LGTM

@lonegunmanb lonegunmanb merged commit f2fea35 into main Sep 2, 2025
5 checks passed
@github-project-automation github-project-automation bot moved this from Todo to Done in Azure Module Kanban Sep 2, 2025
@lonegunmanb lonegunmanb deleted the bugfix/683 branch September 2, 2025 05:05
Development

Successfully merging this pull request may close these issues.

identity has been marked as sensitive incorrectly