
Introduction of password {} block in v2.53.0 for azuread_application forces sensitive = true on output even when not utilized #1421

Closed
philmph opened this issue Jun 28, 2024 · 3 comments · Fixed by #1422

Comments

philmph commented Jun 28, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Running on Terraform Cloud hosted runner

Terraform v1.8.5
on linux_amd64

Updating via Renovate Bot chore(deps): update terraform azuread to v2.53.0:

Package Type Update Change
azuread (source) required_provider minor 2.52.0 -> 2.53.0

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

I am running a module which deploys apps + spns + secrets. The module is called by different environments with the respective root module. The azuread_application does NOT utilize the new password block.

variables.tf

variable "service_principals" {
  description = "The Service Principals to create."
  type = map(object({
    create_password = optional(bool, false)
    display_name    = string
    description     = string

    required_resource_access = optional(list(object({
      resource_app_id = string
      resource_access = list(object({
        id   = string
        type = string
      }))
    })), [])
  }))
}

main.tf

resource "azuread_application" "this" {
  for_each = var.service_principals

  display_name = each.value.display_name
  description  = each.value.description

  owners = local.owners

  # Required resource access
  dynamic "required_resource_access" {
    # for_each = each.value.required_resource_access
    for_each = { for i, o in each.value.required_resource_access : o.resource_app_id => o }

    content {
      resource_app_id = required_resource_access.value.resource_app_id

      dynamic "resource_access" {
        for_each = { for i, o in required_resource_access.value.resource_access : o.id => o }

        content {
          id   = resource_access.value.id
          type = resource_access.value.type
        }
      }
    }
  }
}

locals {
  azuread_applications_with_password = {
    for k, v in azuread_application.this : k => v if var.service_principals[k].create_password
  }
}

resource "azuread_application_password" "this" {
  for_each = local.azuread_applications_with_password

  application_id = each.value.id
  display_name   = "Managed by Terraform"
}

...

azuread_application_password is NOT a defined output (the module also handles directly adding the secret to e.g. Key Vault and TFE Workspaces without human interaction, but I omitted the code as it is not relevant)

outputs.tf

output "applications" {
  description = "Relevant infos of generated Application Registrations."
  value       = azuread_application.this
}

Debug Output

Only relevant part from the root module calling the module using the azuread_application resource without password block:

{"@level":"error","@message":"Error: Output refers to sensitive values","@module":"terraform.ui","@timestamp":"2024-06-28T09:24:18.003275Z","diagnostic":{"severity":"error","summary":"Output refers to sensitive values","detail":"To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output containing sensitive data be explicitly marked as sensitive, to confirm your intent.\n\nIf you do intend to export this data, annotate the output value as sensitive by adding the following argument:\n    sensitive = true","range":{"filename":"outputs.tf","start":{"line":1,"column":1,"byte":0},"end":{"line":1,"column":36,"byte":35}},"snippet":{"context":null,"code":"output \"managed_entraid_identities\" {","start_line":1,"highlight_start_offset":0,"highlight_end_offset":35,"values":[]}},"type":"diagnostic"}

Human readable (hopefully)

Error: Output refers to sensitive values
on outputs.tf line 1:
output "managed_entraid_identities" {
To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, Terraform requires that any root module output containing sensitive data be explicitly marked as sensitive, to confirm your intent.

If you do intend to export this data, annotate the output value as sensitive by adding the following argument:
sensitive = true

Panic Output

Expected Behavior

Terraform doesn't force me to chain sensitive = true for existing deployments which don't use the password block in resource azuread_application.

Actual Behavior

Run exits with 1 because the output is not marked as sensitive = true while not using the new password block.

Steps to Reproduce

  1. Upgrade from v2.52.0 to v2.53.0
  2. Run terraform plan

Important Factoids

References
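The underlying behaviour is that Terraform tracks sensitivity per value: once the provider marks the new password block as sensitive, the whole azuread_application.this object inherits that mark, and an output that exports the entire object trips the "Output refers to sensitive values" check. Marking the output sensitive = true hides every attribute, including the ones consumers actually need. A narrower alternative is to project only the non-sensitive attributes out of the resource, so a sensitive nested block can never reach the output in the first place. The following outputs.tf is an added example written for this issue, not code from the reporter's module or from the provider; it assumes the azuread_application exported attributes client_id, object_id and display_name, and keeps the same for_each-keyed azuread_application.this resource shown above.

```hcl
# Added example: export only the attributes consumers need, not the whole
# resource object. Selecting individual non-sensitive attributes yields a
# non-sensitive value, so this output needs no `sensitive = true` even when the
# provider marks a nested block (such as the v2.53.0 `password` block) sensitive.
output "applications" {
  description = "Non-sensitive attributes of the generated Application Registrations."
  value = {
    for k, app in azuread_application.this : k => {
      client_id    = app.client_id    # the application (client) ID used by consumers
      object_id    = app.object_id    # the directory object ID
      display_name = app.display_name
    }
  }
}
```

This keeps the module's public contract stable across provider upgrades and also prevents a future secret-bearing attribute from leaking into consumers' plan output. Note that projection only governs what is exposed through outputs; any password the provider generates is still written to the Terraform state, so state storage still needs to be treated as secret-bearing.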

@manicminer (Member)

Thanks for reporting this @philmph, we should have a fix out for this shortly.

@manicminer (Member)

@philmph Appreciate the detailed report. A patch release v2.53.1 is on its way out and should be available shortly.

philmph (Author) commented Jun 28, 2024

Thanks @manicminer for the immediate response and fix - No more issues after Renovate update to v2.53.1 :)
