Skip to content

feat(outputs)!: breaking change, add sensitive true to outputs + add tests #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Aug 14, 2025
Merged

feat(outputs)!: breaking change, add sensitive true to outputs + add tests #17

merged 10 commits into from
Aug 14, 2025

Conversation

westonplatter
Copy link
Member

what

  • add basic tests for locals.tf and main.tf
  • while adding tests, I needed to updated the outputs.tf to include sensitive true.

why

tests/main.tftest.hcl... fail
  run "test_data_resource_creation_single_file"... fail
╷
│ Error: Output refers to sensitive values
│ 
│   on outputs.tf line 1:
│    1: output "all" {
│ 
│ To reduce the risk of accidentally exporting sensitive data that was intended to be only internal, OpenTofu requires that any root module output containing sensitive
│ data be explicitly marked as sensitive, to confirm your intent.
│ 
│ If you do intend to export this data, annotate the output value as sensitive by adding the following argument:
│     sensitive = true

Impacts

For any downstream root modules using this child module, they'd need to also used sensitive = true when accessing the values. In the examples/complete/outputs.tf file, we already do this, but I think this would be a breaking change?

@westonplatter westonplatter requested a review from a team as a code owner July 3, 2025 20:49
@westonplatter westonplatter requested a review from oycyc July 3, 2025 20:49
oycyc
oycyc previously approved these changes Jul 3, 2025
View reviewed changes
Copy link

@oycyc oycyc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simple + straightforward!

oycyc
oycyc reviewed Jul 4, 2025
View reviewed changes
Gowiem
Gowiem reviewed Jul 4, 2025
View reviewed changes
Copy link
Member

@Gowiem Gowiem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple questions, but I like that we're circling back to this module to add tests since we do use it a good bit!

outputs.tf
output "all" {
value = local.secrets
description = "The final secrets pulled from various sources."
sensitive = true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You call this out as a breaking change in the PR title, but I'm not sure it is. Mind sharing why you're considering this a breaking change? It changes the output of this module, but I would just call that a feature enhancement, not a breaking change.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am expecting that adding sensitive = true requires downstream child or root modules then also mark the output as sensitive. My practical concern is that users would need to make a code change on their end in order to get terraform plan/applies to run.

For example, https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#reference-sensitive-variables
CleanShot 2025-08-05 at 09 38 34@2x

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, this is interesting. I wasn't aware of this behaviour, but we have to treat this as a breaking change indeed.
Screenshot 2025-08-12 at 12 01 15

@westonplatter could you please rename a PR title to reflect this: feat(outputs)!: add sensitive true to outputs + add tests), so release-please correctly generates the release.
Also, we should ensure that this is described in the release notes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@westonplatter good thinking in terms of this breaking downstream outputs, you're obviously right that this is a breaking change 💯 👍

@westonplatter westonplatter requested review from Gowiem and oycyc August 5, 2025 17:03
@westonplatter westonplatter changed the title feat(outputs): breaking change, add sensitive true to outputs + add tests feat(outputs)!: breaking change, add sensitive true to outputs + add tests Aug 12, 2025
@gberenice gberenice mentioned this pull request Aug 13, 2025
Merged
gberenice added a commit that referenced this pull request Aug 13, 2025
@gberenice
chore: update with the latest template state (#19)
5a98c66 
## what

- Update with the latest template.

## why

- Unblock existing PRs - checks are stuck.

## references

- #17
@westonplatter westonplatter merged commit 9eff666 into main Aug 14, 2025
5 checks passed
@westonplatter westonplatter deleted the feat/add-tests branch August 14, 2025 14:30
@masterpointbot masterpointbot bot mentioned this pull request Aug 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gberenice gberenice gberenice approved these changes

@Gowiem Gowiem Awaiting requested review from Gowiem

@oycyc oycyc Awaiting requested review from oycyc

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@westonplatter @Gowiem @gberenice @oycyc