Splat operator with sensitive values panics: "value is marked, so must be unmarked first"

[woz5999]

Terraform Version

Terraform v0.14.3

Terraform Configuration Files

variable "secret" {
  type = string
  sensitive = true
  default = "mysecret"
}

locals {
  a_map = {
    key_1 = {
      v = "foo"
    }
    key_2 = {
      v = "bar"
    }
  }

  a_sensitive_map = {
    key_1 = {
      v = var.secret
    }
    key_2 = {
      v = "bar"
    }
  }

  no_crash_local = flatten(values(local.a_map).*.v)
  crash_local = flatten(values(local.a_sensitive_map).*.v)
}

Crash Output

2020/12/17 15:26:28 [INFO] Terraform version: 0.14.3  
2020/12/17 15:26:28 [INFO] Go runtime version: go1.15.2
2020/12/17 15:26:28 [INFO] CLI args: []string{"/usr/local/bin/terraform", "plan"}
2020/12/17 15:26:28 [DEBUG] Attempting to open CLI config file: /Users/jeffwozniak/.terraformrc
2020/12/17 15:26:28 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/12/17 15:26:28 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2020/12/17 15:26:28 [DEBUG] ignoring non-existing provider search directory /Users/jeffwozniak/.terraform.d/plugins
2020/12/17 15:26:28 [DEBUG] ignoring non-existing provider search directory /Users/jeffwozniak/Library/Application Support/io.terraform/plugins
2020/12/17 15:26:28 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2020/12/17 15:26:28 [INFO] CLI command args: []string{"plan"}
2020/12/17 15:26:28 [TRACE] Meta.Backend: no config given or present on disk, so returning nil config
2020/12/17 15:26:28 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory
2020/12/17 15:26:28 [DEBUG] New state was assigned lineage "3d14b904-8a51-9847-dab6-3adb8db60db3"
2020/12/17 15:26:28 [TRACE] Meta.Backend: using default local state only (no backend configuration, and no existing initialized backend)
2020/12/17 15:26:28 [TRACE] Meta.Backend: instantiated backend of type <nil>
2020/12/17 15:26:28 [DEBUG] checking for provisioner in "."
2020/12/17 15:26:28 [DEBUG] checking for provisioner in "/usr/local/bin"
2020/12/17 15:26:28 [INFO] Failed to read plugin lock file .terraform/plugins/darwin_amd64/lock.json: open .terraform/plugins/darwin_amd64/lock.json: no such file or directory
2020/12/17 15:26:28 [TRACE] Meta.Backend: backend <nil> does not support operations, so wrapping it in a local backend
2020/12/17 15:26:28 [INFO] backend/local: starting Plan operation
2020/12/17 15:26:28 [TRACE] backend/local: requesting state manager for workspace "default"
2020/12/17 15:26:28 [TRACE] backend/local: state manager for workspace "default" will:
 - read initial snapshot from terraform.tfstate
 - write new snapshots to terraform.tfstate
 - create any backup at terraform.tfstate.backup
2020/12/17 15:26:28 [TRACE] backend/local: requesting state lock for workspace "default"
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: preparing to manage state snapshots at terraform.tfstate
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: no previously-stored snapshot exists
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: locking terraform.tfstate using fcntl flock
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: writing lock metadata to .terraform.tfstate.lock.info
2020/12/17 15:26:28 [TRACE] backend/local: reading remote state for workspace "default"
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: reading latest snapshot from terraform.tfstate
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay
2020/12/17 15:26:28 [TRACE] statemgr.Filesystem: read nil snapshot
2020/12/17 15:26:28 [TRACE] backend/local: retrieving local state snapshot for workspace "default"
2020/12/17 15:26:28 [TRACE] backend/local: building context for current working directory
2020/12/17 15:26:28 [TRACE] terraform.NewContext: starting
2020/12/17 15:26:28 [TRACE] terraform.NewContext: loading provider schemas
2020/12/17 15:26:28 [TRACE] terraform.NewContext: complete
2020/12/17 15:26:28 [TRACE] backend/local: finished building terraform.Context
2020/12/17 15:26:28 [TRACE] backend/local: requesting interactive input, if necessary
2020/12/17 15:26:28 [TRACE] Context.Input: Prompting for provider arguments
2020/12/17 15:26:28 [TRACE] backend/local: running validation operation
2020/12/17 15:26:28 [INFO] terraform: building graph: GraphTypeValidate
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.ConfigTransformer
2020/12/17 15:26:28 [TRACE] ConfigTransformer: Starting for path: 
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.ConfigTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.RootVariableTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.RootVariableTransformer with new graph:
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.ModuleVariableTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.ModuleVariableTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.LocalTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.LocalTransformer with new graph:
  local.a_map (expand) - *terraform.nodeExpandLocal
  local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
  local.crash_local (expand) - *terraform.nodeExpandLocal
  local.no_crash_local (expand) - *terraform.nodeExpandLocal
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.OutputTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.OutputTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.OrphanResourceInstanceTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.OrphanResourceInstanceTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.StateTransformer
2020/12/17 15:26:28 [TRACE] StateTransformer: state is empty, so nothing to do
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.StateTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.AttachStateTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.AttachStateTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.OrphanOutputTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.OrphanOutputTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.AttachResourceConfigTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.AttachResourceConfigTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.MissingProvisionerTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.MissingProvisionerTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.ProvisionerTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.ProvisionerTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.graphTransformerMulti
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Executing graph transform *terraform.ProviderConfigTransformer
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Completed graph transform *terraform.ProviderConfigTransformer with new graph:
  local.a_map (expand) - *terraform.nodeExpandLocal
  local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
  local.crash_local (expand) - *terraform.nodeExpandLocal
  local.no_crash_local (expand) - *terraform.nodeExpandLocal
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Executing graph transform *terraform.MissingProviderTransformer
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Completed graph transform *terraform.MissingProviderTransformer (no changes)
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Executing graph transform *terraform.ProviderTransformer
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Completed graph transform *terraform.ProviderTransformer (no changes)
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Executing graph transform *terraform.PruneProviderTransformer
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Completed graph transform *terraform.PruneProviderTransformer (no changes)
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Executing graph transform *terraform.ParentProviderTransformer
2020/12/17 15:26:28 [TRACE] (graphTransformerMulti) Completed graph transform *terraform.ParentProviderTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.graphTransformerMulti (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.RemovedModuleTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.RemovedModuleTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.AttachSchemaTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.AttachSchemaTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.ModuleExpansionTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.ModuleExpansionTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.ReferenceTransformer
2020/12/17 15:26:28 [DEBUG] ReferenceTransformer: "local.a_sensitive_map (expand)" references: [var.secret]
2020/12/17 15:26:28 [DEBUG] ReferenceTransformer: "local.no_crash_local (expand)" references: [local.a_map (expand)]
2020/12/17 15:26:28 [DEBUG] ReferenceTransformer: "local.crash_local (expand)" references: [local.a_sensitive_map (expand)]
2020/12/17 15:26:28 [DEBUG] ReferenceTransformer: "local.a_map (expand)" references: []
2020/12/17 15:26:28 [DEBUG] ReferenceTransformer: "var.secret" references: []
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.ReferenceTransformer with new graph:
  local.a_map (expand) - *terraform.nodeExpandLocal
  local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
    var.secret - *terraform.NodeRootVariable
  local.crash_local (expand) - *terraform.nodeExpandLocal
    local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
  local.no_crash_local (expand) - *terraform.nodeExpandLocal
    local.a_map (expand) - *terraform.nodeExpandLocal
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.AttachDependenciesTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.AttachDependenciesTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.attachDataResourceDependenciesTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.attachDataResourceDependenciesTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.TargetsTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.TargetsTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.ForcedCBDTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.ForcedCBDTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.CountBoundaryTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.CountBoundaryTransformer with new graph:
  local.a_map (expand) - *terraform.nodeExpandLocal
  local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
    var.secret - *terraform.NodeRootVariable
  local.crash_local (expand) - *terraform.nodeExpandLocal
    local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
  local.no_crash_local (expand) - *terraform.nodeExpandLocal
    local.a_map (expand) - *terraform.nodeExpandLocal
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
    local.a_map (expand) - *terraform.nodeExpandLocal
    local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
    local.crash_local (expand) - *terraform.nodeExpandLocal
    local.no_crash_local (expand) - *terraform.nodeExpandLocal
    var.secret - *terraform.NodeRootVariable
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.CloseProviderTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.CloseProviderTransformer (no changes)
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.CloseRootModuleTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.CloseRootModuleTransformer with new graph:
  local.a_map (expand) - *terraform.nodeExpandLocal
  local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
    var.secret - *terraform.NodeRootVariable
  local.crash_local (expand) - *terraform.nodeExpandLocal
    local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
  local.no_crash_local (expand) - *terraform.nodeExpandLocal
    local.a_map (expand) - *terraform.nodeExpandLocal
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
    local.a_map (expand) - *terraform.nodeExpandLocal
    local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
    local.crash_local (expand) - *terraform.nodeExpandLocal
    local.no_crash_local (expand) - *terraform.nodeExpandLocal
    var.secret - *terraform.NodeRootVariable
  root - *terraform.nodeCloseModule
    meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [TRACE] Executing graph transform *terraform.TransitiveReductionTransformer
2020/12/17 15:26:28 [TRACE] Completed graph transform *terraform.TransitiveReductionTransformer with new graph:
  local.a_map (expand) - *terraform.nodeExpandLocal
  local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
    var.secret - *terraform.NodeRootVariable
  local.crash_local (expand) - *terraform.nodeExpandLocal
    local.a_sensitive_map (expand) - *terraform.nodeExpandLocal
  local.no_crash_local (expand) - *terraform.nodeExpandLocal
    local.a_map (expand) - *terraform.nodeExpandLocal
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
    local.crash_local (expand) - *terraform.nodeExpandLocal
    local.no_crash_local (expand) - *terraform.nodeExpandLocal
  root - *terraform.nodeCloseModule
    meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
  var.secret - *terraform.NodeRootVariable
  ------
2020/12/17 15:26:28 [DEBUG] Starting graph walk: walkValidate
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "var.secret"
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.a_map (expand)"
2020/12/17 15:26:28 [TRACE] vertex "var.secret": starting visit (*terraform.NodeRootVariable)
2020/12/17 15:26:28 [TRACE] vertex "local.a_map (expand)": starting visit (*terraform.nodeExpandLocal)
2020/12/17 15:26:28 [TRACE] vertex "var.secret": visit complete
2020/12/17 15:26:28 [TRACE] vertex "local.a_map (expand)": expanding dynamic subgraph
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.a_sensitive_map (expand)"
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map (expand)": starting visit (*terraform.nodeExpandLocal)
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map (expand)": expanding dynamic subgraph
2020/12/17 15:26:28 [TRACE] Expanding local: adding local.a_map as *terraform.NodeLocal
2020/12/17 15:26:28 [TRACE] Expanding local: adding local.a_sensitive_map as *terraform.NodeLocal
2020/12/17 15:26:28 [TRACE] vertex "local.a_map (expand)": entering dynamic subgraph
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map (expand)": entering dynamic subgraph
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.a_sensitive_map"
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map": starting visit (*terraform.NodeLocal)
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.a_map"
2020/12/17 15:26:28 [TRACE] vertex "local.a_map": starting visit (*terraform.NodeLocal)
2020/12/17 15:26:28 [TRACE] vertex "local.a_map": visit complete
2020/12/17 15:26:28 [TRACE] vertex "local.a_map (expand)": dynamic subgraph completed successfully
2020/12/17 15:26:28 [TRACE] vertex "local.a_map (expand)": visit complete
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.no_crash_local (expand)"
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map": visit complete
2020/12/17 15:26:28 [TRACE] vertex "local.no_crash_local (expand)": starting visit (*terraform.nodeExpandLocal)
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map (expand)": dynamic subgraph completed successfully
2020/12/17 15:26:28 [TRACE] vertex "local.no_crash_local (expand)": expanding dynamic subgraph
2020/12/17 15:26:28 [TRACE] Expanding local: adding local.no_crash_local as *terraform.NodeLocal
2020/12/17 15:26:28 [TRACE] vertex "local.a_sensitive_map (expand)": visit complete
2020/12/17 15:26:28 [TRACE] vertex "local.no_crash_local (expand)": entering dynamic subgraph
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.crash_local (expand)"
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.no_crash_local"
2020/12/17 15:26:28 [TRACE] vertex "local.no_crash_local": starting visit (*terraform.NodeLocal)
2020/12/17 15:26:28 [TRACE] vertex "local.crash_local (expand)": starting visit (*terraform.nodeExpandLocal)
2020/12/17 15:26:28 [TRACE] vertex "local.crash_local (expand)": expanding dynamic subgraph
2020/12/17 15:26:28 [TRACE] Expanding local: adding local.crash_local as *terraform.NodeLocal
2020/12/17 15:26:28 [TRACE] vertex "local.crash_local (expand)": entering dynamic subgraph
2020/12/17 15:26:28 [TRACE] dag/walk: visiting "local.crash_local"
2020/12/17 15:26:28 [TRACE] vertex "local.crash_local": starting visit (*terraform.NodeLocal)
2020/12/17 15:26:28 [TRACE] vertex "local.crash_local": visit complete
panic: value is marked, so must be unmarked first

goroutine 16 [running]:
github.com/zclconf/go-cty/cty.Value.assertUnmarked(...)
	/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/marks.go:123
github.com/zclconf/go-cty/cty.Value.LengthInt(0x385a780, 0xc00059fbc0, 0x314f9e0, 0xc00059fc00, 0x314f901)
	/go/pkg/mod/github.com/zclconf/go-cty@v1.7.1/cty/value_ops.go:1045 +0x4f
github.com/hashicorp/hcl/v2/hclsyntax.(*SplatExpr).Value(0xc00063e370, 0xc00059f9a0, 0x0, 0xc00059f9c0, 0x1, 0x1, 0x0, 0x0, 0xf)
	/go/pkg/mod/github.com/hashicorp/hcl/v2@v2.8.1/hclsyntax/expression.go:1455 +0x245
github.com/hashicorp/hcl/v2/hclsyntax.(*FunctionCallExpr).Value(0xc0006122d0, 0xc00059f9a0, 0x0, 0xc0005dd800, 0x1, 0x1, 0x0, 0x0, 0x0)
	/go/pkg/mod/github.com/hashicorp/hcl/v2@v2.8.1/hclsyntax/expression.go:408 +0x260c
github.com/hashicorp/terraform/lang.(*Scope).EvalExpr(0xc0006dc5a0, 0x3859180, 0xc0006122d0, 0x385a640, 0x49452f0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/home/circleci/project/project/lang/eval.go:171 +0x1b7
github.com/hashicorp/terraform/terraform.(*BuiltinEvalContext).EvaluateExpr(0xc00028e0d0, 0x3859180, 0xc0006122d0, 0x385a640, 0x49452f0, 0x0, 0x0, 0x0, 0x106d060, 0xc00091ba20, ...)
	/home/circleci/project/project/terraform/eval_context_builtin.go:287 +0xbb
github.com/hashicorp/terraform/terraform.(*NodeLocal).Execute(0xc000a18270, 0x3895f00, 0xc00028e0d0, 0xc00003a004, 0x30a8160, 0x322e1a0)
	/home/circleci/project/project/terraform/node_local.go:156 +0x71d
github.com/hashicorp/terraform/terraform.(*ContextGraphWalker).Execute(0xc0005c7c70, 0x3895f00, 0xc00028e0d0, 0xdbbd458, 0xc000a18270, 0x0, 0x0, 0x0)
	/home/circleci/project/project/terraform/graph_walk_context.go:127 +0xbc
github.com/hashicorp/terraform/terraform.(*Graph).walk.func1(0x322e1a0, 0xc000a18270, 0x0, 0x0, 0x0)
	/home/circleci/project/project/terraform/graph.go:59 +0x962
github.com/hashicorp/terraform/dag.(*Walker).walkVertex(0xc00005d8c0, 0x322e1a0, 0xc000a18270, 0xc0002fc500)
	/home/circleci/project/project/dag/walk.go:387 +0x375
created by github.com/hashicorp/terraform/dag.(*Walker).Update
	/home/circleci/project/project/dag/walk.go:309 +0x1246

Expected Behavior

Command Success

Actual Behavior

Panic / terraform crash

Steps to Reproduce

1. terraform init
2. terraform plan

Additional Context

References

• v0.14.2 panic: value is marked, so must be unmarked first #27220

[woz5999]

@alisdair from #27220

revisiting this bit of old code, i can probably refactor it to take advantage of some of the newer dynamic expressions, but this worked as of tf 0.13.x

[alisdair]

Thanks for the reproduction case, @woz5999! This is indeed another issue with unmarking sensitive values when evaluating expressions, and this time the splat is the problem here. We'll need to fix that again in the upstream HCL library.

For now, you can replace the use of splat with a for expression, as you hinted at yourself. The following should be a reasonable workaround until we can get this fixed:

locals {
  fixed_crash_local = flatten([for kvs in local.a_sensitive_map: [for v in kvs: v]])
}

[woz5999]

Thanks @alisdair . Been refactoring and confirm that that's a fix.

I'm seeing a few other cases, though I'm not sure how similar they are under the hood:

crash_local = templatefile("${path.cwd}/foo.tmpl", {
    bar = jsonencode(local.a_sensitive_map)
  })

# foo.tmpl
%{ for b in jsondecode(bar) ~}
${b.v}
%{ endfor ~}

let me know if you want a new ticket for this, else i can update this one to include the additional case

[alisdair]

@woz5999 Thanks again. That is a separate crash, caused by checking the length of a sensitive collection (in TemplateJoinExpr) as part of rendering a template with a for loop. It would be very helpful if you could file a new issue to help us track the fix, as it will be a separate patch.

[woz5999]

@alisdair #27336

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.