straubt1 · September 9, 2021 15:45
diff --git a/main.tf b/main.tf
 # Using the 'random_pet' resource to drive the example and treating the "prefix" argument as a secret.

 variable "pets" {
  description = "Map of 'random_pets' to create. These would be any non-sensitive values used to configure the resource."
  type = map(object({
    length    = number
    separator = string
  }))

  # default for easy demo
  default = {
    "one" = {
      length    = 2,
      separator = ","
    },
    "two" = {
      length    = 4,
      separator = ";"
    }
  }
 }

 variable "pets_sensitive" {
  description = "Map of 'random_pets' to create, keys MUST match var.pets input variable. These would be an sensitive values used to configure the resource."
  sensitive   = true
  type = map(object({
    prefix = string
  }))

  # default for easy demo
  default = {
    "one" = {
      prefix = "secretone"
    },
    "two" = {
      prefix = "secrettwo"
    }
  }
 }

 locals {
  # Combine both variables into a single map, important note is that key in this map can NOT
  # be derived from the variable marked as sensitive.
  random_pets_map = {
    for key, value in var.pets : key => {
      length    = value.length
      separator = value.separator
      prefix    = var.pets_sensitive[key].prefix
    }
  }
 }

 resource "random_pet" "name" {
  for_each = local.random_pets_map

  length    = each.value.length
  separator = each.value.separator
  prefix    = each.value.prefix
 }

 # In order for this to work, you must comment out the "sensitive   = true" for the "pets_sensitive" variable above.
 # output "debug" {
 #   value = {
 #     test = local.random_pets_map
 #   }
 # }

 /* Example Output:
 $ terraform apply                                                                                                                           [10:44:23]

 Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

 Terraform will perform the following actions:

  # random_pet.name["one"] will be created
  + resource "random_pet" "name" {
      + id        = (known after apply)
      + length    = 2
      + prefix    = (sensitive)
      + separator = ","
    }

  # random_pet.name["two"] will be created
  + resource "random_pet" "name" {
      + id        = (known after apply)
      + length    = 4
      + prefix    = (sensitive)
      + separator = ";"
    }

 Plan: 2 to add, 0 to change, 0 to destroy.

 Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

 random_pet.name["two"]: Creating...
 random_pet.name["one"]: Creating...
 random_pet.name["two"]: Creation complete after 0s [id=secrettwo;directly;hideously;welcome;coyote]
 random_pet.name["one"]: Creation complete after 0s [id=secretone,super,bird]

 Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
 */
	# Using the 'random_pet' resource to drive the example and treating the "prefix" argument as a secret.

	variable "pets" {
	description = "Map of 'random_pets' to create. These would be any non-sensitive values used to configure the resource."
	type = map(object({
	length = number
	separator = string
	}))

	# default for easy demo
	default = {
	"one" = {
	length = 2,
	separator = ","
	},
	"two" = {
	length = 4,
	separator = ";"
	}
	}
	}

	variable "pets_sensitive" {
	description = "Map of 'random_pets' to create, keys MUST match var.pets input variable. These would be an sensitive values used to configure the resource."
	sensitive = true
	type = map(object({
	prefix = string
	}))

	# default for easy demo
	default = {
	"one" = {
	prefix = "secretone"
	},
	"two" = {
	prefix = "secrettwo"
	}
	}
	}

	locals {
	# Combine both variables into a single map, important note is that key in this map can NOT
	# be derived from the variable marked as sensitive.
	random_pets_map = {
	for key, value in var.pets : key => {
	length = value.length
	separator = value.separator
	prefix = var.pets_sensitive[key].prefix
	}
	}
	}

	resource "random_pet" "name" {
	for_each = local.random_pets_map

	length = each.value.length
	separator = each.value.separator
	prefix = each.value.prefix
	}

	# In order for this to work, you must comment out the "sensitive = true" for the "pets_sensitive" variable above.
	# output "debug" {
	# value = {
	# test = local.random_pets_map
	# }
	# }

	/* Example Output:
	$ terraform apply [10:44:23]

	Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
	+ create

	Terraform will perform the following actions:

	# random_pet.name["one"] will be created
	+ resource "random_pet" "name" {
	+ id = (known after apply)
	+ length = 2
	+ prefix = (sensitive)
	+ separator = ","
	}

	# random_pet.name["two"] will be created
	+ resource "random_pet" "name" {
	+ id = (known after apply)
	+ length = 4
	+ prefix = (sensitive)
	+ separator = ";"
	}

	Plan: 2 to add, 0 to change, 0 to destroy.

	Do you want to perform these actions?
	Terraform will perform the actions described above.
	Only 'yes' will be accepted to approve.

	Enter a value: yes

	random_pet.name["two"]: Creating...
	random_pet.name["one"]: Creating...
	random_pet.name["two"]: Creation complete after 0s [id=secrettwo;directly;hideously;welcome;coyote]
	random_pet.name["one"]: Creation complete after 0s [id=secretone,super,bird]

	Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
	*/