Terraform Crash - value is marked, so must be unmarked first #30824

Closed
joaomlneto opened this issue Apr 8, 2022 · 5 comments · Fixed by #30825
Labels
bug confirmed a Terraform Core team member has reproduced this issue v1.1 Issues (primarily bugs) reported against v1.1 releases

joaomlneto commented Apr 8, 2022

Terraform Version

Terraform v1.1.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.9.0
+ provider registry.terraform.io/vercel/vercel v0.2.4

Terraform Configuration Files

variable "vercel_token" {
  type = string
}

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.9.0"
    }
    vercel = {
      source = "vercel/vercel"
      version = "0.2.4"
    }
  }

  required_version = "1.1.8"
}

provider "aws" {
  region = "us-east-1"
}

provider "vercel" {
  api_token = var.vercel_token
}

resource "aws_cognito_user_pool" "pool" {
  name = "test-pool-joaomlneto-terraform-bug"
}

resource "aws_cognito_resource_server" "api" {
  identifier   = "api"
  name         = "API - Local Development"
  user_pool_id = aws_cognito_user_pool.pool.id

  scope {
    scope_description = "Everything"
    scope_name        = "all.all"
  }
}

resource "aws_cognito_user_pool_client" "api" {
  name         = "api"
  user_pool_id = aws_cognito_user_pool.pool.id
  depends_on = [aws_cognito_resource_server.api]
}

resource "vercel_project" "test" {
  name = "test-test-test"

  environment = [
    {
      key = "NEXT_PUBLIC_COGNITO_CLIENT_ID"
      value = aws_cognito_user_pool_client.api.id
      target = ["production", "preview", "development"]
    },
    {
      key = "NEXT_PUBLIC_COGNITO_CLIENT_SECRET"
      value = aws_cognito_user_pool_client.api.client_secret
      target = ["production", "preview", "development"]
    },
    {
      key = "NEXT_PUBLIC_COGNITO_USER_POOL_ID"
      value = aws_cognito_user_pool.pool.id
      target = ["production", "preview", "development"]
    },
  ]
}

Debug Output

https://gist.githubusercontent.com/joaomlneto/a84503bf02d776363601b09b5835b68d/raw/697747b065a31a8c0fd6d0f85a897c77167f80ce/stderr.out

Expected Behavior

Resource vercel_project.test should be created successfully.

Actual Behavior

Terraform crashes with error "value is marked, so must be unmarked first"

Steps to Reproduce

  1. terraform init
  2. terraform apply

Additional Context

One of the providers (vercel/vercel) is quite recent and still in beta, so may be the culprit.

References

None that I've seen.

@joaomlneto joaomlneto added bug new new issue not yet triaged labels Apr 8, 2022
Member

bflad commented Apr 8, 2022

In case it helps for triage purposes, vercel/vercel is a terraform-plugin-framework based provider (protocol version 6) and the environment attribute is a set based nested attribute:

https://github.com/vercel/terraform-provider-vercel/blob/324ca04737f463acf9ef507a46cd7ce286e0916d/vercel/resource_project.go#L65-L96

And aws_cognito_user_pool_client resource client_secret attribute is marked Sensitive:

https://github.com/hashicorp/terraform-provider-aws/blob/8f1441d9fea07faa1d11288187fe425293f98a1c/internal/service/cognitoidp/user_pool_client.go#L114-L118

Member

alisdair commented Apr 8, 2022

Thanks for the report! I'm able to reproduce it with this minimal config:

terraform {
  required_providers {
    nested = {
      source = "alisdair/nested"
    }
  }
}

resource "nested_set" "example" {
  name = "example"
  values = [
    {
      string = sensitive("foo")
    },
  ]
}

@alisdair alisdair added confirmed a Terraform Core team member has reproduced this issue v1.1 Issues (primarily bugs) reported against v1.1 releases and removed new new issue not yet triaged labels Apr 8, 2022
@alisdair alisdair self-assigned this Apr 8, 2022
@joaomlneto
Author

> And aws_cognito_user_pool_client resource client_secret attribute is marked Sensitive:

I can confirm that's probably the culprit — even on the 100-resource configuration I'm using, the error happens with the client_secret, not with the other variables.

Sorry for not making the example smaller, but glad you figured it out relatively quickly. :-)

Member

alisdair commented Apr 8, 2022

There's a fix pending review in #30825. I think it will have the unfortunate side effect of making the diff for your example code less useful, as the entire environments attribute will be hidden. Something like this:

Terraform will perform the following actions:

  # vercel_project.test will be created
  + resource "vercel_project" "test" {
      + name = "test-test-test"

      + environment = (sensitive value)
    }

This is a side effect of the cty.Set being used as the backing store for the vercel_project's environments attribute. In the cty library used by Terraform, any sensitive values in a set's elements are collated and applied to the set itself. This in turn means that we can only hide the entire set if it contains any sensitive values.

Addressing that and providing a more detailed diff of sets with sensitive values is a more complex task that will take some design work. In the meantime, if you do not consider the client_secret value to be sensitive and would like a more detailed diff (and also for Terraform not to crash!), you can unmark it:

value = nonsensitive(aws_cognito_user_pool_client.api.client_secret)
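
The set behaviour described in the comment above, as an added example that is not part of the original thread and is not Terraform's or cty's code: a simplified Go model of collating element marks onto a set, with a list shown for contrast (a generalization beyond the thread). The `Value` and `Set` types and the sample values are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Value and Set are simplified stand-ins (hypothetical types, not cty's API).
type Value struct{ Str string; Sensitive bool }
type Set struct{ Elems map[string]bool; Sensitive bool } // element marks collate here

func NewSet(vals ...Value) Set {
	s := Set{Elems: map[string]bool{}}
	for _, v := range vals {
		s.Elems[v.Str] = true // membership uses the raw, unmarked value
		s.Sensitive = s.Sensitive || v.Sensitive
	}
	return s
}

func RenderSet(s Set) string { // per-element marks are gone: show or hide the whole set
	if s.Sensitive {
		return "(sensitive value)"
	}
	out := make([]string, 0, len(s.Elems))
	for e := range s.Elems {
		out = append(out, fmt.Sprintf("%q", e))
	}
	sort.Strings(out)
	return "[" + strings.Join(out, ", ") + "]"
}

func RenderList(vals []Value) string { // each element keeps its own mark
	out := make([]string, len(vals))
	for i, v := range vals {
		out[i] = fmt.Sprintf("%q", v.Str)
		if v.Sensitive {
			out[i] = "(sensitive value)"
		}
	}
	return "[" + strings.Join(out, ", ") + "]"
}

func main() {
	vals := []Value{{"client-id-123", false}, {"s3cr3t", true}} // constructed sample values
	fmt.Printf("set:  %s\nlist: %s\n", RenderSet(NewSet(vals...)), RenderList(vals))
}
```

In this model, unmarking the secret before it enters the set is the only way to get a per-element rendering, which is also what exposes it in the output.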
