{
  "id": "terraform/sensitive-variable-in-output",
  "signature": "Error: Output refers to sensitive values: output \"db_password\" depends on sensitive attribute \"var.db_password\"",
  "signature_zh": "错误：输出引用敏感值：输出 \"db_password\" 依赖于敏感属性 \"var.db_password\"",
  "regex": "Output refers to sensitive values.*depends on sensitive attribute",
  "domain": "terraform",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "An output value is derived from a sensitive variable or resource attribute without being explicitly marked as sensitive, causing a validation error.",
  "root_cause_type": "generic",
  "root_cause_zh": "输出值来源于敏感变量或资源属性，但未显式标记为敏感，导致验证错误。",
  "versions": [
    {
      "version": "Terraform v1.5.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Terraform v1.6.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Terraform v1.7.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Remove the sensitive attribute from the variable definition",
      "why_fails": "The data is still sensitive; removing the attribute doesn't make it safe to expose.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use nonsensitive() function in the output value",
      "why_fails": "nonsensitive() only works if the value is not truly sensitive; it may cause a runtime error if the source is sensitive.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "Comment out the output block entirely",
      "why_fails": "This hides the value but doesn't fix the underlying dependency issue.",
      "fail_rate": 0.4,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Mark the output as sensitive: `output \"db_password\" { value = var.db_password; sensitive = true }`",
      "success_rate": 0.95,
      "how": "Mark the output as sensitive: `output \"db_password\" { value = var.db_password; sensitive = true }`",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.",
      "success_rate": 0.8,
      "how": "If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Mark the output as sensitive: `output \"db_password\" { value = var.db_password; sensitive = true }`",
    "If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-outputs",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2024-05-12",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}