# Error: Output refers to sensitive values: output "db_password" depends on sensitive attribute "var.db_password"

- **ID:** `terraform/sensitive-variable-in-output`
- **Domain:** terraform
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

An output value is derived from a sensitive variable or resource attribute without being explicitly marked as sensitive, causing a validation error.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Terraform v1.5.0 | active | — | — |
| Terraform v1.6.0 | active | — | — |
| Terraform v1.7.0 | active | — | — |

## Workarounds

1. **Mark the output as sensitive: `output "db_password" { value = var.db_password; sensitive = true }`** (95% success)
   ```
   Mark the output as sensitive: `output "db_password" { value = var.db_password; sensitive = true }`
   ```
2. **If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.** (80% success)
   ```
   If the value is not truly sensitive, remove the `sensitive = true` from the variable and use `nonsensitive(var.db_password)` in the output.
   ```

## Dead Ends

- **Remove the sensitive attribute from the variable definition** — The data is still sensitive; removing the attribute doesn't make it safe to expose. (70% fail)
- **Use nonsensitive() function in the output value** — nonsensitive() only works if the value is not truly sensitive; it may cause a runtime error if the source is sensitive. (60% fail)
- **Comment out the output block entirely** — This hides the value but doesn't fix the underlying dependency issue. (40% fail)