diff --git a/modules/topic/locals.tf b/modules/topic/locals.tf
new file mode 100644
index 0000000..18c247d
--- /dev/null
+++ b/modules/topic/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  subscriptions_map  = { for subscription in var.subscriptions : "${subscription.protocol}:${coalesce(subscription.name, sha256(subscription.endpoint))}" => subscription }
+  subscriptions_keys = nonsensitive(keys(local.subscriptions_map))
+}
diff --git a/modules/topic/main.tf b/modules/topic/main.tf
index 3cd07aa..cc2be0b 100644
--- a/modules/topic/main.tf
+++ b/modules/topic/main.tf
@@ -13,12 +13,12 @@ data "aws_sns_topic" "this" {
 }
 
 resource "aws_sns_topic_subscription" "this" {
-  for_each = { for subscription in var.subscriptions : "${subscription.protocol}:${coalesce(subscription.name, subscription.endpoint)}" => subscription }
+  for_each = { for key in local.subscriptions_keys : key => key }
 
   topic_arn              = try(aws_sns_topic.this[0].arn, data.aws_sns_topic.this[0].arn)
-  protocol               = each.value.protocol
-  endpoint               = each.value.endpoint
-  endpoint_auto_confirms = each.value.endpoint_auto_confirms
+  protocol               = local.subscriptions_map[each.value].protocol
+  endpoint               = local.subscriptions_map[each.value].endpoint
+  endpoint_auto_confirms = local.subscriptions_map[each.value].endpoint_auto_confirms
 
   redrive_policy = (try(each.value.dead_letter_queue_arn, null) == null) ? null : jsonencode({
     deadLetterTargetArn = each.value.dead_letter_queue_arn
diff --git a/modules/topic/variables.tf b/modules/topic/variables.tf
index 2ca6874..0dde3d3 100644
--- a/modules/topic/variables.tf
+++ b/modules/topic/variables.tf
@@ -25,6 +25,7 @@ variable "subscriptions" {
   }))
   default     = []
   description = "SNS Subscriptions"
+  sensitive   = true
 }
 
 variable "delivery_policy" {