### Terraform Version

```shell
Terraform v1.3.1
on darwin_amd64
```

### Terraform Configuration Files

This configuration does involve multiple files, but it is extremely simple, so I've put the contents of both files here.

main.tf

```terraform
variable secretConfig {
  type = map(any)
  sensitive = true
}
```

terraform.tfvars

```terraform
secretConfig = { "something" = "extremely confidential", "oops" }
```

### Debug Output

https://gist.github.com/92bcf1a7455b5da1ab17f8a5c1f223fe

### Expected Behavior

The CLI should complain about a malformed value, but refrain from displaying the value. Given that the value may contain sensitive information, it should not be displayed. An indication of the location where the parser failed should be sufficient. E.g.:

```
╷
│ Error: Missing key/value separator
│
│   on terraform.tfvars line 1, column 63:
│    1: (sensitive)
│
│ Expected an equals sign ("=") to mark the beginning of the attribute value.
╵
```

### Actual Behavior

The malformed secret value is displayed in full:

```
╷
│ Error: Missing key/value separator
│
│   on terraform.tfvars line 1:
│    1: secretConfig = { "something" = "extremely confidential", "oops" }
│
│ Expected an equals sign ("=") to mark the beginning of the attribute value.
╵
```

### Steps to Reproduce

1. terraform init
2. terraform plan

### Additional Context

A variable that is marked as sensitive may contain sensitive data even when it is malformed, e.g. contains a syntax error (unclosed quote, missing comma for any reason). The terraform CLI is trying to be helpful by including the entirety of the value to help indicate the mistake; however, this breaks the contract of a sensitive value by unnecessarily exposing potentially sensitive information.

### References

_No response_
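Until the CLI behaves as the report asks, CI logs can be scrubbed with an output filter. The following is an added example, not part of the original issue and not Terraform code: it rewrites the echoed source line of any diagnostic that points into a variable-definitions file, producing the shape shown under Expected Behavior. The function name, the choice of `.tfvars` / `.tfvars.json` as the sensitive file pattern, and plain (`-no-color`) output are assumptions; the sample text is constructed from the output quoted above.

```python
import re

# Location header of a diagnostic, e.g. "│   on terraform.tfvars line 1:"
LOCATION = re.compile(r"^\W*on (?P<file>\S+) line \d+")
# Snippet line echoing the source text, e.g. "│    1: secretConfig = {...}"
SNIPPET = re.compile(r"^(?P<prefix>\W*\d+: ).*$")
# Assumption: variable-definition files are where secret values live.
SENSITIVE_FILES = re.compile(r"\.tfvars(\.json)?$")

# Constructed sample, mirroring the "Actual Behavior" output in the report.
SAMPLE = """\
╷
│ Error: Missing key/value separator
│
│   on terraform.tfvars line 1:
│    1: secretConfig = { "something" = "extremely confidential", "oops" }
│
│ Expected an equals sign ("=") to mark the beginning of the attribute value.
╵
"""


def redact_diagnostics(text: str) -> str:
    """Replace echoed source lines from sensitive files with "(sensitive)"."""
    out, redacting = [], False
    for line in text.splitlines():
        loc = LOCATION.match(line)
        if loc:
            # New source location: decide whether its snippet must be hidden.
            redacting = bool(SENSITIVE_FILES.search(loc.group("file")))
        elif redacting:
            snip = SNIPPET.match(line)
            if snip:
                # Keep the gutter and line number, drop the source text.
                line = snip.group("prefix") + "(sensitive)"
            else:
                # First non-snippet line ends the (possibly multi-line) snippet.
                redacting = False
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(redact_diagnostics(SAMPLE), end="")
```

The filter only helps for output that passes through it, so it belongs in the CI wrapper that invokes `terraform plan`, ahead of any log collection.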