### Terraform Version ```shell Terraform v1.12.0-dev on darwin_arm64 + provider registry.terraform.io/hashicorp/null v3.2.3 ``` ### Terraform Configuration Files ```terraform variable "foo" { type = string default = "bar" ephemeral = true } resource "null_resource" "test" { provisioner "local-exec" { environment = { FOO = var.foo } command = "echo hello" } } ``` ### Debug Output Full log here: https://gist.github.com/simmsb/52ae66fb0c5f3000ea8c42ce984046fb ``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # null_resource.test will be created + resource "null_resource" "test" { + id = (known after apply) } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes null_resource.test: Creating... null_resource.test: Provisioning with 'local-exec'... null_resource.test (local-exec): (output suppressed due to sensitive value in config) null_resource.test (local-exec): (output suppressed due to sensitive value in config) null_resource.test: Creation complete after 0s [id=847589565284345878] Apply complete! Resources: 1 added, 0 changed, 0 destroyed. ``` ### Expected Behavior Output should not be suppressed as no sensitive values are present. ### Actual Behavior Ephemeral values triggger sensitive data hiding of log output. ### Steps to Reproduce 1. `terraform init` 2. `terraform apply` ### Additional Context The output hiding seems to be triggered by the presence of any 'marks' in the config, and not just 'sensitive' marks. ```diff diff --git a/internal/terraform/node_resource_abstract_instance.go b/internal/terraform/node_resource_abstract_instance.go index 49056fb772..c422636505 100644 --- a/internal/terraform/node_resource_abstract_instance.go +++ b/internal/terraform/node_resource_abstract_instance.go @@ -2346,12 +2346,13 @@ func (n *NodeAbstractResourceInstance) applyProvisioners(ctx EvalContext, state // later. unmarkedConfig, configMarks := config.UnmarkDeep() unmarkedConnInfo, _ := connInfo.UnmarkDeep() + _, isSensitiveConfig := configMarks[marks.Sensitive] // Marks on the config might result in leaking sensitive values through // provisioner logging, so we conservatively suppress all output in // this case. This should not apply to connection info values, which // provisioners ought not to be logging anyway. - if len(configMarks) > 0 { + if isSensitiveConfig { outputFn = func(msg string) { ctx.Hook(func(h Hook) (HookAction, error) { h.ProvisionOutput(n.HookResourceIdentity(), prov.Type, "(output suppressed due to sensitive value in config)") ``` ### References _No response_ ### Generative AI / LLM assisted development? _No response_