### Terraform Version

```shell
Terraform v1.11.0
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v5.89.0
```

### Terraform Configuration Files

```terraform
provider "aws" {
  region = "us-east-1"
}

variable "value" {
  ephemeral = true
  sensitive = true
}

resource "aws_ssm_parameter" "wo_token" {
  name             = "foo"
  type             = "SecureString"
  value_wo         = var.value
  value_wo_version = 1
}
```

### Debug Output

https://gist.github.com/hirokimatsueda/acd93379da2fc0e4cfd19de4085d3948

### Expected Behavior

When terraform plan is executed, it outputs an error explaining that `ephemeral = true` and `sensitive = true` cannot be specified together in the variable.
(Or it may be that the specification ignores the `sensitive = true` specification.)

### Actual Behavior

The following error was output:

```
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: failed to encode aws_ssm_parameter.wo_token in state: .value_wo: cannot serialize value marked as cty.NewValueMarks(marks.Ephemeral, marks.Sensitive) for inclusion in a state snapshot (this is a bug in Terraform)
│
│
╵
╷
│ Error: Changes.Encode: new value .value_wo: can't serialize value marked with cty.NewValueMarks(marks.Sensitive, marks.Ephemeral) (this is a bug in Terraform)
│
│
╵
```

### Steps to Reproduce

1. `terraform init`
2. `terraform plan --var value="bar"`

### Additional Context

I tried the following code with the azure provider to isolate if it was an aws provider issue, but got the same error.

```hcl
provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
}

variable "subscription_id" {}

variable "password" {
  ephemeral = true
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_mssql_server" "example" {
  name                                    = "mssqlserver"
  resource_group_name                     = azurerm_resource_group.example.name
  location                                = azurerm_resource_group.example.location
  version                                 = "12.0"
  administrator_login                     = "missadministrator"
  administrator_login_password_wo         = var.password
  administrator_login_password_wo_version = 1
}
```

terraform plan output:

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "westeurope"
      + name     = "example-resources"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Error: failed to encode azurerm_mssql_server.example in state: .administrator_login_password_wo: cannot serialize value marked as cty.NewValueMarks(marks.Ephemeral, marks.Sensitive) for inclusion in a state snapshot (this is a bug in Terraform)
│
│
╵
╷
│ Error: Changes.Encode: new value .administrator_login_password_wo: can't serialize value marked with cty.NewValueMarks(marks.Ephemeral, marks.Sensitive) (this is a bug in Terraform)
│
│
╵
```

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
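A pre-plan check for the pattern this report describes, as an added example that is not part of the original issue or of Terraform: it scans configuration text for variables that set both `ephemeral = true` and `sensitive = true` and lists the write-only (`_wo`) arguments fed from them. The function names and the regex-based scanning are assumptions of this example; it is not a full HCL parser and only skips whole-line comments.

```python
import re

# Constructed sample: the AWS configuration from the report above.
SAMPLE = '''
variable "value" {
  ephemeral = true
  sensitive = true
}

resource "aws_ssm_parameter" "wo_token" {
  name             = "foo"
  type             = "SecureString"
  value_wo         = var.value
  value_wo_version = 1
}
'''

VAR_HEADER = re.compile(r'^\s*variable\s+"([^"]+)"\s*\{', re.M)
# `<argument>_wo = var.<name>`: a write-only argument fed from a variable.
WO_ASSIGN = re.compile(r'^\s*(\w+_wo)\s*=\s*var\.([\w-]+)\s*$', re.M)

def block_body(src, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def is_true(body, flag):
    """True when the block body contains a line `<flag> = true`."""
    return re.search(rf'^\s*{flag}\s*=\s*true\s*$', body, re.M) is not None

def find_affected(src):
    """Map each ephemeral+sensitive variable to the _wo arguments using it."""
    src = re.sub(r'^\s*(#|//).*$', '', src, flags=re.M)  # drop comment lines
    uses = {}
    for m in VAR_HEADER.finditer(src):
        body = block_body(src, m.end() - 1)
        if is_true(body, "ephemeral") and is_true(body, "sensitive"):
            uses[m.group(1)] = []
    for attr, var in WO_ASSIGN.findall(src):
        if var in uses:
            uses[var].append(attr)
    return uses

if __name__ == "__main__":
    print(find_affected(SAMPLE))
```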