### Terraform Version ```shell Terraform v1.13.4 on linux_amd64 ``` ### Terraform Configuration Files ```terraform resource "camo_data" "test" { input_wo = "write-only-foo" provisioner "local-exec" { environment = { WRITE_ONLY_ENV = self.input_wo } # This is always empty! command = "echo \"WO: $WRITE_ONLY_ENV.\"" } } ``` ### Debug Output I think these are the relevant bits during the apply: ``` 2025-11-01T16:03:14.548+0800 [DEBUG] provider.terraform-provider-camo: Nullifying write-only attribute in the newState: @caller=/home/jkbach/go/pkg/mod/github.com/hashicorp/terraform-plugin-framework@v1.16.1/internal/fwserver/write_only_nullification.go:61 @module=sdk.framework tf_req_id=f2ad45b9-8532-e5ed-ba50-d6bd7082de24 tf_resource_type=camo_data tf_attribute_path="AttributeName(\"input_wo\")" tf_provider_addr=registry.terraform.io/meridianleap/camo tf_rpc=PlanResourceChange timestamp="2025-11-01T16:03:14.548+0800" ... 2025-11-01T16:03:14.550+0800 [TRACE] applyProvisioners: provisioning camo_data.test with "local-exec" 2025-11-01T16:03:14.550+0800 [TRACE] terraform.contextPlugins: Initializing provisioner "local-exec" to read its schema 2025-11-01T16:03:14.550+0800 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/meridianleap/camo" is in the global cache 2025-11-01T16:03:14.550+0800 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/meridianleap/camo" is in the global cache 2025-11-01T16:03:14.550+0800 [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/meridianleap/camo" is in the global cache camo_data.test: Provisioning with 'local-exec'... camo_data.test (local-exec): Executing: ["/bin/sh" "-c" "echo \"WO: $WRITE_ONLY_ENV.\""] camo_data.test (local-exec): WO: . ``` ### Expected Behavior Write-only attributes should be accessible on the `self.` object inside the provisioner block. ### Actual Behavior Write-only attributes were unset, but did not trigger any warning or error in the `plan` or `apply` output. ### Steps to Reproduce 1. Add a reference to a write-only attribute via `self.` in a provisioner block. 2. terraform init 3. terraform apply 4. Observe that the write-only attribute is unset in the provisioner. I noticed it in a provider that I'm developing ([repo link](https://github.com/meridianleap/terraform-provider-camo/tree/jkbach/write-only)), you can check out the `jkbach/write-only` branch, `go install .`, update `.terraformrc` to: ```hcl provider_installation { dev_overrides { "meridianleap/camo" = "" } direct {} } ``` and then `terraform apply` the following config: ```hcl terraform { required_providers { camo = { source = "meridianleap/camo" } } } resource "camo_data" "test" { input_wo = "sensitive-foo" provisioner "local-exec" { environment = { WRITE_ONLY_ENV = self.input_wo } command = "echo \"WO: $WRITE_ONLY_ENV.\"" } } ``` and observe that the output is simply: `WO: ` instead of `WO: sensitive-foo`. ### Additional Context I'm pretty sure this is a Terraform issue and not an issue with my provider. Looking at the logs, it seems like the write-only attribute is being unset before the provisioner starts executing. If this is intentional, then this ticket is actually a feature request :) I assumed it was a bug because not being able to access write-only attributes isn't mentioned in the docs[^1], and the `terraform` command doesn't complain when I try to reference `self.input_wo` from the provisioner block (unlike trying to access something like `var.foo` or `.`, which create a clear error). I also don't believe it conflicts with the logic referenced in https://github.com/hashicorp/terraform/issues/23679#issuecomment-597388015 about circular dependencies in destroy provisioners. Thanks! [^1]: https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/write-only-arguments ### References _No response_ ### Generative AI / LLM assisted development? _No response_