### Terraform Version

```shell
Terraform v1.14.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azurerm v4.33.0
```

### Terraform Configuration Files

```terraform
resource "terraform_data" "test" {
  input = {
    secret_token = data.azurerm_key_vault_secret.test.value
  }

  triggers_replace = {
    test = var.test
  }

  provisioner "local-exec" {
    command = <<-EOT
      echo Hello World
      echo Test ref - ${self.input.secret_token}
    EOT
    when    = create
  }

  provisioner "local-exec" {
    command = <<-EOT
      echo Bye World
      echo Test ref - ${self.input.secret_token}
    EOT
    when    = destroy
  }
}
```

### Debug Output

```text
For creation:

  # terraform_data.test will be created
  + resource "terraform_data" "test" {
      + id               = (known after apply)
      + input            = {
          + secret_token = (sensitive value)
        }
      + output           = (known after apply)
      + triggers_replace = {
          + test = "test"
        }
    }

terraform_data.test: Creating...
terraform_data.test: Provisioning with 'local-exec'...
terraform_data.test (local-exec): (output suppressed due to sensitive value in config)
terraform_data.test (local-exec): (output suppressed due to sensitive value in config)
terraform_data.test (local-exec): (output suppressed due to sensitive value in config)

For deletion (!):

  # terraform_data.test will be destroyed
  - resource "terraform_data" "test" {
      - id               = "203ef1f3-b51f-8c00-63e4-3df54504ab7c" -> null
      - input            = {
          - secret_token = (sensitive value)
        } -> null
      - output           = {
          - secret_token = "ultra-hidden-secret-in-the-kv" <-- ????
        } -> null
      - triggers_replace = {
          - test = "test"
        } -> null
    }
```

### Expected Behavior

When using the `terraform_data` resource with sensitive values in the `input` attribute, the `output` attribute should preserve the sensitive marking to prevent secret exposure in plan/destroy output.

```terraform
resource "terraform_data" "test" {
  input = {
    secret_token = data.azurerm_key_vault_secret.test.value
  }
}
```

Expected destroy output:

```text
- output = {
    - secret_token = (sensitive value)
  } -> null
```

### Actual Behavior

The `output` attribute does **not** inherit the `sensitive` flag that `data.azurerm_key_vault_secret.test.value` carries by default through `input`, causing secrets to be exposed in plaintext during plan and destroy operations.

```text
- output = {
    - secret_token = "ultra-hidden-secret-in-the-kv"
  } -> null
```

This occurs even when:

- The source value is marked sensitive (e.g., from `data.azurerm_key_vault_secret.test.value`)
- The `input` attribute correctly shows `(sensitive value)` - see above

### Steps to Reproduce

1. Take the configuration from above
2. Run `terraform apply`
3. Run `terraform destroy` (or change the trigger to force a replace)

### Additional Context

This issue creates a security vulnerability where:

- Secrets are logged in CI/CD pipelines (Azure DevOps, GitHub Actions, etc.)
- Sensitive data appears in Terraform output captured by logging systems
- No workaround exists for destroy-time provisioners (cannot use `environment` due to destroy-time reference restrictions), as I don't want to use `triggers` (in `null_resource`) or `triggers_replace` here :) I don't want to trigger a replacement based on a changed API token; I want to keep the token only in `input`/`output`.

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
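A CI-side check for the exposure described above, added here as an example (it is not code from this issue or from Terraform). It reads the machine-readable plan that `terraform show -json` produces and flags any string that is marked sensitive at one path (for example `input.secret_token`) but appears unmarked at another path of the same resource (for example `output.secret_token`). It assumes the documented JSON plan format, where each `resource_changes` entry carries `change.before` / `change.after` together with `before_sensitive` / `after_sensitive` objects that mirror the value structure with `true` at sensitive leaves. The check is written generally, so it covers any resource type and both the before and after sides, not only `terraform_data`; the embedded plan excerpt is constructed from the destroy plan in the issue, and the secret literal in it is a placeholder.

```python
"""Check a `terraform show -json` plan for secret values that are marked
sensitive at one path but appear unmarked at another (the terraform_data
input -> output case from the issue).

Added example for this issue; not code from the issue or from Terraform.
Assumes the documented JSON plan format: each `resource_changes` entry has
`change.before` / `change.after` plus `before_sensitive` / `after_sensitive`,
objects that mirror the value structure with `true` at sensitive leaves.
"""
import json
import sys
from typing import Any, Iterator

# Constructed plan excerpt modelled on the destroy plan in the issue.
# The secret literal is a placeholder, not a real credential.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "terraform_data.test",
        "type": "terraform_data",
        "change": {
            "actions": ["delete"],
            "before": {
                "id": "203ef1f3-b51f-8c00-63e4-3df54504ab7c",
                "input": {"secret_token": "ultra-hidden-secret-in-the-kv"},
                "output": {"secret_token": "ultra-hidden-secret-in-the-kv"},
                "triggers_replace": {"test": "test"},
            },
            "after": None,
            # input is marked sensitive, output is not: the bug in the issue
            "before_sensitive": {"input": {"secret_token": True},
                                 "output": {}, "triggers_replace": {}},
            "after_sensitive": False,
        },
    }],
})


def _sensitive_leaves(marks: Any, path: tuple = ()) -> set:
    """Collect every path at which the `*_sensitive` structure says `true`."""
    if marks is True:
        return {path}
    if isinstance(marks, dict):
        return set().union(*(_sensitive_leaves(v, path + (k,)) for k, v in marks.items()))
    if isinstance(marks, list):
        return set().union(*(_sensitive_leaves(v, path + (i,)) for i, v in enumerate(marks)))
    return set()


def _string_leaves(value: Any, path: tuple = ()) -> Iterator[tuple[tuple, str]]:
    """Yield (path, string) for every string leaf of a nested plan value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _string_leaves(v, path + (k,))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _string_leaves(v, path + (i,))


def _lookup(value: Any, path: tuple) -> Any:
    """Follow a path of keys/indices into a nested value; None if absent."""
    for key in path:
        if isinstance(value, dict) and key in value:
            value = value[key]
        elif isinstance(value, list) and isinstance(key, int) and key < len(value):
            value = value[key]
        else:
            return None
    return value


def _is_marked(path: tuple, marked: set) -> bool:
    """A leaf is covered when it or any ancestor path carries a mark."""
    return any(path[:i] in marked for i in range(len(path) + 1))


def _fmt(path: tuple) -> str:
    return ".".join(str(p) for p in path)


def find_unmarked_leaks(plan: dict) -> list[dict]:
    """Report string leaves that repeat a sensitive-marked value without a
    mark of their own. Findings name paths only, never the value itself."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for side in ("before", "after"):
            values, marks = change.get(side), change.get(f"{side}_sensitive")
            if not isinstance(values, dict) or not isinstance(marks, dict):
                continue
            marked = _sensitive_leaves(marks)
            # Every string under a marked path is a secret we must not see elsewhere.
            secrets = {}
            for p in marked:
                for sub_path, s in _string_leaves(_lookup(values, p), p):
                    if s:
                        secrets[s] = sub_path
            for leaf_path, s in _string_leaves(values):
                if s in secrets and not _is_marked(leaf_path, marked):
                    findings.append({"address": rc.get("address"), "side": side,
                                     "unmarked_path": _fmt(leaf_path),
                                     "marked_path": _fmt(secrets[s])})
    return findings


def scan_plan_json(text: str) -> list[dict]:
    return find_unmarked_leaks(json.loads(text))


if __name__ == "__main__":
    # With a path argument, scan that plan file; otherwise use the constructed sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    results = scan_plan_json(source)
    for f in results:
        print(f"{f['address']} ({f['side']}): {f['unmarked_path']} repeats "
              f"sensitive {f['marked_path']} without a sensitive mark")
    sys.exit(1 if results else 0)
```

To use it against a real destroy plan: `terraform plan -destroy -out=tfplan`, then `terraform show -json tfplan > plan.json` and `python check_plan.py plan.json`; a non-zero exit fails the pipeline step before the human-readable plan is printed. Note that the JSON plan file itself contains the unredacted values, so write it to a scratch location and never echo it into the job log. The match is by exact string equality, which is enough for the map-of-strings case in the issue but will not catch a secret that is transformed (encoded, concatenated) on its way into another attribute.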