Hide ephemeral values from provisioner output (#36427)

Author: Liam Cervante

.changes/backported/BUG FIXES-20250205-095231.yaml

@@ -0,0 +1,5 @@
+kind: BUG FIXES
+body: 'ephemeral values: correct error message when ephemeral values are included in provisioner output'
+time: 2025-02-05T09:52:31.116553+01:00
+custom:
+    Issue: "36427"

internal/terraform/context_apply_test.go

@@ -12464,76 +12464,110 @@ output "out" {
 	}
 }
 
-func TestContext2Apply_provisionerSensitive(t *testing.T) {
-	m := testModule(t, "apply-provisioner-sensitive")
-	p := testProvider("aws")
-
-	pr := testProvisioner()
-	pr.ProvisionResourceFn = func(req provisioners.ProvisionResourceRequest) (resp provisioners.ProvisionResourceResponse) {
-		if req.Config.ContainsMarked() {
-			t.Fatalf("unexpectedly marked config value: %#v", req.Config)
-		}
-		command := req.Config.GetAttr("command")
-		if command.IsMarked() {
-			t.Fatalf("unexpectedly marked command argument: %#v", command.Marks())
-		}
-		req.UIOutput.Output(fmt.Sprintf("Executing: %q", command.AsString()))
-		return
-	}
-	p.PlanResourceChangeFn = testDiffFn
-	p.ApplyResourceChangeFn = testApplyFn
-
-	h := new(MockHook)
-	ctx := testContext2(t, &ContextOpts{
-		Hooks: []Hook{h},
-		Providers: map[addrs.Provider]providers.Factory{
-			addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
-		},
-		Provisioners: map[string]provisioners.Factory{
-			"shell": testProvisionerFuncFixed(pr),
+func TestContext2Apply_provisionerMarks(t *testing.T) {
+	tcs := map[string]struct {
+		opts *ApplyOpts
+		want string
+	}{
+		"apply-provisioner-sensitive": {
+			want: "output suppressed due to sensitive value",
+		},
+		"apply-provisioner-sensitive-ephemeral": {
+			want: "output suppressed due to sensitive, ephemeral value",
+			opts: &ApplyOpts{
+				SetVariables: InputValues{
+					"password": &InputValue{
+						Value:      cty.StringVal("secret"),
+						SourceType: ValueFromCaller,
+					},
+				},
+			},
 		},
-	})
-
-	plan, diags := ctx.Plan(m, states.NewState(), &PlanOpts{
-		Mode: plans.NormalMode,
-		SetVariables: InputValues{
-			"password": &InputValue{
-				Value:      cty.StringVal("secret"),
-				SourceType: ValueFromCaller,
+		"apply-provisioner-ephemeral": {
+			want: "output suppressed due to ephemeral value",
+			opts: &ApplyOpts{
+				SetVariables: InputValues{
+					"password": &InputValue{
+						Value:      cty.StringVal("secret"),
+						SourceType: ValueFromCaller,
+					},
+				},
 			},
 		},
-	})
-	assertNoErrors(t, diags)
+	}
+	for name, tc := range tcs {
+		t.Run(name, func(t *testing.T) {
+			m := testModule(t, name)
+			p := testProvider("aws")
+
+			pr := testProvisioner()
+			pr.ProvisionResourceFn = func(req provisioners.ProvisionResourceRequest) (resp provisioners.ProvisionResourceResponse) {
+				if req.Config.ContainsMarked() {
+					t.Fatalf("unexpectedly marked config value: %#v", req.Config)
+				}
+				command := req.Config.GetAttr("command")
+				if command.IsMarked() {
+					t.Fatalf("unexpectedly marked command argument: %#v", command.Marks())
+				}
+				req.UIOutput.Output(fmt.Sprintf("Executing: %q", command.AsString()))
+				return
+			}
+			p.PlanResourceChangeFn = testDiffFn
+			p.ApplyResourceChangeFn = testApplyFn
 
-	// "restart" provisioner
-	pr.CloseCalled = false
+			h := new(MockHook)
+			ctx := testContext2(t, &ContextOpts{
+				Hooks: []Hook{h},
+				Providers: map[addrs.Provider]providers.Factory{
+					addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
+				},
+				Provisioners: map[string]provisioners.Factory{
+					"shell": testProvisionerFuncFixed(pr),
+				},
+			})
 
-	state, diags := ctx.Apply(plan, m, nil)
-	if diags.HasErrors() {
-		logDiagnostics(t, diags)
-		t.Fatal("apply failed")
-	}
+			plan, diags := ctx.Plan(m, states.NewState(), &PlanOpts{
+				Mode: plans.NormalMode,
+				SetVariables: InputValues{
+					"password": &InputValue{
+						Value:      cty.StringVal("secret"),
+						SourceType: ValueFromCaller,
+					},
+				},
+			})
+			assertNoErrors(t, diags)
 
-	actual := strings.TrimSpace(state.String())
-	expected := strings.TrimSpace(testTerraformApplyProvisionerSensitiveStr)
-	if actual != expected {
-		t.Fatalf("wrong result\n\ngot:\n%s\n\nwant:\n%s", actual, expected)
-	}
+			// "restart" provisioner
+			pr.CloseCalled = false
 
-	// Verify apply was invoked
-	if !pr.ProvisionResourceCalled {
-		t.Fatalf("provisioner was not called on apply")
-	}
+			state, diags := ctx.Apply(plan, m, tc.opts)
+			if diags.HasErrors() {
+				logDiagnostics(t, diags)
+				t.Fatal("apply failed")
+			}
 
-	// Verify output was suppressed
-	if !h.ProvisionOutputCalled {
-		t.Fatalf("ProvisionOutput hook not called")
-	}
-	if got, doNotWant := h.ProvisionOutputMessage, "secret"; strings.Contains(got, doNotWant) {
-		t.Errorf("sensitive value %q included in output:\n%s", doNotWant, got)
-	}
-	if got, want := h.ProvisionOutputMessage, "output suppressed"; !strings.Contains(got, want) {
-		t.Errorf("expected hook to be called with %q, but was:\n%s", want, got)
+			actual := strings.TrimSpace(state.String())
+			expected := strings.TrimSpace(testTerraformApplyProvisionerSensitiveStr)
+			if actual != expected {
+				t.Fatalf("wrong result\n\ngot:\n%s\n\nwant:\n%s", actual, expected)
+			}
+
+			// Verify apply was invoked
+			if !pr.ProvisionResourceCalled {
+				t.Fatalf("provisioner was not called on apply")
+			}
+
+			// Verify output was suppressed
+			if !h.ProvisionOutputCalled {
+				t.Fatalf("ProvisionOutput hook not called")
+			}
+			if got, doNotWant := h.ProvisionOutputMessage, "secret"; strings.Contains(got, doNotWant) {
+				t.Errorf("sensitive value %q included in output:\n%s", doNotWant, got)
+			}
+			if got, want := h.ProvisionOutputMessage, tc.want; !strings.Contains(got, want) {
+				t.Errorf("expected hook to be called with %q, but was:\n%s", want, got)
+			}
+		})
 	}
 }
 

internal/terraform/node_resource_abstract_instance.go

@@ -2351,13 +2351,31 @@ func (n *NodeAbstractResourceInstance) applyProvisioners(ctx EvalContext, state
 		// provisioner logging, so we conservatively suppress all output in
 		// this case. This should not apply to connection info values, which
 		// provisioners ought not to be logging anyway.
-		if len(configMarks) > 0 {
+		_, sensitive := configMarks[marks.Sensitive]
+		_, ephemeral := configMarks[marks.Ephemeral]
+
+		switch {
+		case sensitive && ephemeral:
+			outputFn = func(msg string) {
+				ctx.Hook(func(h Hook) (HookAction, error) {
+					h.ProvisionOutput(n.HookResourceIdentity(), prov.Type, "(output suppressed due to sensitive, ephemeral value in config)")
+					return HookActionContinue, nil
+				})
+			}
+		case sensitive:
 			outputFn = func(msg string) {
 				ctx.Hook(func(h Hook) (HookAction, error) {
 					h.ProvisionOutput(n.HookResourceIdentity(), prov.Type, "(output suppressed due to sensitive value in config)")
 					return HookActionContinue, nil
 				})
 			}
+		case ephemeral:
+			outputFn = func(msg string) {
+				ctx.Hook(func(h Hook) (HookAction, error) {
+					h.ProvisionOutput(n.HookResourceIdentity(), prov.Type, "(output suppressed due to ephemeral value in config)")
+					return HookActionContinue, nil
+				})
+			}
 		}
 
 		output := CallbackUIOutput{OutputFn: outputFn}

internal/terraform/testdata/apply-provisioner-ephemeral/main.tf

@@ -0,0 +1,18 @@
+variable "password" {
+  type      = string
+  ephemeral = true
+}
+
+resource "aws_instance" "foo" {
+  connection {
+    host     = "localhost"
+    type     = "telnet"
+    user     = "superuser"
+    port     = 2222
+    password = "password"
+  }
+
+  provisioner "shell" {
+    command = "echo ${var.password} > secrets"
+  }
+}

internal/terraform/testdata/apply-provisioner-sensitive-ephemeral/main.tf

@@ -0,0 +1,19 @@
+variable "password" {
+  type      = string
+  ephemeral = true
+  sensitive = true
+}
+
+resource "aws_instance" "foo" {
+  connection {
+    host     = "localhost"
+    type     = "telnet"
+    user     = "superuser"
+    port     = 2222
+    password = "password"
+  }
+
+  provisioner "shell" {
+    command = "echo ${var.password} > secrets"
+  }
+}