Ephemeral values trigger 'output suppressed' in local-exec provisioner #36415

@simmsb

Terraform Version

Terraform v1.12.0-dev
on darwin_arm64
+ provider registry.terraform.io/hashicorp/null v3.2.3

Terraform Configuration Files

variable "foo" {
  type = string
  default = "bar"
  ephemeral = true
}

resource "null_resource" "test" {
  provisioner "local-exec" {
    environment = { FOO = var.foo }
    command = "echo hello"
  }
}

Debug Output

Full log here: https://gist.github.com/simmsb/52ae66fb0c5f3000ea8c42ce984046fb

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # null_resource.test will be created
  + resource "null_resource" "test" {
      + id = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

null_resource.test: Creating...
null_resource.test: Provisioning with 'local-exec'...
null_resource.test (local-exec): (output suppressed due to sensitive value in config)
null_resource.test (local-exec): (output suppressed due to sensitive value in config)
null_resource.test: Creation complete after 0s [id=847589565284345878]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Expected Behavior

Output should not be suppressed as no sensitive values are present.

Actual Behavior

Ephemeral values trigger sensitive data hiding of log output.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Additional Context

The output hiding seems to be triggered by the presence of any 'marks' in the config, and not just 'sensitive' marks.

diff --git a/internal/terraform/node_resource_abstract_instance.go b/internal/terraform/node_resource_abstract_instance.go
index 49056fb772..c422636505 100644
--- a/internal/terraform/node_resource_abstract_instance.go
+++ b/internal/terraform/node_resource_abstract_instance.go
@@ -2346,12 +2346,13 @@ func (n *NodeAbstractResourceInstance) applyProvisioners(ctx EvalContext, state
                // later.
                unmarkedConfig, configMarks := config.UnmarkDeep()
                unmarkedConnInfo, _ := connInfo.UnmarkDeep()
+              _, isSensitiveConfig := configMarks[marks.Sensitive]

                // Marks on the config might result in leaking sensitive values through
                // provisioner logging, so we conservatively suppress all output in
                // this case. This should not apply to connection info values, which
                // provisioners ought not to be logging anyway.
-               if len(configMarks) > 0 {
+               if isSensitiveConfig {
                        outputFn = func(msg string) {
                                ctx.Hook(func(h Hook) (HookAction, error) {
                                        h.ProvisionOutput(n.HookResourceIdentity(), prov.Type, "(output suppressed due to sensitive value in config)")
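
Review bot: The comment block directly above `if isSensitiveConfig {` still says "Marks on the config might result in leaking sensitive values ... so we conservatively suppress all output", which no longer describes the condition now that only `marks.Sensitive` is looked up in `configMarks`; reword it to say that a sensitive mark suppresses output and that other marks do not. Because the check is narrowed from `len(configMarks) > 0` to a single key, config carrying only a non-sensitive mark now reaches the normal output path, so the change should come with tests for three cases: only a non-sensitive mark (output shown), only a sensitive mark (output suppressed), and both together (output suppressed). The added `isSensitiveConfig` line also appears to be indented differently from the lines around it; run gofmt before merging.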

References

No response

Generative AI / LLM assisted development?

No response

Labels: bug, confirmed (a Terraform Core team member has reproduced this issue)
