hashicorp · DanielMSchmidt · Aug 25, 2025 · Aug 23, 2025
@@ -187,9 +187,11 @@ func FromJsonViewsOutput(output viewsjson.Output) Change {
 
 func FromJsonActionInvocation(actionInvocation jsonplan.ActionInvocation) Change {
 	return Change{
-		Before:  unwrapAttributeValues(actionInvocation.ConfigValues),
-		After:   unwrapAttributeValues(actionInvocation.ConfigValues),
-		Unknown: false,
+		Before:          unwrapAttributeValues(actionInvocation.ConfigValues),
+		After:           unwrapAttributeValues(actionInvocation.ConfigValues),
+		Unknown:         false,
+		BeforeSensitive: unmarshalGeneric(actionInvocation.ConfigSensitive),
+		AfterSensitive:  unmarshalGeneric(actionInvocation.ConfigSensitive),
 
 		ReplacePaths:       attribute_path.Empty(false),
 		RelevantAttributes: attribute_path.AlwaysMatcher(),

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"sort"
 
+	"github.com/hashicorp/terraform/internal/command/jsonstate"
 	"github.com/hashicorp/terraform/internal/lang/marks"
 	"github.com/hashicorp/terraform/internal/plans"
 	"github.com/hashicorp/terraform/internal/providers"
@@ -25,7 +26,8 @@ type ActionInvocation struct {
 	Name string `json:"name,omitempty"`
 
 	// ConfigValues is the JSON representation of the values in the config block of the action
-	ConfigValues map[string]json.RawMessage `json:"config_values,omitempty"`
+	ConfigValues    map[string]json.RawMessage `json:"config_values,omitempty"`
+	ConfigSensitive json.RawMessage            `json:"config_sensitive,omitempty"`
 
 	// ProviderName allows the property "type" to be interpreted unambiguously
 	// in the unusual situation where a provider offers a type whose
@@ -85,7 +87,7 @@ func marshalConfigValues(value cty.Value) map[string]json.RawMessage {
 	}
 
 	ret := make(map[string]json.RawMessage)
-	it := value.ElementIterator()
+	it := v.ElementIterator()
 	for it.Next() {
 		k, v := it.Element()
 		vJSON, _ := ctyjson.Marshal(v, v.Type())
@@ -99,7 +101,7 @@ func MarshalActionInvocations(actions []*plans.ActionInvocationInstanceSrc, sche
 	for _, action := range actions {
 		ai, err := MarshalActionInvocation(action, schemas)
 		if err != nil {
-			return nil, err
+			return ret, fmt.Errorf("failed to decode action %s: %w", action.Addr, err)
 		}
 		ret = append(ret, ai)
 	}
@@ -113,7 +115,6 @@ func MarshalActionInvocation(action *plans.ActionInvocationInstanceSrc, schemas
 		Name:         action.Addr.Action.Action.Name,
 		ProviderName: action.ProviderAddr.Provider.String(),
 	}
-
 	schema := schemas.ActionTypeConfig(
 		action.ProviderAddr.Provider,
 		action.Addr.Action.Action.Type,
@@ -140,12 +141,8 @@ func MarshalActionInvocation(action *plans.ActionInvocationInstanceSrc, schemas
 	}
 
 	if actionDec.ConfigValue != cty.NilVal {
-		// TODO: Support sensitive and ephemeral values in action invocations.
 		_, pvms := actionDec.ConfigValue.UnmarkDeepWithPaths()
 		sensitivePaths, otherMarks := marks.PathsWithMark(pvms, marks.Sensitive)
-		if len(sensitivePaths) > 0 {
-			return ai, fmt.Errorf("action %s has sensitive config values, which are not supported in action invocations", action.Addr)
-		}
 		ephemeralPaths, otherMarks := marks.PathsWithMark(otherMarks, marks.Ephemeral)
 		if len(ephemeralPaths) > 0 {
 			return ai, fmt.Errorf("action %s has ephemeral config values, which are not supported in action invocations", action.Addr)
@@ -154,12 +151,18 @@ func MarshalActionInvocation(action *plans.ActionInvocationInstanceSrc, schemas
 			return ai, fmt.Errorf("action %s has config values with unsupported marks: %v", action.Addr, otherMarks)
 		}
 
-		if actionDec.ConfigValue.IsWhollyKnown() {
-			ai.ConfigValues = marshalConfigValues(actionDec.ConfigValue)
-		} else {
-			knowns := omitUnknowns(actionDec.ConfigValue)
-			ai.ConfigValues = marshalConfigValues(knowns)
+		configValue := actionDec.ConfigValue
+		if !configValue.IsWhollyKnown() {
+			configValue = omitUnknowns(actionDec.ConfigValue)
 		}
+		cs := jsonstate.SensitiveAsBool(marks.MarkPaths(configValue, marks.Sensitive, sensitivePaths))
+		configSensitive, err := ctyjson.Marshal(cs, cs.Type())
+		if err != nil {
+			return ai, err
+		}
+
+		ai.ConfigValues = marshalConfigValues(configValue)
+		ai.ConfigSensitive = configSensitive
 	}
 	return ai, nil
 }

@@ -4,9 +4,13 @@
 package plans
 
 import (
+	"fmt"
+
 	"github.com/hashicorp/terraform/internal/addrs"
 	"github.com/hashicorp/terraform/internal/configs"
+	"github.com/hashicorp/terraform/internal/lang/marks"
 	"github.com/hashicorp/terraform/internal/providers"
+	"github.com/hashicorp/terraform/internal/tfdiags"
 	"github.com/zclconf/go-cty/cty"
 )
 
@@ -109,8 +113,15 @@ func (ai *ActionInvocationInstance) Encode(schema *providers.ActionSchema) (*Act
 			ty = schema.ConfigSchema.ImpliedType()
 		}
 
+		unmarkedConfigValue, pvms := ai.ConfigValue.UnmarkDeepWithPaths()
+		sensitivePaths, otherMarks := marks.PathsWithMark(pvms, marks.Sensitive)
+		if len(otherMarks) > 0 {
+			return nil, fmt.Errorf("%s: error serializing action invocation with unexpected marks on config value: %#v. This is a bug in Terraform.", tfdiags.FormatCtyPath(otherMarks[0].Path), otherMarks[0].Marks)
+		}
+
 		var err error
-		ret.ConfigValue, err = NewDynamicValue(ai.ConfigValue, ty)
+		ret.ConfigValue, err = NewDynamicValue(unmarkedConfigValue, ty)
+		ret.SensitiveConfigPaths = sensitivePaths
 		if err != nil {
 			return nil, err
 		}

@@ -568,7 +568,8 @@ type ActionInvocationInstanceSrc struct {
 	Addr          addrs.AbsActionInstance
 	ActionTrigger ActionTrigger
 
-	ConfigValue DynamicValue
+	ConfigValue          DynamicValue
+	SensitiveConfigPaths []cty.Path
 
 	ProviderAddr addrs.AbsProviderConfig
 }
@@ -584,12 +585,13 @@ func (acs *ActionInvocationInstanceSrc) Decode(schema *providers.ActionSchema) (
 	if err != nil {
 		return nil, fmt.Errorf("error decoding 'config' value: %s", err)
 	}
+	markedConfigValue := marks.MarkPaths(config, marks.Sensitive, acs.SensitiveConfigPaths)
 
 	ai := &ActionInvocationInstance{
 		Addr:          acs.Addr,
 		ActionTrigger: acs.ActionTrigger,
 		ProviderAddr:  acs.ProviderAddr,
-		ConfigValue:   config,
+		ConfigValue:   markedConfigValue,
 	}
 	return ai, nil
 }

@@ -1365,6 +1365,11 @@ func actionInvocationFromTfplan(rawAction *planproto.ActionInvocationInstance) (
 			return nil, fmt.Errorf("invalid config value: %s", err)
 		}
 		ret.ConfigValue = configVal
+		sensitiveConfigPaths, err := pathsFromTfplan(rawAction.SensitiveConfigPaths)
+		if err != nil {
+			return nil, err
+		}
+		ret.SensitiveConfigPaths = sensitiveConfigPaths
 	}
 
 	return ret, nil
@@ -1412,6 +1417,11 @@ func actionInvocationToTfPlan(action *plans.ActionInvocationInstanceSrc) (*planp
 
 	if action.ConfigValue != nil {
 		ret.ConfigValue = valueToTfplan(action.ConfigValue)
+		sensitiveConfigPaths, err := pathsToTfplan(action.SensitiveConfigPaths)
+		if err != nil {
+			return nil, err
+		}
+		ret.SensitiveConfigPaths = sensitiveConfigPaths
 	}
 
 	return ret, nil

@@ -335,6 +335,24 @@ func examplePlanForTest(t *testing.T) *plans.Plan {
 						"id": cty.StringVal("testing"),
 					}), objTy),
 				},
+				{
+					Addr:         addrs.Action{Type: "example", Name: "baz"}.Instance(addrs.NoKey).Absolute(addrs.RootModuleInstance),
+					ProviderAddr: provider,
+					ActionTrigger: plans.LifecycleActionTrigger{
+						ActionTriggerEvent:      configs.BeforeCreate,
+						ActionTriggerBlockIndex: 2,
+						ActionsListIndex:        1,
+						TriggeringResourceAddr: addrs.Resource{
+							Mode: addrs.ManagedResourceMode,
+							Type: "test_thing",
+							Name: "woot",
+						}.Instance(addrs.IntKey(0)).Absolute(addrs.RootModuleInstance),
+					},
+					ConfigValue: mustNewDynamicValue(cty.ObjectVal(map[string]cty.Value{
+						"id": cty.StringVal("secret"),
+					}), objTy),
+					SensitiveConfigPaths: []cty.Path{cty.GetAttrPath("id")},
+				},
 			},
 		},
 		DriftedResources: []*plans.ResourceInstanceChangeSrc{

@@ -468,9 +468,13 @@ message ActionInvocationInstance {
 
     repeated ResourceInstanceActionChange linked_resources = 3;
     DynamicValue config_value = 4;
+    // An unordered set of paths into config_value which are marked as
+    // sensitive. Values at these paths should be obscured in human-readable
+    // output.
+    repeated Path sensitive_config_paths = 5;
 
     oneof action_trigger {
-        LifecycleActionTrigger lifecycle_action_trigger = 5;
+        LifecycleActionTrigger lifecycle_action_trigger = 6;
     }
 }
 

@@ -556,7 +556,6 @@ resource "test_object" "b" {
 		},
 
 		"action with secrets in configuration": {
-			toBeImplemented: true, // We currently don't suppport sensitive values in the plan
 			module: map[string]string{
 				"main.tf": `
 variable "secret_value" {