How do sensitive values from TF providers work in ...
# general
c
How do sensitive values from TF providers work in Pulumi? https://github.com/terraform-providers/terraform-provider-fastly/blob/master/fastly/resource_fastly_service_v1.go#L596 The TF provider marks the resource input as sensitive here, and we've created our own provider using pulumi-terraform-bridge here https://github.com/terraform-providers/terraform-provider-fastly/blob/master/fastly/resource_fastly_service_v1.go#L596 However, we don't see Pulumi treating it as a secret? Our S3 access keys show up in plaintext in the console output.
g
Pulumi does not yet mark them as secret automatically. We will do this in the future as part of https://github.com/pulumi/pulumi-terraform/issues/449. In the meantime, you can use `additional_secret_outputs` per https://www.pulumi.com/docs/intro/concepts/programming-model/#additionalsecretoutputs to mark specific resource properties as secrets.
c
So it looks like the masking works if you mask on the whole entire object. For example, we have s3loggings.s3SecretKey. Is it possible to only mask the s3secretKey vs masking all the values in the s3loggings block?
g
Currently it can only be applied to top-level properties or objects. I've opened https://github.com/pulumi/pulumi/issues/3144 to track supporting nested properties.
c
👍