1 files changed, 15 insertions, 5 deletions

diff --git a/lib/chef/provider/file.rb b/lib/chef/provider/file.rb
index b2127d7c87..3ef7725173 100644
--- a/lib/chef/provider/file.rb
+++ b/lib/chef/provider/file.rb
@@ -352,16 +352,27 @@ class Chef
         if tempfile.path.nil? || !::File.exists?(tempfile.path)
           raise "chef-client is confused, trying to deploy a file that has no path or does not exist..."
         end
+
         # the file? on the next line suppresses the case in why-run when we have a not-file here that would have otherwise been removed
         if ::File.file?(@new_resource.path) && contents_changed?
-          diff.diff(@current_resource.path, tempfile.path)
-          @new_resource.diff( diff.for_reporting ) unless file_created?
-          description = [ "update content in file #{@new_resource.path} from #{short_cksum(@current_resource.checksum)} to #{short_cksum(checksum(tempfile.path))}" ]
-          description << diff.for_output
+          description = [ "update content in file #{@new_resource.path} from \
+#{short_cksum(@current_resource.checksum)} to #{short_cksum(checksum(tempfile.path))}" ]
+
+          # Hide the diff output if the resource is marked as a sensitive resource
+          if @new_resource.sensitive
+            @new_resource.diff("suppressed sensitive resource")
+            description << "suppressed sensitive resource"
+          else
+            diff.diff(@current_resource.path, tempfile.path)
+            @new_resource.diff( diff.for_reporting ) unless file_created?
+            description << diff.for_output
+          end
+
           converge_by(description) do
             update_file_contents
           end
         end
+
         # unlink necessary to clean up in why-run mode
         tempfile.unlink
       end
@@ -420,4 +431,3 @@ class Chef
     end
   end
 end
-