feat: mark PII as sensitive in account and user resources. (#1678)
* feat: mark PII as sensitive in account and user resources.

* docs: update user and account resource docs.
sfc-gh-ngaberel authored Mar 30, 2023
1 parent 7225d93 commit caa461f
Showing 4 changed files with 18 additions and 9 deletions.
6 changes: 3 additions & 3 deletions docs/resources/account.md
@@ -43,16 +43,16 @@ resource "snowflake_account" "ac1" {

- `admin_name` (String) Login name of the initial administrative user of the account. A new user is created in the new account with this name and password and granted the ACCOUNTADMIN role in the account. A login name can be any string consisting of letters, numbers, and underscores. Login names are always case-insensitive.
- `edition` (String) [Snowflake Edition](https://docs.snowflake.com/en/user-guide/intro-editions.html) of the account. Valid values are: STANDARD | ENTERPRISE | BUSINESS_CRITICAL
- `email` (String) Email address of the initial administrative user of the account. This email address is used to send any notifications about the account.
- `email` (String, Sensitive) Email address of the initial administrative user of the account. This email address is used to send any notifications about the account.
- `name` (String) Specifies the identifier (i.e. name) for the account; must be unique within an organization, regardless of which Snowflake Region the account is in. In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters except for underscores (_). Note that if the account name includes underscores, features that do not accept account names with underscores (e.g. Okta SSO or SCIM) can reference a version of the account name that substitutes hyphens (-) for the underscores.

### Optional

- `admin_password` (String, Sensitive) Password for the initial administrative user of the account. Optional if the `ADMIN_RSA_PUBLIC_KEY` parameter is specified. For more information about passwords in Snowflake, see [Snowflake-provided Password Policy](https://docs.snowflake.com/en/sql-reference/sql/create-account.html#:~:text=Snowflake%2Dprovided%20Password%20Policy).
- `admin_rsa_public_key` (String, Sensitive) Assigns a public key to the initial administrative user of the account in order to implement [key pair authentication](https://docs.snowflake.com/en/sql-reference/sql/create-account.html#:~:text=key%20pair%20authentication) for the user. Optional if the `ADMIN_PASSWORD` parameter is specified.
- `comment` (String) Specifies a comment for the account.
- `first_name` (String) First name of the initial administrative user of the account
- `last_name` (String) Last name of the initial administrative user of the account
- `first_name` (String, Sensitive) First name of the initial administrative user of the account
- `last_name` (String, Sensitive) Last name of the initial administrative user of the account
- `must_change_password` (Boolean) Specifies whether the new user created to administer the account is forced to change their password upon first login into the account.
- `region` (String) ID of the Snowflake Region where the account is created. If no value is provided, Snowflake creates the account in the same Snowflake Region as the current account (i.e. the account in which the CREATE ACCOUNT statement is executed.)
- `region_group` (String) ID of the Snowflake Region where the account is created. If no value is provided, Snowflake creates the account in the same Snowflake Region as the current account (i.e. the account in which the CREATE ACCOUNT statement is executed.)
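Review bot: `admin_name` (the login name of the initial ACCOUNTADMIN user) stays a plain `(String)` here while the `user` resource's `login_name` is marked `Sensitive` in the same commit; if a login name counts as PII for one resource it should for the other, so either mark `admin_name` sensitive too or say in its description why the account admin login is treated differently. Also visible in these context lines: `region_group` carries a verbatim copy of the `region` description ("ID of the Snowflake Region where the account is created ..."); it should describe the region group, not the region.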
12 changes: 6 additions & 6 deletions docs/resources/user.md
@@ -40,7 +40,7 @@ resource "snowflake_user" "user" {

### Required

- `name` (String) Name of the user. Note that if you do not supply login_name this will be used as login_name. [doc](https://docs.snowflake.net/manuals/sql-reference/sql/create-user.html#required-parameters)
- `name` (String, Sensitive) Name of the user. Note that if you do not supply login_name this will be used as login_name. [doc](https://docs.snowflake.net/manuals/sql-reference/sql/create-user.html#required-parameters)

### Optional

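Review bot: marking the required `name` attribute `Sensitive` makes Terraform print it as `(sensitive value)` in `terraform plan` and `terraform apply` output, so a reviewer can no longer tell from the plan which user is being created, changed or destroyed. The description should state that trade-off, and since `name` is also used as `login_name` when the latter is not supplied (as the same line says), it should be explicit that both values will be masked.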
@@ -50,11 +50,11 @@ resource "snowflake_user" "user" {
- `default_secondary_roles` (Set of String) Specifies the set of secondary roles that are active for the user’s session upon login. Currently only ["ALL"] value is supported - more information can be found in [doc](https://docs.snowflake.com/en/sql-reference/sql/create-user#optional-object-properties-objectproperties)
- `default_warehouse` (String) Specifies the virtual warehouse that is active by default for the user’s session upon login.
- `disabled` (Boolean)
- `display_name` (String) Name displayed for the user in the Snowflake web interface.
- `email` (String) Email address for the user.
- `first_name` (String) First name of the user.
- `last_name` (String) Last name of the user.
- `login_name` (String) The name users use to log in. If not supplied, snowflake will use name instead.
- `display_name` (String, Sensitive) Name displayed for the user in the Snowflake web interface.
- `email` (String, Sensitive) Email address for the user.
- `first_name` (String, Sensitive) First name of the user.
- `last_name` (String, Sensitive) Last name of the user.
- `login_name` (String, Sensitive) The name users use to log in. If not supplied, snowflake will use name instead.
- `must_change_password` (Boolean) Specifies whether the user is forced to change their password on next login (including their first/initial login) into the system.
- `password` (String, Sensitive) **WARNING:** this will put the password in the terraform state file. Use carefully.
- `rsa_public_key` (String) Specifies the user’s RSA public key; used for key-pair authentication. Must be on 1 line without header and trailer.
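Review bot: `Sensitive` only redacts these attributes in CLI output; the values are still written to the state file in plaintext, exactly as the `password` line a few entries up already warns ("this will put the password in the terraform state file"). Since the purpose of this change is PII handling, the `display_name`, `email`, `first_name`, `last_name` and `login_name` descriptions should carry the same caveat, or the resource page should have one note that state containing these values must be protected accordingly. Unrelated but in the same context: `disabled (Boolean)` still has no description.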
3 changes: 3 additions & 0 deletions pkg/resources/account.go
@@ -81,6 +81,7 @@ var accountSchema = map[string]*schema.Schema{
"email": {
Type: schema.TypeString,
Required: true,
Sensitive: true,
Description: "Email address of the initial administrative user of the account. This email address is used to send any notifications about the account.",
ValidateFunc: snowflakeValidation.ValidateEmail,
// We have no way of assuming a role into this account to change the admin email so this has to be ForceNew even though it's not ideal
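Review bot: `email` is now both `Sensitive` and `ForceNew` (the comment on the last line explains why `ForceNew` is unavoidable), so when the value changes the plan will report that the `snowflake_account` is being replaced without showing the old or new email that triggered it; an operator diagnosing an unexpected account replacement will have to compare state by hand. That deserves a sentence in the description, and the same combination is applied to `first_name` and `last_name` in the hunks below.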
@@ -105,6 +106,7 @@ var accountSchema = map[string]*schema.Schema{
"first_name": {
Type: schema.TypeString,
Optional: true,
Sensitive: true,
Description: "First name of the initial administrative user of the account",
// We have no way of assuming a role into this account to change the admin first name so this has to be ForceNew even though it's not ideal
ForceNew: true,
@@ -121,6 +123,7 @@ var accountSchema = map[string]*schema.Schema{
"last_name": {
Type: schema.TypeString,
Optional: true,
Sensitive: true,
Description: "Last name of the initial administrative user of the account",
// We have no way of assuming a role into this account to change the admin last name so this has to be ForceNew even though it's not ideal
ForceNew: true,
6 changes: 6 additions & 0 deletions pkg/resources/user.go
@@ -36,12 +36,14 @@ var userSchema = map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
Sensitive: true,
Description: "Name of the user. Note that if you do not supply login_name this will be used as login_name. [doc](https://docs.snowflake.net/manuals/sql-reference/sql/create-user.html#required-parameters)",
},
"login_name": {
Type: schema.TypeString,
Optional: true,
Computed: true,
Sensitive: true,
Description: "The name users use to log in. If not supplied, snowflake will use name instead.",
// login_name is case-insensitive
DiffSuppressFunc: diffCaseInsensitive,
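Review bot: `login_name` is `Computed: true` with `DiffSuppressFunc: diffCaseInsensitive`; once it is also `Sensitive`, any genuine change to it will render in the plan as `(sensitive value) -> (sensitive value)`, which gives the operator nothing to act on, and the case-insensitive suppression becomes impossible to verify from plan output alone. Either document that users must inspect `terraform show` or the state to see the actual value, or reconsider whether `login_name` needs masking given that `name`, which falls back into it, is already masked in the same hunk.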
@@ -109,22 +111,26 @@ var userSchema = map[string]*schema.Schema{
"email": {
Type: schema.TypeString,
Optional: true,
Sensitive: true,
Description: "Email address for the user.",
},
"display_name": {
Type: schema.TypeString,
Computed: true,
Optional: true,
Sensitive: true,
Description: "Name displayed for the user in the Snowflake web interface.",
},
"first_name": {
Type: schema.TypeString,
Optional: true,
Sensitive: true,
Description: "First name of the user.",
},
"last_name": {
Type: schema.TypeString,
Optional: true,
Sensitive: true,
Description: "Last name of the user.",
},
"tag": tagReferenceSchema,
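Review bot: none of the four changed files adds a test that pins these `Sensitive` flags, so a later schema refactor can drop one silently and nothing would fail. A small unit test that iterates `userSchema` and `accountSchema` and asserts `Sensitive` is true for `name`, `login_name`, `email`, `display_name`, `first_name` and `last_name` (and for the account's `email`, `first_name` and `last_name`) would make the intent of this commit durable; the schema maps are plain Go values (see `"tag": tagReferenceSchema`), so the check is a few lines.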
