From b24f50f2278b380f5b9a49a641cc396eba94f7f0 Mon Sep 17 00:00:00 2001
From: Anthony Wat
Date: Mon, 20 May 2024 00:55:40 -0400
Subject: [PATCH 1/2] fix: Set grant_token as sensitive for aws_kms_grant
---
 .changelog/37593.txt | 3 +++
 internal/service/kms/grant.go | 5 +++--
 website/docs/r/kms_grant.html.markdown | 3 +++
 3 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/37593.txt
diff --git a/.changelog/37593.txt b/.changelog/37593.txt
new file mode 100644
index 00000000000..88ea9199058
--- /dev/null
+++ b/.changelog/37593.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_kms_grant: Set `grant_token` attribute as sensitive
+```
\ No newline at end of file
diff --git a/internal/service/kms/grant.go b/internal/service/kms/grant.go
index b4290402b13..4fec79e6348 100644
--- a/internal/service/kms/grant.go
+++ b/internal/service/kms/grant.go
@@ -91,8 +91,9 @@ func resourceGrant() *schema.Resource {
 Computed: true,
 },
 "grant_token": {
- Type: schema.TypeString,
- Computed: true,
+ Type: schema.TypeString,
+ Computed: true,
+ Sensitive: true,
 },
 "grantee_principal": {
 Type: schema.TypeString,
diff --git a/website/docs/r/kms_grant.html.markdown b/website/docs/r/kms_grant.html.markdown
index 7604996c9a0..e95a2b24988 100644
--- a/website/docs/r/kms_grant.html.markdown
+++ b/website/docs/r/kms_grant.html.markdown
@@ -10,6 +10,9 @@ description: |-
 Provides a resource-based access control mechanism for a KMS customer master key.
+~> **Note:** All arguments including the grant token will be stored in the raw state as plain-text.
+[Read more about sensitive data in state](https://www.terraform.io/docs/state/sensitive-data.html).
+
 ## Example Usage
 ```terraform
From 0ceb165995335eeb0bbacd78514dd2bf34e05cfd Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Mon, 20 May 2024 10:12:48 -0400
Subject: [PATCH 2/2] Tweak CHANGELOG entry
---
 .changelog/37593.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
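Review bot: The `Sensitive: true` added to `grant_token` in the `internal/service/kms/grant.go` hunk is not only a display change for users, and neither the changelog entry nor the docs note says so: Terraform propagates the sensitive mark, so a root-module `output` that references `aws_kms_grant.<name>.grant_token` may start failing at plan time until it is declared with `sensitive = true`. I would add a sentence to that effect to the resource documentation so the upgrade impact is visible. The schema entry itself would also read better with a one-line comment above the field, such as `// Redacted in plan and CLI output only; the value is still written to state.` The body of resourceGrant starts and ends outside this hunk, so I cannot tell whether other attributes in the schema need the same treatment.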
diff --git a/.changelog/37593.txt b/.changelog/37593.txt
index 88ea9199058..81ee975446c 100644
--- a/.changelog/37593.txt
+++ b/.changelog/37593.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-resource/aws_kms_grant: Set `grant_token` attribute as sensitive
-```
\ No newline at end of file
+resource/aws_kms_grant: Change `grant_token` to [`Sensitive`](https://developer.hashicorp.com/terraform/plugin/best-practices/sensitive-state#using-sensitive-flag-functionality)
+```