data.vault_generic_secret: make data and data_json sensitive

[stellirin]

Changes to Terraform 0.13.0 mean that these values are currently
printed during terraform apply.

See hashicorp/terraform#25800 for discussion.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Release note for CHANGELOG:

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

[m0ps]

This is an urgent change... With terraform v 0.13 all secrets become exposed in the plan output

[yatanasov]

Hello, when can we expect a fix/next release for this ? Thank you!

[ajinkyakadam]

Our team is facing the same issue, with sensitive data shown in plan output. Is there an ETA for a fix ? Thanks.

[catsby]

👍 Thanks!

[catsby]

Hello - we'd like to roll this fix out as soon as possible, however I'm investigating #847 as well and feel that should be included.

[catsby]

Hello all - this was released in v2.13.0 , thanks for the contribution and your patience!

[jravetch]

Hi @catsby We are on 2.14 with tf 0.13.3 and we are seeing some regression of #849 whereby the data.vault_generic_secret is read every plan and requires a new plan/apply.

# data.vault_generic_secret.gcp_oauth_token will be read during apply
  # (config refers to values not yet known)
 <= data "vault_generic_secret" "gcp_oauth_token"  {
      ~ data             = (sensitive value)
      ~ data_json        = (sensitive value)
        id               = "gcp/token/xxx"
        lease_duration   = 0
        lease_renewable  = false
        lease_start_time = "RFC5559"
        path             = "gcp/token/xxx"
        version          = -1
    }

Is it possibly related to #844 ? Thanks!

[catsby]

Hey @jravetch - could you open a separate issue with an example configuration that reproduces this?