
[Enhancement]: support values_wo in vault_generic_secret to keep data out of state #2406

Open
joemiller opened this issue Feb 16, 2025 · 0 comments

joemiller commented Feb 16, 2025

Description

The AWS provider's aws_ssm_parameter recently added a values_wo attribute that avoids persisting sensitive values to state. The vault_generic_secret resource (and probably vault_kv_secret_v2 too) could benefit from a similar feature.

In the AWS SSM case, it needs to be used with values_wo_version to trigger an update. One option here is to use a hash of the sensitive value to trigger the update, but this is not required, since some users may have stricter requirements that don't allow using an unsalted hash, or may have other mechanisms to trigger the update.

This should address the open issue in #65.

Affected Resource(s) and/or Data Source(s)

  • vault_generic_secret
  • vault_kv_secret_v2

Potential Terraform Configuration

resource "vault_generic_secret" "example" {
  path = "secret/foo"

  # Proposed: bump this to make Terraform re-send data_json_wo. It is the only
  # part of the secret that would be written to state.
  data_json_wo_version = "1"

  # Proposed write-only argument: sent to Vault on create/update, never persisted.
  data_json_wo = <<EOT
{
  "foo":   "bar",
  "pizza": "cheese"
}
EOT
}

# Assumed kv-v2 mount so the example below is self-contained; the original
# snippet only referenced it.
resource "vault_mount" "kvv2" {
  path    = "kvv2"
  type    = "kv"
  options = { version = "2" }
}

resource "vault_kv_secret_v2" "example" {
  mount                = vault_mount.kvv2.path
  name                 = "secret"
  cas                  = 1
  delete_all_versions  = true
  data_json_wo_version = "1"
  data_json_wo = jsonencode({
    zip = "zap",
    foo = "bar"
  })
  custom_metadata {
    max_versions = 5
    data = {
      foo = "[email protected]",
      bar = "12345"
    }
  }
}

References

Would you like to implement a fix?

Maybe
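The two points the request turns on, that a write-only argument keeps the plaintext out of state while the version trigger is the only thing that persists, and that an unsalted hash of the secret is a poor trigger because it is a guessable fingerprint, can be shown offline. The following is an added example, not code from the issue author or from the Vault provider. The Terraform state documents are constructed inline (state format version 4; a write-only argument is stored as null), the `data_json_wo` / `data_json_wo_version` attribute names are taken from the proposal above and do not exist in the provider yet, and the HMAC key is an assumed out-of-state input.

```python
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed Terraform state documents, built inline for this example; they are
# not real state files from the issue or the provider.
# STATE_TODAY models what vault_generic_secret persists now: data_json and the
# computed data map both hold the plaintext. STATE_PROPOSED models the requested
# write-only attribute: Terraform stores a write-only argument as null, so only
# the version trigger survives in state.
STATE_TODAY = json.dumps({
    "version": 4,
    "resources": [{
        "type": "vault_generic_secret",
        "name": "example",
        "instances": [{"attributes": {
            "path": "secret/foo",
            "data_json": json.dumps({"foo": "bar", "pizza": "cheese"}),
            "data": {"foo": "bar", "pizza": "cheese"},
        }}],
    }],
})

STATE_PROPOSED = json.dumps({
    "version": 4,
    "resources": [{
        "type": "vault_generic_secret",
        "name": "example",
        "instances": [{"attributes": {
            "path": "secret/foo",
            "data_json_wo": None,          # write-only: never written to state
            "data_json_wo_version": "1",   # the trigger is all that persists
        }}],
    }],
})


def persisted_values(state_json: str, resource_type: str, name: str) -> dict:
    """Return the non-null attributes Terraform persisted for one resource instance."""
    state = json.loads(state_json)
    for res in state["resources"]:
        if res["type"] == resource_type and res["name"] == name:
            attrs = res["instances"][0]["attributes"]
            return {k: v for k, v in attrs.items() if v is not None}
    raise KeyError(f"{resource_type}.{name} not found in state")


def state_leaks(state_json: str, secret_value: str) -> bool:
    """True if the raw secret value appears anywhere in the serialized state."""
    return secret_value in state_json


# Three ways to populate the *_wo_version trigger. Terraform compares only the
# trigger, never the write-only value, so the trigger is what lands in state.
def unsalted_trigger(secret: str) -> str:
    """The option the issue mentions: sha256 of the value. Deterministic, but the
    digest is a guessable fingerprint of the secret once it sits in shared state."""
    return hashlib.sha256(secret.encode()).hexdigest()


def keyed_trigger(secret: str, trigger_key: bytes) -> str:
    """HMAC under a key that never reaches state (assumed to be supplied at plan
    time). Still changes whenever the secret changes, but cannot be brute-forced
    offline without the key."""
    return hmac.new(trigger_key, secret.encode(), hashlib.sha256).hexdigest()


def counter_trigger(previous: str) -> str:
    """Explicit version bumped by whatever rotates the secret; reveals nothing."""
    return str(int(previous) + 1)


def recover_from_unsalted(trigger: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack that anyone holding a copy of state could run
    against an unsalted-hash trigger. Returns the guessed plaintext, or None."""
    for candidate in wordlist:
        if hmac.compare_digest(unsalted_trigger(candidate), trigger):
            return candidate
    return None


if __name__ == "__main__":
    print("today's state leaks 'cheese':  ", state_leaks(STATE_TODAY, "cheese"))
    print("proposed state leaks 'cheese': ", state_leaks(STATE_PROPOSED, "cheese"))
    print("persisted (proposed):", persisted_values(STATE_PROPOSED, "vault_generic_secret", "example"))
    wordlist = ["password", "cheese", "hunter2"]  # constructed guess list
    print("unsalted trigger recovered:", recover_from_unsalted(unsalted_trigger("cheese"), wordlist))
    print("keyed trigger recovered:   ", recover_from_unsalted(keyed_trigger("cheese", b"trigger-key"), wordlist))
    print("next counter:", counter_trigger("1"))
```

Run it as a script: the constructed "today" state contains the plaintext twice, the proposed state contains only the version, and the unsalted trigger is recovered from a three-word list while the keyed trigger is not. That is the practical reason the issue leaves the trigger mechanism to the caller rather than hard-wiring a hash of the value.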
