This repository was archived by the owner on Feb 16, 2023. It is now read-only.

Make secrethub_write idempotent #2

Open
SimonBarendse opened this issue Oct 13, 2018 · 4 comments


@SimonBarendse
Member

Change request

Current behavior

When running a playbook with a secrethub_write several times,
each time a new version of the secret is written.

Expected behavior

When running a playbook with a secrethub_write several times,
only the first time a new version of the secret is written.

Proposal

Before writing the secret, the secret should be read. When the current
value is the same as the target value, the write is not performed.

The module will reflect in its return whether it has changed the secret
value.

@SimonBarendse
Member Author

I propose to add a state parameter that can have the present or new value. When the state is new, a new version will always be written, even if the value would not change. The present state will be the default and will only write when that would change the value of the latest version of the secret.
This is useful when you read specific secret versions from the playbook.

@SimonBarendse
Member Author

The s3 module has a similar parameter. They call it overwrite with options: always, different and never.

@mackenbach
Member

Ah, that's a neat trick. What about force_new: [always/true, different, never/false] with default value false?

@SimonBarendse
Member Author

I would pick different as default, as the module will then be idempotent by default.

I think never/false is only useful when the execution of the module is conditional, but is not the desired behavior in a default use-case.
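
A sketch of the read-before-write behaviour proposed in this thread, using the state values present and new from the second comment. This is an added example, not code from the secrethub Ansible module or from the participants: `InMemoryStore`, `write_secret` and the `check_mode` argument are hypothetical names, and the store is a constructed stand-in for the real backend.

```python
import hmac


class InMemoryStore:
    """Constructed stand-in for a versioned secret backend (not the SecretHub client)."""

    def __init__(self):
        self._versions = {}  # path -> list of byte values; index 0 is version 1

    def read_latest(self, path):
        """Return the latest value as bytes, or None if the secret has no versions."""
        versions = self._versions.get(path)
        return versions[-1] if versions else None

    def write(self, path, value):
        """Append a new version and return its version number."""
        self._versions.setdefault(path, []).append(value)
        return len(self._versions[path])

    def version_count(self, path):
        return len(self._versions.get(path, []))


def write_secret(store, path, value, state="present", check_mode=False):
    """Read before write, as proposed in the issue (hypothetical helper).

    state="present": write only if that changes the latest version's value.
    state="new": always write a new version, even if the value is unchanged.
    The returned dict reports the change but never contains the secret value.
    """
    if state not in ("present", "new"):
        raise ValueError("state must be 'present' or 'new'")
    new_value = value.encode() if isinstance(value, str) else value
    current = store.read_latest(path)
    # compare_digest keeps the comparison time independent of where values differ.
    same = current is not None and hmac.compare_digest(current, new_value)
    changed = state == "new" or not same
    version = store.version_count(path)
    if changed and not check_mode:
        # In check mode the change is reported but nothing is written.
        version = store.write(path, new_value)
    return {"changed": changed, "path": path, "version": version}
```

Running the same task twice with state present reports changed only on the first run, which is the behaviour the issue asks for.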
