[Feature] Add write-only argument support for resources like `elasticsearch_security_user`

**Is your feature request related to a problem? Please describe.**

When creating an `elasticsearch_security_user`, I have to provide a password right now through a normal field. If I want to source the password from an `ephemeral resource` (such as [HCP Vault's `kv_secret_v2`](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/ephemeral-resources/kv_secret_v2).

The [`kv_secret_v2` data source](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/kv_secret_v2) is [not the suggested path anymore](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/using_ephemeral_resources#use-the-vault-providers-new-ephemeral-resources) (when possible), as it causes secret leakage into your statefile.

Also, the data source is considered deprecated when you try to use it (Output from my terminal appended below):

```
│ Warning: Deprecated Resource
│ 
│   with data.vault_kv_secret_v2.elastic,
│   on data.tf line 6, in data "vault_kv_secret_v2" "elastic":
│    6: data "vault_kv_secret_v2" "elastic" {
│ 
│ Deprecated. Please use new Ephemeral KVV2 Secret resource `vault_kv_secret_v2` instead
│ 
│ (and one more similar warning elsewhere)
```

**Describe the resource you would like to have implemented.**

`elasticsearch_security_user` and any other resource which accepts sensitive values should have a corresponding `write-only` argument option for the sensitive value.

**Describe the solution you'd like**

For something like `elasticsearch_security_user`, two new fields should be added:

- `password_wo`: Accepts the ephemeral resource value
- `password_wo_version`: Field used to trigger an update of the resource, rather than triggering off the secret value changing. This could also be a string field where the suggestion is to strongly hash the password, so it would update only whenever the value actually changes. An example using an integer is present in the [`aws_db_instance` resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#password_wo_version-1)

**Describe alternatives you've considered**

Continuing to use data sources...but this is the state of things now and does not solve the issue of secrets ending up in a statefile

**Additional context**

- Terraform docs on ephemeral resources: https://developer.hashicorp.com/terraform/language/manage-sensitive-data/ephemeral
- Vault provider docs on ephemeral resources: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/using_ephemeral_resources#use-the-vault-providers-new-ephemeral-resources
- OpenTofu has implemented the ephemeral resource API and is just doing output format cleanup now: https://github.com/opentofu/opentofu/issues/2834

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Feature] Add write-only argument support for resources like `elasticsearch_security_user` #1295

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Feature] Add write-only argument support for resources like elasticsearch_security_user #1295

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

[Feature] Add write-only argument support for resources like `elasticsearch_security_user` #1295