terraform_data write-only and sensitive extensions#38298

Draft
jbardin wants to merge 2 commits intomainfrom
jbardin/terraform-data-extensions

Conversation

@jbardin jbardin commented Mar 19, 2026

Add a new store object to the terraform_data resource, which acts much like the top level resource, but can accept ephemeral values, and choose whether to mask the output as sensitive.

The store block input attribute is write-only, meaning that it can accept ephemeral values as well as non-ephemeral values, allowing the user to store anything in the corresponding output. The default behavior assumes a relatively stable input value, and will automatically plan the replacement of an output value when they do not match. An optional version attribute lets the user manually choose when to update the store outputs.

The optional sensitive attribute moves the stored value to the sensitive_output attribute, which is unsurprisingly defined as sensitive in the resource schema.

The optional replace attribute indicates that the entire resource should be replaced when there is an update to either the store output or sensitive_output value.

While this is a change to the resource schema, we do not version this change in the schema. If the schema were versioned, because this is a builtin provider, the schema upgrade would lock users into an upgraded terraform version, and prevent them from rolling back in the case of a critical bug. Since the schema upgrade does not need to restructure any of the data, we can insert the new block during the upgrade, and just let it be removed silently in the case of a downgrade.


An example of using the new store block

ephemeral "random_password" "test" {
  length = 16
}

resource "terraform_data" "test" {
  store {
    input   = ephemeral.random_password.test.result
    replace = true
    version = 1
  }
}

This will store the ephemeral password seen during apply in the output value.

Terraform will perform the following actions:

  # terraform_data.test will be created
  + resource "terraform_data" "test" {
      + id = (known after apply)

      + store {
          + input   = (write-only attribute)
          + output  = (known after apply)
          + replace = true
          + version = 1
        }
    }

With the result:

resource "terraform_data" "test" {
    id = "56844ba5-5dcd-34d3-dbc8-0891fcd76971"

    store {
        input   = (write-only attribute)
        output  = "jcu<xpT8=M@NjQJ-"
        replace = true
        version = 1
    }
}

Even though the random password will change on every plan and apply, terraform_data.test will remain stable until the version attribute is changed to some other value. Once version is changed, the output attribute will have a planned change, and the replace attribute will cause the resource to be recreated.
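An added example, not taken from the PR or the Terraform project, showing the optional sensitive attribute described above: the same ephemeral random_password input as in the PR's example, but routed to sensitive_output instead of output and then exposed through a sensitive root module output. The reference path terraform_data.db_password.store.sensitive_output is an assumption, since the PR text does not show how the nested store object is addressed.

```hcl
ephemeral "random_password" "db" {
  length = 24
}

resource "terraform_data" "db_password" {
  store {
    # Write-only: the ephemeral value is accepted here but never persisted as input.
    input = ephemeral.random_password.db.result

    # Route the stored value to sensitive_output (masked in the schema) instead of output.
    sensitive = true

    # The stored value is held stable across plans until this is bumped; change it to rotate.
    version = 1
  }
}

output "db_password" {
  # Assumed reference path for the nested store object (not confirmed by the PR text).
  value = terraform_data.db_password.store.sensitive_output

  # Root outputs must be marked sensitive themselves to keep the value out of plain CLI output.
  sensitive = true
}
```

The stored value still lives in the state file, since persisting it is the whole purpose of the store block; marking it sensitive only affects how Terraform displays it. Access control and encryption on the state backend therefore remain the real protection for whatever is stored here, and bumping version is the intended way to rotate it.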

@github-actions (Contributor)

Changelog Warning

Currently this PR would target a v1.16 release. Please add a changelog entry in the .changes/v1.16 folder, or discuss which release you'd like to target with your reviewer. If you believe this change does not need a changelog entry, please add the 'no-changelog-needed' label.

@jbardin jbardin changed the title from "Jbardin/terraform data extensions" to "terraform_data write-only and sensitive extensions" on Mar 19, 2026

jbardin added 2 commits on March 19, 2026 at 20:48:

Add a new object to the terraform_data resource to handle sensitive and
write-only attributes.

The new `store` object has input and output values, which work much like
the top-level input and output. The difference is that the `store.input`
is truly "write only" and can also accept ephemeral values.

Additional arguments for the `store` object are:
- `version`, allows the user to determine exactly when the input
  value will be replaced in `store.output`.
- `sensitive`, conditionally directs the stored value between `output`
  or `sensitive_output`.
- `replace` signals that any change to either output should trigger
  replacement of the entire resource.

Update a stacks test to ensure we create up-to-date values for the
terraform_data resource. We also remove the encoded test values for
easier reading.

Update the copy of the schema necessary for the rpcapi test

@jbardin jbardin force-pushed the jbardin/terraform-data-extensions branch from a38dd9d to b477351 on March 20, 2026 at 00:48