azurerm_key_vault_certificate: Ensure certificate contents are sensitive in apply output

[TraGicCode]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When utilizing the azurerm_key_vault_certificate resource it exposes the certificate contents in the output when doing a terraform apply. It would be nice to have them output as since the contents are considered secrets.

Terraform Resource Example

Resources

resource "azurerm_key_vault_certificate" "test" {
  name     = "imported-cert"
  key_vault_id = "XXXXXXX"

  certificate {
    contents = "${acme_certificate.certificate.certificate_p12}"
    password = ""
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}

Apply output

azurerm_key_vault_certificate.test: Creating...
  certificate.#:                                         "" => "1"
  certificate.0.contents:                                "" => "MIIQYwI.....DU4hQwKzAfMAcGBSsOAwIaBBSg+IQFcUBiQd0B9CCQI2ozFTRg7gQI07VOA3wfLIQ="
  certificate_data:                                      "" => "<computed>"
  certificate_policy.#:                                  "" => "1"
  certificate_policy.0.issuer_parameters.#:              "" => "1"
  certificate_policy.0.issuer_parameters.0.name:         "" => "Self"
  certificate_policy.0.key_properties.#:                 "" => "1"
  certificate_policy.0.key_properties.0.exportable:      "" => "true"
  certificate_policy.0.key_properties.0.key_size:        "" => "2048"
  certificate_policy.0.key_properties.0.key_type:        "" => "RSA"
  certificate_policy.0.key_properties.0.reuse_key:       "" => "false"
  certificate_policy.0.secret_properties.#:              "" => "1"
  certificate_policy.0.secret_properties.0.content_type: "" => "application/x-pkcs12"
  certificate_policy.0.x509_certificate_properties.#:    "" => "<computed>"
  key_vault_id:                                          "" => "XXXXXX"
  name:                                                  "" => "imported-cert"
  secret_id:                                             "" => "<computed>"
  tags.%:                                                "" => "<computed>"
  thumbprint:                                            "" => "<computed>"
  vault_uri:                                             "" => "<computed>"
  version:                                               "" => "<computed>"

The certificate contents, as shown above, should be shown as sensitive in the output like below

"<sensitive>" => "<sensitive>"

[ghost]

This has been released in version 1.24.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
	version = "~> 1.24.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!