feat(secret): add support for WriteOnly data argument in secret version #3538
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
secret
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3538 +/- ##
=========================================
- Coverage 1.71% 1.70% -0.01%
=========================================
Files 434 434
Lines 47517 47527 +10
=========================================
- Hits 813 811 -2
- Misses 46616 46627 +11
- Partials 88 89 +1 ☔ View full report in Codecov by Sentry. |
remyleone
previously approved these changes
Dec 18, 2025
estellesoulard
force-pushed
the
feat/add-secret-data-wo
branch
from
8333b0a to
b39ef02
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
I was implementing key manager's
Encryptcall as anEphemeral Resource. This kind of resource seems like the most appropriate implementation choice (Ephemeral Resourcesare not persisted in state, and seems perfect for the use case of returning an encrypted payload).To test this
Ephemeral Resource, I needed a matching resource argument that I could transfer myEphemeral Resource's value into. This is necessary becauseEphemeral Resourcescannot be outputted nor used liberally in any other resource, therefore in the acceptance tests I had no way to check that theEphemeral Resourceproperly worked.However, an
Ephemeral Resource's attribute value can be transferred into aWriteOnlyargument, that I could later retrieve in the target resource's datasource. This is exactly what I did here 😄PR content: TLDR
This PR adds a
data_woargument to secret_version Resource that can be used alternatively to the classicdataargument.Since this
data_wois aWriteOnlyit is not stored in the state, and drifts cannot be detected. It is fundamentally incompatible withForceNew. I bypassed this issue by adding adata_wo_versionwith ForceNew, enabling a simili-ForceNew fordata_wo: updatingdata_worequires to updatedata_wo_version, which will then be properly caught by Terraform and trigger a recreation.A word of caution
This PR is the first in a long line of WriteOnly attribute additions. (cf #3423). It may be treated as a blueprint for the following ones: please raise any concern during your review 🫡