hide sensitive values from response_export_values of azapi_resource_action

[oocx]

I'm using azapi_resource_action to generate a key pair:

resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
  type        = "Microsoft.Compute/sshPublicKeys@2022-11-01"
  resource_id = azapi_resource.admin_user_ssh_public_key.id
  action      = "generateKeyPair"
  method      = "POST"

  response_export_values  = ["publicKey", "privateKey"]
  
}

The generated private key is shown in my terraform plan:

-/+ resource "azapi_resource_action" "admin_user_ssh_public_key_generate" {
      ~ id                     = "/subscriptions/.../providers/Microsoft.Compute/sshPublicKeys/mykey/generateKeyPair" -> (known after apply)
      ~ output                 = {
          - privateKey = <<-EOT
                -----BEGIN RSA PRIVATE KEY-----
                ...

How can I mark the privateKey attribute as sensitive, so that it is not shown in the terraform plan?

[ms-henglu]

Hi @oocx ,

Thank you for taking time to report this issue.

Unfortunately, user couldn't mark a resource's field as sensitive. And from the provider's perspective, the terraform protocol doesn't support marking a field as sensitive conditionally either.

Related issue: hashicorp/terraform-plugin-sdk#736