fix: mark attributes of sensitive blocks as sensitive

CHANGELOG.md

@@ -9,6 +9,10 @@ nav_order: 1
 <!-- Always keep the following header in place: -->
 <!-- ## [MAJOR.MINOR.PATCH] - YYYY-MM-DD -->
 
+## [MAJOR.MINOR.PATCH] - YYYY-MM-DD
+
+- Recursively mark attributes of sensitive blocks as sensitive due to an [issue in Terraform](https://github.com/hashicorp/terraform-plugin-sdk/issues/201)
+
 ## [4.23.0] - 2024-08-19
 
 - Use enum choices from [code-generated client](https://github.com/aiven/go-client-codegen)

docs/resources/cassandra.md

@@ -78,7 +78,7 @@ resource "aiven_cassandra" "bar" {
 
 Optional:
 
-- `uris` (List of String) Cassandra server URIs.
+- `uris` (List of String, Sensitive) Cassandra server URIs.
 
 
 <a id="nestedblock--cassandra_user_config"></a>

docs/resources/clickhouse.md

@@ -70,7 +70,7 @@ resource "aiven_clickhouse" "example_clickhouse" {
 
 Optional:
 
-- `uris` (List of String) ClickHouse server URIs.
+- `uris` (List of String, Sensitive) ClickHouse server URIs.
 
 
 <a id="nestedblock--clickhouse_user_config"></a>

docs/resources/dragonfly.md

@@ -72,13 +72,13 @@ resource "aiven_dragonfly" "example_dragonfly" {
 
 Optional:
 
-- `slave_uris` (List of String) Dragonfly slave server URIs.
-- `uris` (List of String) Dragonfly server URIs.
+- `slave_uris` (List of String, Sensitive) Dragonfly slave server URIs.
+- `uris` (List of String, Sensitive) Dragonfly server URIs.
 
 Read-Only:
 
 - `password` (String, Sensitive) Dragonfly password.
-- `replica_uri` (String) Dragonfly replica server URI.
+- `replica_uri` (String, Sensitive) Dragonfly replica server URI.
 
 
 <a id="nestedblock--dragonfly_user_config"></a>

docs/resources/flink.md

@@ -74,7 +74,7 @@ resource "aiven_flink" "example_flink" {
 
 Optional:
 
-- `host_ports` (List of String) The host and port of a Flink server.
+- `host_ports` (List of String, Sensitive) The host and port of a Flink server.
 
 
 <a id="nestedblock--flink_user_config"></a>

docs/resources/grafana.md

@@ -78,7 +78,7 @@ resource "aiven_grafana" "gr1" {
 
 Optional:
 
-- `uris` (List of String) Grafana server URIs.
+- `uris` (List of String, Sensitive) Grafana server URIs.
 
 
 <a id="nestedblock--grafana_user_config"></a>

docs/resources/kafka.md

@@ -89,7 +89,7 @@ resource "aiven_kafka" "example_kafka" {
 
 Optional:
 
-- `uris` (List of String) Kafka server URIs.
+- `uris` (List of String, Sensitive) Kafka server URIs.
 
 Read-Only:
 

docs/resources/m3aggregator.md

@@ -74,11 +74,11 @@ resource "aiven_m3aggregator" "m3a" {
 
 Optional:
 
-- `uris` (List of String) M3 Aggregator server URIs.
+- `uris` (List of String, Sensitive) M3 Aggregator server URIs.
 
 Read-Only:
 
-- `aggregator_http_uri` (String) M3 Aggregator HTTP URI.
+- `aggregator_http_uri` (String, Sensitive) M3 Aggregator HTTP URI.
 
 
 <a id="nestedblock--m3aggregator_user_config"></a>

docs/resources/m3db.md

@@ -79,15 +79,15 @@ resource "aiven_m3db" "m3" {
 
 Optional:
 
-- `uris` (List of String) M3DB server URIs.
+- `uris` (List of String, Sensitive) M3DB server URIs.
 
 Read-Only:
 
-- `http_cluster_uri` (String) M3DB cluster URI.
-- `http_node_uri` (String) M3DB node URI.
-- `influxdb_uri` (String) InfluxDB URI.
-- `prometheus_remote_read_uri` (String) Prometheus remote read URI.
-- `prometheus_remote_write_uri` (String) Prometheus remote write URI.
+- `http_cluster_uri` (String, Sensitive) M3DB cluster URI.
+- `http_node_uri` (String, Sensitive) M3DB node URI.
+- `influxdb_uri` (String, Sensitive) InfluxDB URI.
+- `prometheus_remote_read_uri` (String, Sensitive) Prometheus remote read URI.
+- `prometheus_remote_write_uri` (String, Sensitive) Prometheus remote write URI.
 
 
 <a id="nestedblock--m3db_user_config"></a>

docs/resources/mysql.md

@@ -83,9 +83,9 @@ resource "aiven_mysql" "mysql1" {
 
 Optional:
 
-- `standby_uris` (List of String) MySQL standby connection URIs
-- `syncing_uris` (List of String) MySQL syncing connection URIs
-- `uris` (List of String) MySQL master connection URIs
+- `standby_uris` (List of String, Sensitive) MySQL standby connection URIs
+- `syncing_uris` (List of String, Sensitive) MySQL syncing connection URIs
+- `uris` (List of String, Sensitive) MySQL master connection URIs
 
 Read-Only:
 
@@ -97,12 +97,12 @@ Read-Only:
 
 Read-Only:
 
-- `database_name` (String) Primary MySQL database name
-- `host` (String) MySQL host IP or name
+- `database_name` (String, Sensitive) Primary MySQL database name
+- `host` (String, Sensitive) MySQL host IP or name
 - `password` (String, Sensitive) MySQL admin user password
-- `port` (Number) MySQL port
-- `sslmode` (String) MySQL sslmode setting (currently always "require")
-- `user` (String) MySQL admin user name
+- `port` (Number, Sensitive) MySQL port
+- `sslmode` (String, Sensitive) MySQL sslmode setting (currently always "require")
+- `user` (String, Sensitive) MySQL admin user name
 
 
 

docs/resources/opensearch.md

@@ -84,14 +84,14 @@ resource "aiven_opensearch" "os1" {
 
 Optional:
 
-- `uris` (List of String) OpenSearch server URIs.
+- `uris` (List of String, Sensitive) OpenSearch server URIs.
 
 Read-Only:
 
-- `kibana_uri` (String) URI for Kibana dashboard frontend
+- `kibana_uri` (String, Sensitive) URI for Kibana dashboard frontend
 - `opensearch_dashboards_uri` (String, Sensitive) URI for OpenSearch dashboard frontend
 - `password` (String, Sensitive) OpenSearch password
-- `username` (String) OpenSearch username
+- `username` (String, Sensitive) OpenSearch username
 
 
 <a id="nestedblock--opensearch_user_config"></a>

docs/resources/pg.md

@@ -96,35 +96,35 @@ resource "aiven_pg" "example_postgres" {
 
 Optional:
 
-- `standby_uris` (List of String) PostgreSQL standby connection URIs.
-- `syncing_uris` (List of String) PostgreSQL syncing connection URIs.
+- `standby_uris` (List of String, Sensitive) PostgreSQL standby connection URIs.
+- `syncing_uris` (List of String, Sensitive) PostgreSQL syncing connection URIs.
 - `uri` (String, Sensitive) PostgreSQL primary connection URI.
-- `uris` (List of String) PostgreSQL primary connection URIs.
+- `uris` (List of String, Sensitive) PostgreSQL primary connection URIs.
 
 Read-Only:
 
-- `bouncer` (String) PgBouncer connection details for [connection pooling](https://aiven.io/docs/products/postgresql/concepts/pg-connection-pooling).
-- `dbname` (String) Primary PostgreSQL database name.
-- `host` (String) PostgreSQL primary node host IP or name.
-- `max_connections` (Number) The [number of allowed connections](https://aiven.io/docs/products/postgresql/reference/pg-connection-limits). Varies based on the service plan.
+- `bouncer` (String, Sensitive) PgBouncer connection details for [connection pooling](https://aiven.io/docs/products/postgresql/concepts/pg-connection-pooling).
+- `dbname` (String, Sensitive) Primary PostgreSQL database name.
+- `host` (String, Sensitive) PostgreSQL primary node host IP or name.
+- `max_connections` (Number, Sensitive) The [number of allowed connections](https://aiven.io/docs/products/postgresql/reference/pg-connection-limits). Varies based on the service plan.
 - `params` (Block List) PostgreSQL connection parameters. (see [below for nested schema](#nestedblock--pg--params))
 - `password` (String, Sensitive) PostgreSQL admin user password.
-- `port` (Number) PostgreSQL port.
+- `port` (Number, Sensitive) PostgreSQL port.
 - `replica_uri` (String, Sensitive) PostgreSQL replica URI for services with a replica.
-- `sslmode` (String) PostgreSQL SSL mode setting.
-- `user` (String) PostgreSQL admin user name.
+- `sslmode` (String, Sensitive) PostgreSQL SSL mode setting.
+- `user` (String, Sensitive) PostgreSQL admin user name.
 
 <a id="nestedblock--pg--params"></a>
 ### Nested Schema for `pg.params`
 
 Read-Only:
 
-- `database_name` (String) Primary PostgreSQL database name.
-- `host` (String) PostgreSQL host IP or name.
+- `database_name` (String, Sensitive) Primary PostgreSQL database name.
+- `host` (String, Sensitive) PostgreSQL host IP or name.
 - `password` (String, Sensitive) PostgreSQL admin user password.
-- `port` (Number) PostgreSQL port.
-- `sslmode` (String) PostgreSQL SSL mode setting.
-- `user` (String) PostgreSQL admin user name.
+- `port` (Number, Sensitive) PostgreSQL port.
+- `sslmode` (String, Sensitive) PostgreSQL SSL mode setting.
+- `user` (String, Sensitive) PostgreSQL admin user name.
 
 
 

docs/resources/redis.md

@@ -78,13 +78,13 @@ resource "aiven_redis" "redis1" {
 
 Optional:
 
-- `slave_uris` (List of String) Redis slave server URIs.
-- `uris` (List of String) Redis server URIs.
+- `slave_uris` (List of String, Sensitive) Redis slave server URIs.
+- `uris` (List of String, Sensitive) Redis server URIs.
 
 Read-Only:
 
 - `password` (String, Sensitive) Redis password.
-- `replica_uri` (String) Redis replica server URI.
+- `replica_uri` (String, Sensitive) Redis replica server URI.
 
 
 <a id="nestedblock--redis_user_config"></a>

docs/resources/thanos.md

@@ -90,7 +90,7 @@ Required:
 
 Optional:
 
-- `uris` (List of String) Thanos server URIs.
+- `uris` (List of String, Sensitive) Thanos server URIs.
 
 Read-Only:
 

docs/resources/valkey.md

@@ -115,13 +115,13 @@ Optional:
 
 Optional:
 
-- `slave_uris` (List of String) Valkey slave server URIs.
-- `uris` (List of String) Valkey server URIs.
+- `slave_uris` (List of String, Sensitive) Valkey slave server URIs.
+- `uris` (List of String, Sensitive) Valkey server URIs.
 
 Read-Only:
 
 - `password` (String, Sensitive) Valkey password.
-- `replica_uri` (String) Valkey replica server URI.
+- `replica_uri` (String, Sensitive) Valkey replica server URI.
 
 
 <a id="nestedblock--valkey_user_config"></a>

internal/sdkprovider/provider/provider.go

@@ -286,6 +286,10 @@ func Provider(version string) *schema.Provider {
 		addBeta(p.DataSourcesMap, betaResources...)...,
 	)
 
+	// Marks sensitive fields recursively
+	markSensitive(p.ResourcesMap, false)
+	markSensitive(p.DataSourcesMap, false)
+
 	if missing != nil {
 		panic(fmt.Errorf("not all beta resources/datasources are found: %s", strings.Join(missing, ", ")))
 	}
@@ -331,3 +335,23 @@ func addBeta(m map[string]*schema.Resource, keys ...string) (missing []string) {
 	}
 	return missing
 }
+
+// markSensitive Recursively marks attributes of sensitive blocks as sensitive due to an issue in Terraform
+// https://github.com/hashicorp/terraform-plugin-sdk/issues/201
+func markSensitive(m map[string]*schema.Resource, sensitive bool) {
+	for _, v := range m {
+		markSensitiveResource(v, sensitive)
+	}
+}
+
+func markSensitiveResource(r *schema.Resource, sensitive bool) {
+	for _, parent := range r.Schema {
+		parent.Sensitive = parent.Sensitive || sensitive
+		switch child := parent.Elem.(type) {
+		case *schema.Resource:
+			markSensitiveResource(child, parent.Sensitive)
+		case *schema.Schema:
+			child.Sensitive = child.Sensitive || sensitive
+		}
+	}
+}