mark kube_config and kube_admin_config as sensitive with env variable

internal/services/containers/kubernetes_cluster_data_source.go

@@ -877,6 +877,88 @@ func dataSourceKubernetesCluster() *pluginsdk.Resource {
 		}
 	}
 
+	if features.KubeConfigsAreSensitive() {
+		resource.Schema["kube_config"] = &pluginsdk.Schema{
+			Type:      pluginsdk.TypeList,
+			Computed:  true,
+			Sensitive: true,
+			Elem: &pluginsdk.Resource{
+				Schema: map[string]*pluginsdk.Schema{
+					"host": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"username": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"password": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"client_certificate": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"client_key": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"cluster_ca_certificate": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+				},
+			},
+		}
+
+		resource.Schema["kube_admin_config"] = &pluginsdk.Schema{
+			Type:      pluginsdk.TypeList,
+			Computed:  true,
+			Sensitive: true,
+			Elem: &pluginsdk.Resource{
+				Schema: map[string]*pluginsdk.Schema{
+					"host": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"username": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"password": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"client_certificate": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"client_key": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+					"cluster_ca_certificate": {
+						Type:      pluginsdk.TypeString,
+						Computed:  true,
+						Sensitive: true,
+					},
+				},
+			},
+		}
+	}
+
 	return resource
 }
 

internal/services/containers/kubernetes_cluster_data_source_test.go

@@ -39,6 +39,35 @@ func TestAccDataSourceKubernetesCluster_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceKubernetesCluster_basicSensitive(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
+	r := KubernetesClusterDataSource{}
+
+	os.Setenv("ARM_AKS_KUBE_CONFIGS_SENSITIVE", "true")
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: r.basicConfig(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("kube_config.0.client_key").Exists(),
+				check.That(data.ResourceName).Key("kube_config.0.client_certificate").Exists(),
+				check.That(data.ResourceName).Key("kube_config.0.cluster_ca_certificate").Exists(),
+				check.That(data.ResourceName).Key("kube_config.0.host").Exists(),
+				check.That(data.ResourceName).Key("kube_config.0.username").Exists(),
+				check.That(data.ResourceName).Key("kube_config.0.password").Exists(),
+				check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("0"),
+				check.That(data.ResourceName).Key("kube_admin_config_raw").HasValue(""),
+				check.That(data.ResourceName).Key("kubelet_identity.0.object_id").Exists(),
+				check.That(data.ResourceName).Key("kubelet_identity.0.client_id").Exists(),
+				check.That(data.ResourceName).Key("kubelet_identity.0.user_assigned_identity_id").Exists(),
+				check.That(data.ResourceName).Key("identity.0.type").HasValue("SystemAssigned"),
+				check.That(data.ResourceName).Key("identity.0.principal_id").Exists(),
+				check.That(data.ResourceName).Key("identity.0.tenant_id").Exists(),
+			),
+		},
+	})
+}
+
 func TestAccDataSourceKubernetesCluster_privateCluster(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_kubernetes_cluster", "test")
 
@@ -127,6 +156,49 @@ func TestAccDataSourceKubernetesCluster_roleBasedAccessControlAAD(t *testing.T)
 	}
 }
 
+func TestAccDataSourceKubernetesCluster_roleBasedAccessControlAADSensitive(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
+	r := KubernetesClusterDataSource{}
+	clientId := os.Getenv("ARM_CLIENT_ID")
+	clientSecret := os.Getenv("ARM_CLIENT_SECRET")
+	tenantId := os.Getenv("ARM_TENANT_ID")
+
+	os.Setenv("ARM_AKS_KUBE_CONFIGS_SENSITIVE", "true")
+
+	if !features.ThreePointOhBeta() {
+		data.DataSourceTest(t, []acceptance.TestStep{
+			{
+				Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId),
+				Check: acceptance.ComposeTestCheckFunc(
+					check.That(data.ResourceName).Key("role_based_access_control.#").HasValue("1"),
+					check.That(data.ResourceName).Key("role_based_access_control.0.enabled").HasValue("true"),
+					check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.#").HasValue("1"),
+					check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.client_app_id").Exists(),
+					check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.server_app_id").Exists(),
+					check.That(data.ResourceName).Key("role_based_access_control.0.azure_active_directory.0.tenant_id").Exists(),
+					check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"),
+					check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(),
+				),
+			},
+		})
+	} else {
+		data.DataSourceTest(t, []acceptance.TestStep{
+			{
+				Config: r.roleBasedAccessControlAADConfig(data, clientId, clientSecret, tenantId),
+				Check: acceptance.ComposeTestCheckFunc(
+					check.That(data.ResourceName).Key("role_based_access_control_enabled").HasValue("true"),
+					check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.#").HasValue("1"),
+					check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.client_app_id").Exists(),
+					check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.server_app_id").Exists(),
+					check.That(data.ResourceName).Key("azure_active_directory_role_based_access_control.0.tenant_id").Exists(),
+					check.That(data.ResourceName).Key("kube_admin_config.#").HasValue("1"),
+					check.That(data.ResourceName).Key("kube_admin_config_raw").Exists(),
+				),
+			},
+		})
+	}
+}
+
 func TestAccDataSourceKubernetesCluster_localAccountDisabled(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azurerm_kubernetes_cluster", "test")
 	r := KubernetesClusterDataSource{}

website/docs/d/kubernetes_cluster.html.markdown

@@ -66,10 +66,14 @@ The following attributes are exported:
 
 * `kube_admin_config` - A `kube_admin_config` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are not disabled.
 
+~> **NOTE:** To mark the whole of `kube_admin_config` as Sensitive in State, set the environment variable `ARM_AKS_KUBE_CONFIGS_SENSITIVE` to `true`. Any values from this block used in `outputs` will then also need to be marked as sensitive.
+
 * `kube_admin_config_raw` - Raw Kubernetes config for the admin account to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are not disabled.
 
 * `kube_config` - A `kube_config` block as defined below.
 
+~> **NOTE:** To mark the whole of `kube_config` as Sensitive in State, set the environment variable `ARM_AKS_KUBE_CONFIGS_SENSITIVE` to `true`. Any values from this block used in `outputs` will then also need to be marked as sensitive.
+
 * `kube_config_raw` - Base64 encoded Kubernetes configuration.
 
 * `kubernetes_version` - The version of Kubernetes used on the managed Kubernetes Cluster.