feature request: support ephemeral values on azapi_resource_action action and resource #1039

@rafabu

Description

Feature Request: Support sensitive_body and sensitive_body_version with azapi_resource_action action, resource and potentially ephemeral blocks

Use Case

Managing ephemeral secrets (like VPN pre-shared keys etc.) that should:

  • Never be stored in Terraform state
  • Only be updated when explicitly triggered via lifecycle events
  • Use ephemeral resources for generation

Current Limitation

action "azapi_resource_action" "preshared_key_put" {
  config {
    type        = "Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys@2025-03-01"
    resource_id = "${local.vpnLinkKeyId}/sharedKeys/default"
    method      = "PUT"

    body = {
      properties = {}
    }

    # ❌ Not supported
    sensitive_body = {
      properties = {
        sharedKey = ephemeral.random_password.link_connection_shared_key[local.vpnLinkKeyId].result
      }
    }
  }
}

# The resource form has no config block; its attributes are top-level.
resource "azapi_resource_action" "preshared_key_put" {
  type        = "Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys@2025-03-01"
  resource_id = "${local.vpnLinkKeyId}/sharedKeys/default"
  method      = "PUT"

  body = {
    properties = {}
  }

  # ❌ Not supported
  sensitive_body = {
    properties = {
      sharedKey = ephemeral.random_password.link_connection_shared_key[local.vpnLinkKeyId].result
    }
  }
  # ❌ Not supported
  sensitive_body_version = {
    "properties.sharedKey" = terraform_data.link_connection_shared_key_version[local.vpnLinkKeyId].output.key_version
  }
}

# ❌ Renews (and writes a new, ephemeral secret) on each apply, not only when the action is required
ephemeral "azapi_resource_action" "preshared_key_put" {
  type        = "Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys@2025-03-01"
  resource_id = "${local.vpnLinkKeyId}/sharedKeys/default"
  method      = "PUT"

  body = {
    properties = {
      sharedKey = ephemeral.random_password.link_connection_shared_key[local.vpnLinkKeyId].result
    }
  }
}

Workaround Required

Currently must use azapi_update_resource which:

  • Creates a managed resource in state (even though data is encrypted)
  • Is less intuitive for one-time operations
  • Doesn't align with the action pattern
  • Does not support any method other than PATCH

Using the ephemeral azapi_resource_action does not serve the purpose as it will update on every apply.

Proposed Solution

Add sensitive_body support to action blocks, mirroring the existing implementation in azapi_resource and azapi_update_resource. Action probably does not need to support sensitive_body_version as the trigger logic should really happen in the resource calling the action.

Consider adding both sensitive_body and sensitive_body_version to the resource azapi_update_resource and maybe the ephemeral azapi_update_resource. This would allow similar, secure patterns for users that cannot yet make use of an action block.

Benefits

  1. True ephemeral secret management
  2. Better alignment with Terraform 1.10+ patterns
  3. Cleaner separation between managed resources and operations
  4. Consistency across AzAPI provider resources

References

  • azapi_resource already supports sensitive_body
  • azapi_update_resource already supports sensitive_body
  • Action blocks support lifecycle triggers
  • 988, which I believe could have been closed as the action support was released with v2.8.0
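The workaround described under "Workaround Required", written out as an added HCL example (not the issue author's code): it relies only on what the issue confirms, namely that azapi_update_resource supports write-only sensitive_body, and uses lifecycle replace_triggered_by plus a terraform_data version counter to control when the key is regenerated and re-sent. The variable names vpn_link_key_id and shared_key_version are assumptions introduced here.

```hcl
terraform {
  required_providers {
    azapi  = { source = "Azure/azapi" }
    random = { source = "hashicorp/random" } # ephemeral random_password needs >= 3.7
  }
}

# Assumed inputs (not from the issue): the vpnLinkConnection resource id and a
# rotation counter. Bumping shared_key_version is the explicit rotation trigger.
variable "vpn_link_key_id" {
  type = string
}

variable "shared_key_version" {
  type    = number
  default = 1
}

# Ephemeral: the generated key is never written to state or plan output.
ephemeral "random_password" "link_connection_shared_key" {
  length  = 32
  special = false
}

# Version marker that exists only to drive replacement of the update resource.
resource "terraform_data" "shared_key_version" {
  input = var.shared_key_version
}

# Workaround: azapi_update_resource is a managed resource (it remains in state)
# and only issues PATCH. sensitive_body is write-only, so the key itself is not
# persisted; it is sent when this resource is (re)created, and replace_triggered_by
# makes that happen only when shared_key_version changes, not on every apply.
resource "azapi_update_resource" "preshared_key" {
  type        = "Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys@2025-03-01"
  resource_id = "${var.vpn_link_key_id}/sharedKeys/default"

  body = {
    properties = {}
  }

  sensitive_body = {
    properties = {
      sharedKey = ephemeral.random_password.link_connection_shared_key.result
    }
  }

  lifecycle {
    replace_triggered_by = [terraform_data.shared_key_version]
  }
}
```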

Labels: enhancement (New feature or request)