[Feature] Add databricks_secret write-only attributes

[ashenm]

Changes

Add string_value_wo and string_value_wo_version ephemeral attributes to databricks_secret resource allowing write-only secret value population avoiding secret value being written to state

Tests

Tested via unit-tests and also deployed locally using local provider build

• make test run locally
• relevant change in docs/ folder
• covered with integration tests in internal/acceptance
• using Go SDK
• using TF Plugin Framework
• has entry in NEXT_CHANGELOG.md file

[rauchy]

@ashenm Thanks for the PR!

The write-only approach makes sense, but I'm not a fan of changing provider infrastructure (common/resource.go, qa/) for this - that affects every resource in the provider and I'd rather keep the blast radius small.

I think you may avoid all of that by adding an Update handler to the resource. PutSecret is already an upsert so it'd be basically the same as Create. That makes the resource CRUD instead of CRD, which means the ForceNew loop in common/resource.go won't kick in and you don't need to patch it. As a bonus, string_value_wo_version wouldn't need ForceNew either - bumping it would just trigger an update instead of destroy+recreate, which is nicer for users doing secret rotation.

[ashenm]

@rauchy yep make sense; updated to CRUD as suggested removing common/ changes. Leaving the qa/ changes as it's required to mimic the actual behaviour of RawConfig for tests

[github-actions]

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/terraform

Inputs:

• PR number: 5480
• Commit SHA: a7cb18ab9672e5951a50dcc38796c5a33c2dc36e

Checks will be approved automatically on success.