local_file: sensitive_content argument

Sometimes local_file is used to generate files containing sensitive content.

This new alternative argument, which can be used in place of content, will prevent such sensitive content from being displayed in diff output. It conflicts with the existing "content" argument, and so users must choose either one or the other.

Author: alewando

local/resource_local_file.go

@@ -18,9 +18,17 @@ func resourceLocalFile() *schema.Resource {
 
 		Schema: map[string]*schema.Schema{
 			"content": {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"sensitive_content"},
+			},
+			"sensitive_content": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				Sensitive:     true,
+				ConflictsWith: []string{"content"},
 			},
 			"filename": {
 				Type:        schema.TypeString,
@@ -57,8 +65,19 @@ func resourceLocalFileRead(d *schema.ResourceData, _ interface{}) error {
 	return nil
 }
 
+func resourceLocalFileContent(d *schema.ResourceData) string {
+	content := d.Get("content")
+	sensitiveContent, sensitiveSpecified := d.GetOk("sensitive_content")
+	useContent := content.(string)
+	if sensitiveSpecified {
+		useContent = sensitiveContent.(string)
+	}
+
+	return useContent
+}
+
 func resourceLocalFileCreate(d *schema.ResourceData, _ interface{}) error {
-	content := d.Get("content").(string)
+	content := resourceLocalFileContent(d)
 	destination := d.Get("filename").(string)
 
 	destinationDir := path.Dir(destination)

local/resource_local_file_test.go

@@ -23,6 +23,14 @@ func TestLocalFile_Basic(t *testing.T) {
 			`resource "local_file" "file" {
          content     = "This is some content"
          filename    = "local_file"
+      }`,
+		},
+		{
+			"local_file",
+			"This is some sensitive content",
+			`resource "local_file" "file" {
+         sensitive_content     = "This is some sensitive content"
+         filename    = "local_file"
       }`,
 		},
 	}

website/docs/r/file.html.md

@@ -29,7 +29,9 @@ resource "local_file" "foo" {
 
 The following arguments are supported:
 
-* `content` - (Required) The content of file to create.
+* `content` - (Optional) The content of file to create. Conflicts with `sensitive_content`.
+
+* `sensitive_content` - (Optional) The content of file to create. Will not be displayed in diffs. Conflicts with `content`.
 
 * `filename` - (Required) The path of the file to create.