feat: mark password fields as sensitive in dedicated server resources (#515)

- Add Sensitive: true to password field in dedicatedserver/credential_resource.go
- Add Sensitive: true to password field in dedicatedserver/installation_resource.go
- Add schema unit tests to verify password fields are marked as sensitive
- Update documentation to reflect sensitive attribute

Fixes #6

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Imtiaz Ahmed <imtiazPabel@users.noreply.github.com>

Author: imtiazPabel

docs/resources/dedicated_server_credential.md

@@ -28,6 +28,6 @@ resource "leaseweb_dedicated_server_credential" "example" {
 ### Required
 
 - `dedicated_server_id` (String) The ID of the dedicated server.
-- `password` (String) The password for the credentials
+- `password` (String, Sensitive) The password for the credentials
 - `type` (String) The type of the credential. Valid options are: "OPERATING_SYSTEM", "CONTROL_PANEL", "REMOTE_MANAGEMENT", "RESCUE_MODE", "SWITCH", "PDU", "FIREWALL", "LOAD_BALANCER"
 - `username` (String) The username for the credentials

docs/resources/dedicated_server_installation.md

@@ -49,7 +49,7 @@ resource "leaseweb_dedicated_server_installation" "example" {
 - `device` (String) Block devices in a disk set in which the partitions will be installed. Supported values are any disk set id, `SATA_SAS` or `NVME`.
 - `hostname` (String) Hostname to be used in your installation
 - `partitions` (Attributes List) (see [below for nested schema](#nestedatt--partitions))
-- `password` (String) Server root password. If not provided, it would be automatically generated
+- `password` (String, Sensitive) Server root password. If not provided, it would be automatically generated
 - `post_install_script` (String) A valid bash script to run right after the installation.
 - `power_cycle` (Boolean) If true, allows system reboots to happen automatically within the process. Otherwise, you should do them manually
 - `raid` (Attributes) (see [below for nested schema](#nestedatt--raid))

internal/provider/dedicatedserver/credential_resource.go

@@ -71,6 +71,7 @@ func (c *credentialResource) Schema(
 			},
 			"password": schema.StringAttribute{
 				Required:    true,
+				Sensitive:   true,
 				Description: `The password for the credentials`,
 			},
 		},

internal/provider/dedicatedserver/installation_resource.go

@@ -206,6 +206,7 @@ func (i *installationResource) Schema(
 			"password": schema.StringAttribute{
 				Description: "Server root password. If not provided, it would be automatically generated",
 				Optional:    true,
+				Sensitive:   true,
 				PlanModifiers: []planmodifier.String{
 					stringplanmodifier.RequiresReplace(),
 				},

internal/provider/provider_test.go

@@ -8,10 +8,12 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-framework/provider"
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
+	frameworkresource "github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-go/tfprotov6"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/leaseweb/terraform-provider-leaseweb/internal/provider/dedicatedserver"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -80,6 +82,38 @@ func TestLeasewebProvider_Schema(t *testing.T) {
 	)
 }
 
+func TestDedicatedServerCredentialResource_Schema(t *testing.T) {
+	credentialResource := dedicatedserver.NewCredentialResource()
+	schemaResponse := frameworkresource.SchemaResponse{}
+	credentialResource.Schema(
+		context.TODO(),
+		frameworkresource.SchemaRequest{},
+		&schemaResponse,
+	)
+
+	assert.True(
+		t,
+		schemaResponse.Schema.Attributes["password"].IsSensitive(),
+		"password is sensitive",
+	)
+}
+
+func TestDedicatedServerInstallationResource_Schema(t *testing.T) {
+	installationResource := dedicatedserver.NewInstallationResource()
+	schemaResponse := frameworkresource.SchemaResponse{}
+	installationResource.Schema(
+		context.TODO(),
+		frameworkresource.SchemaRequest{},
+		&schemaResponse,
+	)
+
+	assert.True(
+		t,
+		schemaResponse.Schema.Attributes["password"].IsSensitive(),
+		"password is sensitive",
+	)
+}
+
 func TestAccPublicCloudInstancesDataSource(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,