Related Slack discussion: https://pulumi-community.slack.com/archives/CRH5ENVDX/p1618397713307500
It seems that the aws.secretsmanager.getSecretVersion data source doesn't mark secretString and secretBinary as sensitive attributes, so they get stored in the state in plaintext rather than encrypted with the stack encryption provider.
Also, if one of these attributes is exposed as a stack output or as input to another resource, it is also stored in plaintext in the stack output or the other resource's input data in the state.
```typescript
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

const config = new pulumi.Config();

const secretVersion = aws.secretsmanager.getSecretVersion({
    secretId: config.require("secretArn"),
});

// Exposed as a stack output
export const secretString = secretVersion.then(secretVersion => secretVersion.secretString);
```
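One way to check a stack for the exposure described above, as an added example that is not part of the original report or Pulumi's own code: it walks a `pulumi stack export` document and flags `secretString`/`secretBinary` values stored as plain strings instead of encrypted secret envelopes. The envelope marker constants and the `deployment.resources[].inputs/outputs` layout are assumptions based on Pulumi's checkpoint format, and the sample export is constructed.

```typescript
// Marker Pulumi puts on an encrypted secret value in a stack export
// (assumption based on Pulumi's checkpoint format, not stated in the report).
const SIG_KEY = "4dabf18193072939515e22adb298388d";
const SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270";

interface Finding { urn: string; path: string; }

function isSecretEnvelope(v: unknown): boolean {
  return typeof v === "object" && v !== null &&
    (v as Record<string, unknown>)[SIG_KEY] === SECRET_SIG;
}

// Recursively walk a property bag; record watched keys that hold a plain string.
function walk(v: unknown, path: string, urn: string, watched: string[], out: Finding[]): void {
  if (typeof v !== "object" || v === null || isSecretEnvelope(v)) return;
  const obj = v as Record<string, unknown>;
  for (const k of Object.keys(obj)) {
    const child = obj[k];
    const p = `${path}.${k}`;
    if (watched.indexOf(k) !== -1 && typeof child === "string" && child.length > 0) {
      out.push({ urn, path: p });
    } else {
      walk(child, p, urn, watched, out);
    }
  }
}

function findPlaintextSecrets(exported: any, watched: string[] = ["secretString", "secretBinary"]): Finding[] {
  const out: Finding[] = [];
  for (const res of exported?.deployment?.resources ?? []) {
    walk(res.inputs, "inputs", res.urn, watched, out);
    walk(res.outputs, "outputs", res.urn, watched, out);
  }
  return out;
}

// Constructed sample shaped like `pulumi stack export` output.
const sampleExport = {
  version: 3,
  deployment: { resources: [{
    urn: "urn:pulumi:dev::demo::pulumi:pulumi:Stack::demo-dev",
    type: "pulumi:pulumi:Stack",
    outputs: {
      secretString: "constructed-plaintext-value", // plain string: flagged
      wrapped: { secretString: { [SIG_KEY]: SECRET_SIG, ciphertext: "constructed" } }, // encrypted: ignored
    },
  }] },
};

console.log(findPlaintextSecrets(sampleExport));
```

The check matches on property names only, so pass the names of any stack outputs or resource inputs that receive the secret under a different key as the second argument.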