Add write-only arguments for sensitive datadog_integration_* attributes #2991

Open
chris-pinola-rf opened this issue Apr 28, 2025 · 0 comments

What resources or data sources are affected?

  • datadog_integration_azure (client_secret)
  • datadog_integration_cloudflare_account (api_key)
  • datadog_integration_confluent_account (api_secret)
  • datadog_integration_fastly_account (api_key)
  • datadog_integration_gcp (private_key)
  • datadog_integration_opsgenie_service_object (opsgenie_api_key)
  • datadog_integration_pagerduty (api_token)

Feature Request

Terraform v1.11 introduced write-only arguments which support ephemeral values. Ephemeral values are a great way to keep sensitive values out of Terraform state files. Adding a write-only argument to the datadog_integration_* resources would be very helpful for the various API keys/tokens/secrets involved in provisioning Datadog integrations. This would help to prevent leaking those secrets in Terraform state files.

My intended use case is to eventually be able to fetch a secret from an instance of Azure KeyVault via the ephemeral key_vault_secret resource and pass it to a write-only argument on the datadog_integration_cloudflare_account resource to define the API token.

References

#2916 is about exposing Datadog-originated secrets via ephemeral resources, whereas this request is about enabling the Datadog Terraform provider to receive ephemeral resources from other providers.
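
To see which of the attributes listed in this issue are currently persisted in a state file, the check below is an added example (not code from the issue author or the Datadog provider). It assumes the version 4 JSON state layout, such as the output of `terraform state pull`; the sample state and all values in it are constructed.

```python
import json

# Resource type -> sensitive attribute, taken from the list in the issue above.
SENSITIVE = {
    "datadog_integration_azure": "client_secret",
    "datadog_integration_cloudflare_account": "api_key",
    "datadog_integration_confluent_account": "api_secret",
    "datadog_integration_fastly_account": "api_key",
    "datadog_integration_gcp": "private_key",
    "datadog_integration_opsgenie_service_object": "opsgenie_api_key",
    "datadog_integration_pagerduty": "api_token",
}

def find_secrets_in_state(state: dict) -> list[str]:
    """Return addresses of listed attributes holding a non-empty value in state."""
    hits = []
    for res in state.get("resources", []):
        attr = SENSITIVE.get(res.get("type"))
        if attr is None or res.get("mode") != "managed":
            continue
        prefix = f'{res["module"]}.' if res.get("module") else ""
        for inst in res.get("instances", []):
            value = (inst.get("attributes") or {}).get(attr)
            if value:  # null or empty means nothing was persisted for this attribute
                key = inst.get("index_key")
                idx = "" if key is None else f"[{json.dumps(key)}]"
                hits.append(f'{prefix}{res["type"]}.{res["name"]}{idx}.{attr}')
    return hits  # addresses only; the secret values are never returned or printed

# Constructed sample state (not from a real deployment).
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "datadog_integration_cloudflare_account",
         "name": "cf", "instances": [{"attributes": {"api_key": "constructed-value"}}]},
        {"module": "module.monitoring", "mode": "managed",
         "type": "datadog_integration_pagerduty", "name": "pd",
         "instances": [{"index_key": 0, "attributes": {"api_token": "constructed-value"}}]},
        {"mode": "managed", "type": "datadog_integration_fastly_account",
         "name": "f", "instances": [{"attributes": {"api_key": None}}]},
        {"mode": "managed", "type": "datadog_monitor",
         "name": "m", "instances": [{"attributes": {"name": "cpu"}}]},
    ],
}

if __name__ == "__main__":
    for address in find_secrets_in_state(SAMPLE_STATE):
        print("secret stored in state:", address)
```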
