Mark some fields as secret (#790)

Fixes #773.

Author: blampe

provider/cmd/pulumi-resource-command/schema.json

@@ -88,7 +88,8 @@
         },
         "password": {
           "type": "string",
-          "description": "The password we should use for the connection."
+          "description": "The password we should use for the connection.",
+          "secret": true
         },
         "perDialTimeout": {
           "type": "integer",
@@ -102,11 +103,13 @@
         },
         "privateKey": {
           "type": "string",
-          "description": "The contents of an SSH key to use for the connection. This takes preference over the password if provided."
+          "description": "The contents of an SSH key to use for the connection. This takes preference over the password if provided.",
+          "secret": true
         },
         "privateKeyPassword": {
           "type": "string",
-          "description": "The password to use in case the private key is encrypted."
+          "description": "The password to use in case the private key is encrypted.",
+          "secret": true
         },
         "proxy": {
           "$ref": "#/types/command:remote:ProxyConnection",
@@ -162,7 +165,8 @@
         },
         "password": {
           "type": "string",
-          "description": "The password we should use for the connection to the bastion host."
+          "description": "The password we should use for the connection to the bastion host.",
+          "secret": true
         },
         "perDialTimeout": {
           "type": "integer",
@@ -176,11 +180,13 @@
         },
         "privateKey": {
           "type": "string",
-          "description": "The contents of an SSH key to use for the connection. This takes preference over the password if provided."
+          "description": "The contents of an SSH key to use for the connection. This takes preference over the password if provided.",
+          "secret": true
         },
         "privateKeyPassword": {
           "type": "string",
-          "description": "The password to use in case the private key is encrypted."
+          "description": "The password to use in case the private key is encrypted.",
+          "secret": true
         },
         "user": {
           "type": "string",

provider/pkg/provider/remote/connection.go

@@ -44,11 +44,11 @@ type Connection struct {
 
 type connectionBase struct {
 	User               *string  `pulumi:"user,optional"`
-	Password           *string  `pulumi:"password,optional"`
+	Password           *string  `pulumi:"password,optional" provider:"secret"`
 	Host               *string  `pulumi:"host"`
 	Port               *float64 `pulumi:"port,optional"`
-	PrivateKey         *string  `pulumi:"privateKey,optional"`
-	PrivateKeyPassword *string  `pulumi:"privateKeyPassword,optional"`
+	PrivateKey         *string  `pulumi:"privateKey,optional" provider:"secret"`
+	PrivateKeyPassword *string  `pulumi:"privateKeyPassword,optional" provider:"secret"`
 	AgentSocketPath    *string  `pulumi:"agentSocketPath,optional"`
 	DialErrorLimit     *int     `pulumi:"dialErrorLimit,optional"`
 	PerDialTimeout     *int     `pulumi:"perDialTimeout,optional"`

sdk/dotnet/Remote/Inputs/ConnectionArgs.cs

@@ -33,11 +33,21 @@ public sealed class ConnectionArgs : global::Pulumi.ResourceArgs
         [Input("host", required: true)]
         public Input<string> Host { get; set; } = null!;
 
+        [Input("password")]
+        private Input<string>? _password;
+
         /// <summary>
         /// The password we should use for the connection.
         /// </summary>
-        [Input("password")]
-        public Input<string>? Password { get; set; }
+        public Input<string>? Password
+        {
+            get => _password;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _password = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
 
         /// <summary>
         /// Max number of seconds for each dial attempt. 0 implies no maximum. Default value is 15 seconds.
@@ -51,17 +61,37 @@ public sealed class ConnectionArgs : global::Pulumi.ResourceArgs
         [Input("port")]
         public Input<double>? Port { get; set; }
 
+        [Input("privateKey")]
+        private Input<string>? _privateKey;
+
         /// <summary>
         /// The contents of an SSH key to use for the connection. This takes preference over the password if provided.
         /// </summary>
-        [Input("privateKey")]
-        public Input<string>? PrivateKey { get; set; }
+        public Input<string>? PrivateKey
+        {
+            get => _privateKey;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _privateKey = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
+
+        [Input("privateKeyPassword")]
+        private Input<string>? _privateKeyPassword;
 
         /// <summary>
         /// The password to use in case the private key is encrypted.
         /// </summary>
-        [Input("privateKeyPassword")]
-        public Input<string>? PrivateKeyPassword { get; set; }
+        public Input<string>? PrivateKeyPassword
+        {
+            get => _privateKeyPassword;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _privateKeyPassword = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
 
         /// <summary>
         /// The connection settings for the bastion/proxy host.

sdk/dotnet/Remote/Inputs/ProxyConnectionArgs.cs

@@ -33,11 +33,21 @@ public sealed class ProxyConnectionArgs : global::Pulumi.ResourceArgs
         [Input("host", required: true)]
         public Input<string> Host { get; set; } = null!;
 
+        [Input("password")]
+        private Input<string>? _password;
+
         /// <summary>
         /// The password we should use for the connection to the bastion host.
         /// </summary>
-        [Input("password")]
-        public Input<string>? Password { get; set; }
+        public Input<string>? Password
+        {
+            get => _password;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _password = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
 
         /// <summary>
         /// Max number of seconds for each dial attempt. 0 implies no maximum. Default value is 15 seconds.
@@ -51,17 +61,37 @@ public sealed class ProxyConnectionArgs : global::Pulumi.ResourceArgs
         [Input("port")]
         public Input<double>? Port { get; set; }
 
+        [Input("privateKey")]
+        private Input<string>? _privateKey;
+
         /// <summary>
         /// The contents of an SSH key to use for the connection. This takes preference over the password if provided.
         /// </summary>
-        [Input("privateKey")]
-        public Input<string>? PrivateKey { get; set; }
+        public Input<string>? PrivateKey
+        {
+            get => _privateKey;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _privateKey = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
+
+        [Input("privateKeyPassword")]
+        private Input<string>? _privateKeyPassword;
 
         /// <summary>
         /// The password to use in case the private key is encrypted.
         /// </summary>
-        [Input("privateKeyPassword")]
-        public Input<string>? PrivateKeyPassword { get; set; }
+        public Input<string>? PrivateKeyPassword
+        {
+            get => _privateKeyPassword;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _privateKeyPassword = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
 
         /// <summary>
         /// The user that we should use for the connection to the bastion host.