Mark tokens as sensitive in data sources

blink-so[bot] · matifali · blink-so[bot] · commit 367ebca1659e · 2025-06-27T14:14:35.000Z
Mark the following attributes as sensitive to prevent them from being logged or displayed in Terraform output: - data.coder_workspace_owner.me.oidc_access_token - data.coder_workspace_owner.me.session_token - data.coder_external_auth.example.access_token This follows the same pattern as ssh_private_key and agent token which are already marked as sensitive. Fixes #266 Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
diff --git a/provider/externalauth.go b/provider/externalauth.go
@@ -37,6 +37,7 @@ func externalAuthDataSource() *schema.Resource {
 				Type:        schema.TypeString,
 				Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
 				Computed:    true,
+				Sensitive:   true,
 			},
 			"optional": {
 				Type:        schema.TypeBool,
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
@@ -113,13 +113,15 @@ func workspaceOwnerDataSource() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
+				Sensitive:   true,
 			},
 			"oidc_access_token": {
 				Type:     schema.TypeString,
 				Computed: true,
 				Description: "A valid OpenID Connect access token of the workspace owner. " +
 					"This is only available if the workspace owner authenticated with OpenID Connect. " +
 					"If a valid token cannot be obtained, this value will be an empty string.",
+				Sensitive: true,
 			},
 			"login_type": {
 				Type:        schema.TypeString,
