DOC-1928: Document write-only attributes for Terraform provider

[kbatuigas]

Adds guidance for the password_wo / password_wo_version pattern shipped in provider v1.6.0 (PR #303) and updates Schema Registry HCL examples to use the write-only variants.

Description

Resolves https://github.com/redpanda-data/documentation-private/issues/
Review deadline:

Page previews

https://deploy-preview-566--rp-cloud.netlify.app/redpanda-cloud/manage/terraform-provider/

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	5d65743
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/69f28a0fc935e500088597bd
😎 Deploy Preview	https://deploy-preview-566--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c5cfb423-8e16-413b-bbfa-6d3389442933

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Documentation updates to the Terraform provider guide introducing Terraform 1.11+ write-only attributes for sensitive fields. Adds new documentation explaining required provider/CLI versions, the <field>_wo and <field>_wo_version mechanism for update/rotation, and a mapping table of plaintext-to-write-only field conversions. Updates existing Schema Registry management examples across redpanda_user, redpanda_schema, and redpanda_schema_registry_acl resources to replace plaintext password usage with password_wo and password_wo_version, with updated explanatory text directing users to the new write-only guidance and a note about backward compatibility with older Terraform versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: documenting write-only attributes for the Terraform provider, which aligns with the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	PR description is mostly complete with title, objective, and page preview link provided, though the issue number placeholder was not filled and the review deadline is blank.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DOC-1928-write-only-attributes-terraform

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

modules/manage/pages/terraform-provider.adoc (2)

689-735: Consider defining var.schema_password in this example.

Similar to the earlier Schema Registry example, this combined example references var.schema_password in multiple places (lines 696, 719, 720, 733, 734) but does not define the variable. Users copying this example might encounter an undefined variable error.

📝 Suggested improvement: Add variable definition

Add this variable definition at the beginning of the example:

[source,hcl]
----
variable "schema_password" {
  description = "Password for the Schema Registry user"
  sensitive   = true
}

data "redpanda_cluster" "byoc" {
  id = "byoc-cluster-id"
}

Or add a note:

NOTE: This example uses `var.schema_password`. Define it as a sensitive variable as shown in <<manage-sensitive-attributes-with-write-only-fields>>.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/manage/pages/terraform-provider.adoc` around lines 689 - 735, The
example references var.schema_password in redpanda_user.schema_user,
redpanda_schema.user_events, and redpanda_schema_registry_acl.user_events_acl
but never defines it; add a variable declaration for schema_password (sensitive
= true) at the start of the example or add a NOTE instructing users to define
var.schema_password (see manage-sensitive-attributes-with-write-only-fields) so
the HCL snippet is runnable and avoids undefined-variable errors.

---

584-611: Consider defining var.schema_password in this example.

The example references var.schema_password on lines 586, 609, and 610, but the variable is not defined in this code snippet. While the variable definition appears in an earlier standalone example (lines 255-258), users might copy this Schema Registry example in isolation and encounter an undefined variable error.

📝 Suggested improvement: Add variable definition to make example self-contained

Add this variable definition before the data "redpanda_cluster" block:

[source,hcl]
----
variable "schema_password" {
  description = "Password for the Schema Registry user"
  sensitive   = true
}

data "redpanda_cluster" "byoc" {
  id = "byoc-cluster-id"
}

Or add a note referencing the earlier example:

NOTE: This example uses `var.schema_password`, which should be defined as a sensitive variable. See <<manage-sensitive-attributes-with-write-only-fields>> for the variable definition.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/manage/pages/terraform-provider.adoc` around lines 584 - 611, The
example uses var.schema_password in redpanda_user.schema_user and
redpanda_schema.user_events but never defines that variable in this snippet; add
a self-contained variable declaration for schema_password (marked sensitive)
before data.redpanda_cluster.byoc or include a brief NOTE pointing readers to
the earlier variable example
(manage-sensitive-attributes-with-write-only-fields) so copying the schema
registry example alone won't produce an undefined variable error.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@modules/manage/pages/terraform-provider.adoc`:
- Around line 689-735: The example references var.schema_password in
redpanda_user.schema_user, redpanda_schema.user_events, and
redpanda_schema_registry_acl.user_events_acl but never defines it; add a
variable declaration for schema_password (sensitive = true) at the start of the
example or add a NOTE instructing users to define var.schema_password (see
manage-sensitive-attributes-with-write-only-fields) so the HCL snippet is
runnable and avoids undefined-variable errors.
- Around line 584-611: The example uses var.schema_password in
redpanda_user.schema_user and redpanda_schema.user_events but never defines that
variable in this snippet; add a self-contained variable declaration for
schema_password (marked sensitive) before data.redpanda_cluster.byoc or include
a brief NOTE pointing readers to the earlier variable example
(manage-sensitive-attributes-with-write-only-fields) so copying the schema
registry example alone won't produce an undefined variable error.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5de69b57-e200-4103-baba-28243eb4a708

📥 Commits

Reviewing files that changed from the base of the PR and between 160e580 and 0f039f3.

📒 Files selected for processing (1)

• modules/manage/pages/terraform-provider.adoc

[Feediver1]

Suggested change

The Redpanda Terraform provider (v1.6.0+) now supports https://developer.hashicorp.com/terraform/plugin/framework/resources/write-only-arguments[Terraform 1.11+ write-only attributes^] for sensitive fields such as user passwords and pipeline client secrets. Use the new `<field>_wo` and `<field>_wo_version` attributes to keep credentials out of your `.tfstate` file. See xref:manage:terraform-provider.adoc#manage-sensitive-attributes-with-write-only-fields[Manage sensitive attributes with write-only fields].

The Redpanda Terraform provider (v1.6.0+) now supports https://developer.hashicorp.com/terraform/plugin/framework/resources/write-only-arguments[Terraform 1.11+ write-only attributes^] for sensitive fields such as user passwords and pipeline client secrets. Use the new `password_wo` and `password_wo_version` attributes (and equivalents for other sensitive fields) to keep credentials out of your `.tfstate file`. See xref:manage:terraform-provider.adoc#manage-sensitive-attributes-with-write-only-fields[Manage sensitive attributes with write-only fields].

[Feediver1]

From Claude: What's new entry — wording of _wo
The what's new entry uses angle-bracket placeholders in prose (_wo), which works in technical writing but could be confusing to a non-Terraform reader.

[Feediver1]

Suggested change

You can use https://developer.hashicorp.com/terraform/plugin/framework/resources/write-only-arguments[Terraform 1.11+ write-only attributes^] to keep sensitive values out of your Terraform state file. By default, Terraform persists sensitive attributes such as passwords to `.tfstate` after running `terraform apply` or `terraform plan`. This can leak credentials when state is stored in a remote backend or in CI runner artifacts.

You can use https://developer.hashicorp.com/terraform/plugin/framework/resources/write-only-arguments[Terraform 1.11+ write-only attributes^] to keep sensitive values out of your Terraform state file. By default, Terraform persists sensitive attributes such as passwords to `.tfstate` when you run `terraform apply`. When you store state in a remote backend or in CI runner artifacts, this can leak credentials.

[Feediver1]

Terraform plan does not write to .tfstate. Only apply does.

[Feediver1]

Table inconsistency — redpanda_pipeline breaks the <field>_wo pattern
In the Supported attributes table, the redpanda_pipeline row shows client_secret as the write-only attribute (not client_secret_wo), and secret_version instead of client_secret_wo_version. The "How write-only attributes work" section describes the <field>_wo / <field>_wo_version
naming convention as universal. This inconsistency will confuse readers.

[Feediver1]

Either:

• Update the table note to explain redpanda_pipeline uses a different naming scheme, or
  or
• Add a sentence to "How write-only attributes work" noting the exception

[Feediver1]

Suggested change

	The original plaintext attributes (such as `password`) are deprecated but retained for backwards compatibility. You can migrate to the write-only variants on your own schedule.
	The provider retains the original plaintext attributes for backward compatibility. You can migrate to the write-only variants on your own schedule.

[Feediver1]

Set the variable before running Terraform:

[Feediver1]

^^ Add new lead-in to the bash block

[Feediver1]

Suggested change

	Write-only attributes require:
	* Terraform CLI 1.11 or later
	* Redpanda Terraform provider v1.6.0 or later
	Write-only attributes require Terraform CLI 1.11 or later and Redpanda Terraform provider v1.6.0 or later.

[Feediver1]

Review from Claude (I added comments in context):

Summary: Clear, well-structured addition that explains a genuinely new security feature. The main concerns are one likely technical inaccuracy,
   a broken code flow in one section, and a naming inconsistency in the table.                                                                   
                                                                                                                                                 
  ---                                                                                                                                            
  Issues                                                    
        
  1. Technical inaccuracy — terraform plan does not write to state
  terraform-provider.adoc, new section intro:                                                                                                    
                                                                                                                                                 
  ▎ "By default, Terraform persists sensitive attributes such as passwords to .tfstate after running terraform apply or terraform plan."         
                                                                                                                                                 
  terraform plan does not write to .tfstate. Only apply does. Suggest removing or terraform plan, or rewording:                                  
   
  ▎ "By default, Terraform persists sensitive attributes such as passwords to .tfstate when you run terraform apply."                            
                                                            
  ---                                                                                                                                            
  2. Table inconsistency — redpanda_pipeline breaks the <field>_wo pattern
  In the Supported attributes table, the redpanda_pipeline row shows client_secret as the write-only attribute (not client_secret_wo), and       
  secret_version instead of client_secret_wo_version. The "How write-only attributes work" section describes the <field>_wo / <field>_wo_version
  naming convention as universal. This inconsistency will confuse readers. Either:                                                               
  - Update the table note to explain redpanda_pipeline uses a different naming scheme, or
  - Add a sentence to "How write-only attributes work" noting the exception                                                                      
                                                                                                                                                 
  ---                                                                                                                                            
  3. Orphaned code block — missing intro sentence                                                                                                
  In ==== Store credentials securely, the PR deletes "Then, set the value securely using an environment variable before running Terraform:",     
  leaving the bash block hanging after the HCL variable block with no bridging sentence. Readers won't know what the export does or why it
  follows the HCL block.                                                                                                                         
                                                            
  Suggested fix — add back a brief intro before the bash block:                                                                                  
                                                            
  ▎ "Set the variable before running Terraform:"                                                                                                 
   
  ---                                                                                                                                            
  4. "backwards" → "backward"                               
  terraform-provider.adoc, How write-only attributes work section:

  ▎ "retained for backwards compatibility"                                                                                                       
   
  Per Google style (which the Redpanda style guide follows), use "backward compatibility" (adjective, American English).                         
                                                            
  ---                                                                                                                                            
  5. Passive voice — two instances                          
  - "are deprecated but retained for backwards compatibility" → "The provider retains the original plaintext attributes for backward             
  compatibility."                                                                                                                   
  - "when state is stored in a remote backend or in CI runner artifacts" → "when you store state in a remote backend or in CI runner artifacts"  
                                                            
  ---                                                                                                                                            
  Suggestions
                                                                                                                                                 
  a. What's new entry — wording of <field>_wo               
  The what's new entry uses angle-bracket placeholders in prose (<field>_wo), which works in technical writing but could be confusing to a       
  non-Terraform reader. Consider naming the actual attributes instead:                                                                           
                                                                                                                                                 
  ▎ "Use the new password_wo and password_wo_version attributes (and equivalents for other sensitive fields) to keep credentials out of your     
  ▎ .tfstate file."                                         
                                                                                                                                                 
  b. Plan before apply in the bash example                  
  In "Set a write-only attribute," the intro says terraform apply but a typical workflow runs plan first. The code block only shows terraform 
  apply, which is fine — just remove the implicit suggestion that readers would skip plan.                                                       
   
  c. Intro text before the IMPORTANT admonition                                                                                                  
  The == Manage sensitive attributes with write-only fields section opens directly with an [IMPORTANT] callout, but there's a paragraph before it
   that serves as the intro — this is fine. However, the IMPORTANT box lists requirements using a bulleted list; the style guide recommends      
  keeping admonition content concise. Consider one sentence: "Write-only attributes require Terraform CLI 1.11 or later and Redpanda Terraform
  provider v1.6.0 or later."                                                                                                                     
                                                            
  ---
  What's working well
                     
  - Active voice and second person ("you") used consistently throughout
  - Task-based section headings (=== Set a write-only attribute, === Rotate a write-only attribute) are clear and scannable                      
  - Version requirements use "or later" (correct per style guide)                                                                                
  - The _wo_version rotation explanation is particularly clear — the problem statement (Terraform can't detect write-only changes) comes before  
  the solution (increment the version)                                                                                                           
  - xref anchor in what's new matches the actual heading anchor correctly                                                                        
  - Code blocks all have language specifiers (hcl, bash)

[Feediver1]

Left several update suggestions.