No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi there!

I am observing something really odd for a Pulumi provider based on <https://github.com/pulumi/pulumi-go-provider>

We have some somewhat deeply nested resource, That looks somewhat like this (excuse the not so formal scheme):

```{
  orgID: "UUID",
  shards: [
    {
      "ca_service" : {
        "vault": {
          "credentials": {
            "role_id": "UUID",
            "secret_id_ref": "UUID",  &lt;- not secret according to the provider schema
          }
        }
      }
    },
  ]
}```
Now, in the resources that we create with pulumi, we use the output of a resource that contains secrets as the input in  `shards[].ca_service.vault.credentials.secret_id_ref`. (However, the field that we access is not marked as secret in the schema)

In our schema, the secret_id_ref is *not* marked as secret, however, in the stack, it always appears as secret.
This has some strange side-effects. If there is more than one shard, we always see a diff on the `shards` field because it is marked as secret.
If there is only one shard, we do not see this diff.

Now, here is my question. Is there a way to figure out why Pulumi recognizes secret_id_ref as secret?
Could it be, because of the field name?