Hi everyone! Is it correct that aws.secretsmanager.getSecretVersion returns an object that doesn't mark

secretBinary

and

secretString

as sensitive values? I am using them as input values to my resources managed with a dynamic provider and it seems the input that got the value from

GetSecretVersionResult.secretString

is stored in the state unencrypted. It seems like a bug in the GetSecretVersion datasource.

This is definitely a bug, sorry about that. Can you open an issue in the pulumi-aws repo with a repro?

Done: https://github.com/pulumi/pulumi-aws/issues/1449