terraform-provider-commercetools

Subscription Resource Stores Access Key Unencrypted in State

Open RaniSputnik opened this issue 6 years ago • 1 comments

The subscription resource type requires a parameter access_secret which is stored in the state file in plaintext. While the state file can be encrypted, Terraform's own iam_access_key resource suggests supplying a PGP key that can be used to additionally encrypt the secret before storing it in state.

Terraform's management of secrets in state does seem to cause a fair bit of debate - and it has been proposed that some encrypt / decrypt interpolation functions should be added to Terraform core https://github.com/hashicorp/terraform/issues/15434.

I'm not sure if maybe there is a middle-ground position that we could take in the meantime? Perhaps adding another optional parameter access_secret_encrypted?

RaniSputnik Jul 22 '19 12:07

Yes, this seems like it's a good idea! The implementation is actually relatively straightforward: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_iam_access_key.go#L88

I'm not sure when we would be able to add this (but of course contributions are also welcomed ;) ).

davidweterings Jul 22 '19 12:07
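To check whether a given state file is affected by what this issue describes, the following Go program reports every place where a non-empty access_secret is readable in a Terraform state. It is an added example, not code from this thread or from the provider; it assumes the JSON layout of state format version 4 and the resource type name commercetools_subscription, and the names walk and PlaintextSecrets are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed Terraform state (format version 4, assumed layout); every value is a placeholder.
const sampleState = `{"version": 4, "resources": [{"type": "commercetools_subscription", "name": "orders",
 "instances": [{"attributes": {"destination": [{"type": "SQS", "access_key": "EXAMPLE-ID", "access_secret": "EXAMPLE-SECRET"}]}}]},
 {"type": "commercetools_subscription", "name": "unset", "instances": [{"attributes": {"destination": []}}]}]}`

type state struct {
	Resources []struct {
		Type, Name string
		Instances  []struct{ Attributes map[string]interface{} }
	}
}

// walk records the path of every non-empty string stored under key,
// descending through nested blocks and lists of blocks.
func walk(v interface{}, path, key string, hits *[]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if s, ok := child.(string); ok && k == key && s != "" {
				*hits = append(*hits, path+"."+k)
			}
			walk(child, path+"."+k, key, hits)
		}
	case []interface{}:
		for i, child := range t {
			walk(child, fmt.Sprintf("%s[%d]", path, i), key, hits)
		}
	}
}

// PlaintextSecrets lists the state paths where access_secret is stored readable.
func PlaintextSecrets(raw []byte) (hits []string, err error) {
	var st state
	if err = json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	for _, r := range st.Resources {
		for i, inst := range r.Instances {
			walk(inst.Attributes, fmt.Sprintf("%s.%s[%d]", r.Type, r.Name, i), "access_secret", &hits)
		}
	}
	return hits, nil
}
func main() { fmt.Println(PlaintextSecrets([]byte(sampleState))) }
```

The output names the location only and never prints the secret value, so the result can be pasted into a ticket or CI log.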