Related to coder/terraform-provider-coder#194

We should do this. Thanks @michaelbrewer!

I am up for any kind of solution that can be done in the short term:

• ephemeral might be a way to allow for sensitive values to be passed with without being stored, but the end-user will need to re-enter them on restarts.
• hidden type of option to not include in insights
• masked / sensitive to ensure it is never shown logs, insights etc
• secret would be ideal, but will depend on some kind of vault integration.

@michaelbrewer why do you want to use a coder_parameter for this? If its a sensitive and fixed for each user or can be fetched via an API, then a better way to do it is by using a secret management service like vault.

For insights there should at least be a way for coder_parameters to be opted out of the insights "Parameters usage", whether they are secrets or sensitive fields.

Some secrets only an end-user will know. So user level secret management would work, whether we do this via a Hashicorp value or AWS KMS or AWS Secret Manager, would be fine. Yes, the fact the end-user even needs to know a secret is probably not good. But sometimes where is no way round it, and this would be user-scoped secrets, and not service user accounts for deployments.

In some cases, integration could be handled at the provider level (like nexus) or via OpenID Connect level like Git and Artifactory.

Regarding a template:

• terraform variables is not always an option, as these are user scoped creds.
• openid connect is not always available
• coder_parameter do allow user input fields, but can't be hidden, masked or encrypted.
• template parameter that can reference secrets scoped to a user would be great

I have logged and voted for various related issues, but this feature exposes all coder_parameters in a single api call or page.

This is a great request we get pretty frequently. Will be a part of our Magic Parameters effort.