From f577a5483e11a8e10419faddaf4c3679a84110d2 Mon Sep 17 00:00:00 2001
From: Alper Rifat Ulucinar
Date: Mon, 20 May 2024 15:22:50 +0300
Subject: [PATCH] Generate the corresponding Kubernetes secret references for the sensitive Terraform configuration arguments also under the spec.initProvider API tree.
Signed-off-by: Alper Rifat Ulucinar
---
 pkg/resource/sensitive.go | 2 +-
 pkg/types/field.go | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkg/resource/sensitive.go b/pkg/resource/sensitive.go
index 54959e9e..8e21aada 100644
--- a/pkg/resource/sensitive.go
+++ b/pkg/resource/sensitive.go
@@ -127,7 +127,7 @@ func GetSensitiveAttributes(from map[string]any, mapping map[string]string) (map
 // Note(turkenh): k8s secrets uses a strict regex to validate secret
 // keys which does not allow having brackets inside. So, we need to
 // do a conversion to be able to store as connection secret keys.
- // See https://github.com/crossplane/upjet/pull/94 for
+ // See https://github.com/crossplane/terrajet/pull/94 for
 // more details.
 k, err := fieldPathToSecretKey(fp)
 if err != nil {
diff --git a/pkg/types/field.go b/pkg/types/field.go
index b85812be..130cbd4e 100644
--- a/pkg/types/field.go
+++ b/pkg/types/field.go
@@ -50,6 +50,9 @@ type Field struct {
 // Injected is set if this Field is an injected field to the Terraform
 // schema as an object list map key for server-side apply merges.
 Injected bool
+ // Sensitive is set if this Field holds sensitive data and is thus
+ // generated as a secret reference.
+ Sensitive bool
 }
 // getDocString tries to extract the documentation string for the specified
@@ -268,6 +271,7 @@ func NewSensitiveField(g *Builder, cfg *config.Resource, r *resource, sch *schem
 if err != nil {
 return nil, false, err
 }
+ f.Sensitive = true
 if IsObservation(f.Schema) {
 cfg.Sensitive.AddFieldPath(traverser.FieldPathWithWildcard(f.TerraformPaths), "status.atProvider."+traverser.FieldPathWithWildcard(f.CRDPaths))
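Review bot: `f.Sensitive = true` in NewSensitiveField is assigned before the `IsObservation(f.Schema)` branch, so sensitive attributes that are observation-only get the flag too, and the changed `isInit()` (hunk at -415) now returns true for any non-identifier field that carries it. Whether an observation field can ever reach `isInit()` is decided in AddToResource, which this patch does not show, so it is worth confirming that a computed sensitive attribute produces no secret reference under spec.initProvider. If the flag is meant only for configuration arguments, assigning it in the non-observation path would make that explicit. NewSensitiveField's body starts before and continues past the hunk.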
@@ -415,7 +419,7 @@ func (f *Field) AddToResource(g *Builder, r *resource, typeNames *TypeNames, add
 // an earlier step, so they cannot be included as well. Plus probably they
 // should also not change for Create and Update steps.
 func (f *Field) isInit() bool {
- return !f.Identifier && (f.TFTag != "-" || f.Injected)
+ return !f.Identifier && (f.TFTag != "-" || f.Injected || f.Sensitive)
 }
 func getDescription(s string) string {
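Review bot: The comment above `isInit()` gives no rationale for the new `f.Sensitive` term; its visible lines speak only of fields that cannot be included. A line such as `// Sensitive fields are included as well, so that their secret references are also generated under spec.initProvider.` would record the intent next to the condition. The comment block starts outside the hunk, so the wording should be checked against its opening lines. The patch touches only sensitive.go and field.go, so a generator test asserting that a sensitive argument yields a secret reference in the init parameters type would pin the new behaviour.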