From 32fc29ced923e4623317e2ba80485da4c4127040 Mon Sep 17 00:00:00 2001
From: JM Faircloth <jmfaircloth@hashicorp.com>
Date: Fri, 8 Sep 2023 16:44:24 -0500
Subject: [PATCH 1/2] auth/approle: set sensitive for secret values

---
 vault/resource_approle_auth_backend_login.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vault/resource_approle_auth_backend_login.go b/vault/resource_approle_auth_backend_login.go
index a7fe36284..6a193b07f 100644
--- a/vault/resource_approle_auth_backend_login.go
+++ b/vault/resource_approle_auth_backend_login.go
@@ -36,6 +36,7 @@ func approleAuthBackendLoginResource() *schema.Resource {
 				Optional:    true,
 				Description: "The SecretID to log in with.",
 				ForceNew:    true,
+				Sensitive:   true,
 			},
 			"policies": {
 				Type:     schema.TypeList,
@@ -69,6 +70,7 @@ func approleAuthBackendLoginResource() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Description: "The token.",
+				Sensitive:   true,
 			},
 			consts.FieldMetadata: {
 				Type:        schema.TypeMap,

From 310556f9e872710fd42e1b8f4742d59954c04280 Mon Sep 17 00:00:00 2001
From: JM Faircloth <jmfaircloth@hashicorp.com>
Date: Fri, 8 Sep 2023 16:47:43 -0500
Subject: [PATCH 2/2] add changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66bc2a549..64415e374 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ FEATURES:
 BUGS:
 * Fix duplicate timestamp and incorrect level messages: ([#2031](https://github.com/hashicorp/terraform-provider-vault/pull/2031))
 
+IMPROVEMENTS:
+* Ensure sensitive values are masked in `vault_approle_auth_backend_login` plan output ([#2008](https://github.com/hashicorp/terraform-provider-vault/pull/2008))
+
 ## 3.20.1 (Sep 13, 2023)
 IMPROVEMENTS:
 * Update dependencies ([#1958](https://github.com/hashicorp/terraform-provider-vault/pull/1958))