docs: update example to use wo attribute for vault_kv_secret_v2 (#2731)

* update example to use wo attribute and include in docs * changelog: use wo for vault kvv2 secret
2026-01-11 19:46:35 +00:00 · 2026-01-07 15:57:52 -05:00 · 2026-01-07 15:57:52 -05:00 · b187d58a04
commit b187d58a04
parent 19053544a3
2 changed files with 19 additions and 20 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,8 @@ IMPROVEMENTS:
 * Updated dependencies:
  * `github.com/hashicorp/go-secure-stdlib/awsutil` v0.3.0 -> v2.1.1
 * Docs: fix heredoc example for LDAP dynamic role LDIFs ([#2728]https://github.com/hashicorp/terraform-provider-vault/pull/2728)
+* Docs: Update example to use write-only attribute ([#2731]https://github.com/hashicorp/terraform-provider-vault/pull/2731)
+

 BUGS:

--- a/website/docs/r/kv_secret_v2.html.md
+++ b/website/docs/r/kv_secret_v2.html.md
@ -24,16 +24,17 @@ resource "vault_mount" "kvv2" {
 }

 resource "vault_kv_secret_v2" "example" {
-  mount                      = vault_mount.kvv2.path
-  name                       = "secret"
-  cas                        = 1
-  delete_all_versions        = true
-  data_json                  = jsonencode(
-  {
-    zip       = "zap",
-    foo       = "bar"
-  }
+  mount               = vault_mount.kvv2.path
+  name                = "secret"
+  cas                 = 1
+  delete_all_versions = true
+  data_json_wo = jsonencode(
+    {
+      zip = "zap",
+      foo = "bar"
+    }
  )
+  data_json_wo_version = 1
  custom_metadata {
    max_versions = 5
    data = {
@ -73,15 +74,18 @@ The following arguments are supported:
 * `delete_all_versions` - (Optional) If set to true, permanently deletes all
  versions for the specified key.

-* `data_json` - (Required) JSON-encoded string that will be
-  written as the secret data at the given path.
+* `data_json` - (Optional) JSON-encoded string that will be
+  written as the secret data at the given path. This is required if `data_json_wo` is not set.
+
+* `data_json_wo` - (Optional) JSON-encoded string that will be
+  written as the secret data at the given path. This is required if `data_json` is not set. **Note**: This property is write-only and will not be read from the API.
+
+* `data_json_wo_version` - (Optional) The version of the `data_json_wo`. For more info see [updating write-only attributes](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/using_write_only_attributes.html#updating-write-only-attributes).

 * `custom_metadata` - (Optional) A nested block that allows configuring metadata for the
  KV secret. Refer to the
  [Configuration Options](#custom-metadata-configuration-options) for more info.

-* `data_json_wo_version` - (Optional) The version of the `data_json_wo`. For more info see [updating write-only attributes](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/using_write_only_attributes.html#updating-write-only-attributes).
-
 ## Required Vault Capabilities

 Use of this resource requires the `create` or `update` capability
@ -101,13 +105,6 @@ and the `read` capability for drift detection (by default).

 * `data` - (Optional) A string to string map describing the secret.

-## Ephemeral Attributes Reference
-
-The following write-only attributes are supported:
-
-* `data_json_wo` - (Optional) JSON-encoded secret data to write to Vault. Can be updated.
-  **Note**: This property is write-only and will not be read from the API.
-
 ## Attributes Reference

 The following attributes are exported in addition to the above: