IssueTracker

Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.

What you would like to accomplish:
I would like to be able to deploy secret fields with deployment manager without those fields appearing in the deployment manifest.  
For example, creating a user on a CloudSql instance (sqladmin.v1beta4.user) allows setting of a password which currently only supports plain-text format.  It would be nice to be able to deploy this password as a KMS encrypted Base64 encoded string to allow the deployment manager code to be safely stored in source control.

How this might work:

One option is in a similar way to CloudBuild: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials allowing secret metadata variables that will be decrypted at deploy time.

If applicable, reasons why alternative solutions are not sufficient:
There are workarounds (e.g. triggering a cloud build to manage secrets within a deployment, calling a KMS type to decrypt) but these have drawbacks (overhead of builds within a deployment process, visible passwords in deployment manifest)

Other information (workarounds you have tried, documentation consulted, etc):
https://github.com/GoogleCloudPlatform/deploymentmanager-samples/issues/127
https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudkms-v1/kms.jinja