make password file resource sensitive

recipes/sasl_auth.rb

@@ -49,6 +49,7 @@ execute 'postmap-sasl_passwd' do
 end
 
 template node['postfix']['sasl_password_file'] do
+  sensitive true
   source 'sasl_passwd.erb'
   owner 'root'
   group node['root_group']

spec/sasl_auth_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe 'postfix::sasl_auth' do
+  let(:password_file) { '/etc/postfix/sasl_passwd' }
+
+  let(:chef_run) do
+    ChefSpec::Runner.new do |node|
+      node.default['postfix']['sasl_password_file'] = password_file
+    end.converge(described_recipe)
+  end
+
+  describe 'password file template' do
+    it 'does not display sensitive information' do
+      expect(chef_run).to create_template(password_file).with(sensitive: true)
+    end
+  end
+end