diff --git a/lib/puppet/type/ironic_neutron_agent_config.rb b/lib/puppet/type/ironic_neutron_agent_config.rb
index f9fe1a5cf..b24a53bd4 100644
--- a/lib/puppet/type/ironic_neutron_agent_config.rb
+++ b/lib/puppet/type/ironic_neutron_agent_config.rb
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:ironic_neutron_agent_config) do
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
   newparam(:ensure_absent_val) do
diff --git a/manifests/agents/ml2/networking_baremetal.pp b/manifests/agents/ml2/networking_baremetal.pp
index 7a66bf4fc..08981ae39 100644
--- a/manifests/agents/ml2/networking_baremetal.pp
+++ b/manifests/agents/ml2/networking_baremetal.pp
@@ -148,7 +148,7 @@ class neutron::agents::ml2::networking_baremetal (
     'ironic/auth_type':           value => $auth_type;
     'ironic/auth_url':            value => $auth_url;
     'ironic/username':            value => $username;
-    'ironic/password':            value => $password;
+    'ironic/password':            value => $password, secret => true;
     'ironic/project_domain_name': value => $project_domain_name;
     'ironic/project_name':        value => $project_name;
     'ironic/user_domain_name':    value => $user_domain_name;
diff --git a/manifests/designate.pp b/manifests/designate.pp
index 8e62b29c6..6c77536f9 100644
--- a/manifests/designate.pp
+++ b/manifests/designate.pp
@@ -73,7 +73,7 @@ class neutron::designate (
 
   neutron_config {
     'DEFAULT/external_dns_driver':         value => 'designate';
-    'designate/password':                  value => $password;
+    'designate/password':                  value => $password, secret => true;
     'designate/url':                       value => $url;
     'designate/auth_type':                 value => $auth_type;
     'designate/username':                  value => $username;
diff --git a/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb b/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb
index 0438bda17..1393bc5dd 100644
--- a/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb
+++ b/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb
@@ -44,7 +44,7 @@ describe 'neutron::agents::ml2::networking_baremetal' do
       should contain_ironic_neutron_agent_config('ironic/auth_type').with_value(p[:auth_type])
       should contain_ironic_neutron_agent_config('ironic/auth_url').with_value(p[:auth_url])
       should contain_ironic_neutron_agent_config('ironic/username').with_value(p[:username])
-      should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password])
+      should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password]).with_secret(true)
       should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value(p[:project_domain_name])
       should contain_ironic_neutron_agent_config('ironic/project_name').with_value(p[:project_name])
       should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name])
diff --git a/spec/classes/neutron_designate_spec.rb b/spec/classes/neutron_designate_spec.rb
index 9e726720a..8c1bcdb7d 100644
--- a/spec/classes/neutron_designate_spec.rb
+++ b/spec/classes/neutron_designate_spec.rb
@@ -15,7 +15,7 @@ describe 'neutron::designate' do
       it 'configures designate in neutron.conf' do
         should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
         should contain_neutron_config('designate/url').with_value('http://ip/designate')
-        should contain_neutron_config('designate/password').with_value('secret')
+        should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
         should contain_neutron_config('designate/username').with_value('neutron')
         should contain_neutron_config('designate/auth_type').with_value('password')
         should contain_neutron_config('designate/project_name').with_value('services')
@@ -42,7 +42,7 @@ describe 'neutron::designate' do
       it 'configures designate in neutron.conf' do
         should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
         should contain_neutron_config('designate/url').with_value('http://ip/designate')
-        should contain_neutron_config('designate/password').with_value('secret')
+        should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
         should contain_neutron_config('designate/username').with_value('user')
         should contain_neutron_config('designate/auth_type').with_value('token')
         should contain_neutron_config('designate/project_id').with_value('id1')