Creating secure note object fails due to required password field

[dannysauer]

Your environment

Terraform Provider Version: v2.0.0

Connect Server Version: 1.7.2

CLI Version: 2.30.0

OS: Pop!_OS 22.04 LTS

Terraform Version:

Terraform v1.9.4
on linux_amd64
+ provider registry.terraform.io/1password/onepassword v2.0.0
+ provider registry.terraform.io/barnabyshearer/dockerhub v0.0.15
+ provider registry.terraform.io/hashicorp/google v5.40.0

What happened?

Attempting to create a secure note generated this error message:

│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for
│ onepassword_item.devtokens.password. All values must be known after apply, so
│ this is always a bug in the provider and should be reported in the provider's
│ own repository. Terraform will still save the other known object values in
│ the state.

Then when I added a password field, I got a second error:

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to onepassword_item.devtokens, provider
│ "provider[\"registry.terraform.io/1password/onepassword\"]" produced an
│ unexpected new value: .section[0].field[0].type: was cty.StringVal("string"),
│ but now cty.StringVal("STRING").
│ 
│ This is a bug in the provider, which should be reported in the provider's own
│ issue tracker.

What did you expect to happen?

I expected a secure note to be created without a password field, and I expected the provider to either internally translate the case of the type or to use an enum to validate acceptable type values.

I also sort of expected the "required" password field to appear in the created item, but there is no password field after it's created. I'm ok with that, though. ;)

Steps to reproduce

1. Try to create a secure_note item without a password field
2. Observe error
3. Add a placeholder password field
4. Observe that "type = string" in the field is a new error
5. upper-case the type to STRING
6. Observe that the created resource does not have a password field even though the provider insists that field is required

resource "onepassword_item" "devtokens" {
  vault = var.op_automation_vault

  title    = "developer tokens"
  category = "secure_note"
  section {
    label = "dev_tokens"
    field {
      label = "a field"
      type  = "string"
      value = "a value"
    }
  }
}

Notes & Logs

I suppose this is technically two separate bugs.

[edif2008]

Hey @dannysauer! 👋🏻

What you might be experiencing when it comes to the provider saying the password being required is the bug at #173. This has been solved in the version 2.1.0, which is also the latest version of the provider.

As for the second element that you've identified, that is indeed a bug. A quick mitigation for it is, as you've mentioned, changing the type to STRING. Thank you for catching this. 😄

[dannysauer]

Oh, that's awesome! Sounds like I have a bug in the Renovate config which is supposed to be updating the 1password provider in my Terraform. :D

[dannysauer]

Confirmed that deleting the item and recreating without a password field works for me with the new provider. Though, I ran into #97 in the process, so had to delete the item from the state before recreating. ;)

Thanks, @edif2008. Should I open a new bug for the case sensitivity thing, or retitle this one?

[edif2008]

To keep it clean and clear, I would recommend opening a new issue, since this one started off as not being able to create a Secure Note item without a password and in the process the additional bug was found.

Once you make that new issue, I will close this one.

Thank you again for your great cooperation and providing valuable feedback to further improve the Terraform provider. 😄