IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_database_connection data resource cause aws_secretsmanager_secret_version force-replacement during plan phase #4070

Open jackyou84 opened 1 year ago

jackyou84 commented 1 year ago

Terraform CLI and Terraform IBM Provider Version

terraform 1.3.1 IBM-Cloud/ibm 1.43

Affected Resource(s)

Terraform Configuration Files

In my postgres module: pg_module.tf

```hcl
resource "ibm_database" "postgresql" {
  # any attribute for database creation
}

data "ibm_database_connection" "postgresql_admin_connections" {
  for_each      = local.pg_instances
  endpoint_type = "private"
  deployment_id = ibm_database.postgresql[each.key].id
  user_id       = ibm_database.postgresql[each.key].adminuser
  user_type     = "database"
}

resource "aws_secretsmanager_secret" "postgresql_admin_passwords" {
  for_each                = local.pg_instances
  name                    = ""
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "postgresql_admin_passwords" {
  for_each  = local.pg_instances
  secret_id = aws_secretsmanager_secret.postgresql_admin_passwords[each.key].id
  secret_string = jsonencode({
    password       = random_password.postgresql[each.key].result
    server_ca_cert = data.ibm_database_connection.postgresql_admin_connections[each.key].postgres[0].certificate[0].certificate_base64
  })
}

resource "random_password" "postgresql" {
  for_each = local.pg_instances
  length   = 16
  special  = false
}
```

run terraform plan

Expected Behavior

Just report the changes I make in code, and no other password force-replacement, as I have not changed it.

Actual Behavior

Shows a lot of data resources for each pg instance.

```
module.stack.data.ibm_database_connection.postgresql_admin_connections[""] will be read during apply
(depends on a resource or a module with changes pending)

<= data "ibm_database_connection" "postgresql_admin_connections" {
... ... ...

module.stack.aws_secretsmanager_secret_version.postgresql_admin_passwords[""] must be replaced

-/+ resource "aws_secretsmanager_secret_version" "postgresql_admin_passwords" {
  ~ arn = "arn:..." -> (known after apply)
  ~ id = "arn..." -> (known after apply)
```

Steps to Reproduce

Just change code anywhere in the module and run terraform plan. There will be a lot of data resources and force-replacements, and I am sure password and server_ca_cert have not changed before the plan. As far as I know, if a data block includes depends_on, it will be read during apply, but data.ibm_database_connection.postgresql_admin_connections has no depends_on, so it is more confusing.

jackyou84 commented 1 year ago

Hi team, could you please have a check?
Is it because the data source depends on ibm_database.postgresql[each.key].id, which only gets its result during apply?

alexhemard commented 1 year ago

@jackyou84 this appears to be an issue with your terraform configuration and the aws_secretsmanager_secret_version resource, not with the ibm_database resource or ibm_database_connection data source.
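
A check for the plan behaviour reported in this thread, added here as an example (it is not part of the issue and not code from the provider project): it reads the JSON form of a plan and lists data sources whose read is deferred to apply, plus secret versions whose replacement is forced by a value that is unknown at plan time. The sample plan is constructed, and treating `secret_string` as the replacement-forcing attribute is an assumption.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output, trimmed
# to the fields used below. The "pg-a"/"pg-b" keys are made up, and naming
# secret_string in replace_paths is an assumption (the issue's plan output is cut off).
DATA = 'module.stack.data.ibm_database_connection.postgresql_admin_connections["pg-a"]'
SECRET = 'module.stack.aws_secretsmanager_secret_version.postgresql_admin_passwords["%s"]'
SAMPLE_PLAN = {"resource_changes": [
    {"address": DATA, "mode": "data", "type": "ibm_database_connection",
     "change": {"actions": ["read"], "after_unknown": {"postgres": True}}},
    {"address": SECRET % "pg-a", "mode": "managed",
     "type": "aws_secretsmanager_secret_version",
     "change": {"actions": ["delete", "create"],
                "after_unknown": {"arn": True, "id": True, "secret_string": True},
                "replace_paths": [["secret_string"]]}},
    {"address": SECRET % "pg-b", "mode": "managed",
     "type": "aws_secretsmanager_secret_version",
     "change": {"actions": ["no-op"], "after_unknown": {}}},
]}


def deferred_data_reads(plan):
    """Addresses of data sources whose read is postponed to apply ('<=' in the plan)."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("mode") == "data" and rc["change"]["actions"] == ["read"]]


def unknown_driven_replacements(plan, resource_type):
    """Map address -> replacement-forcing attributes that are unknown at plan time."""
    hits = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc.get("type") != resource_type:
            continue
        if set(change["actions"]) != {"delete", "create"}:
            continue  # not a replacement (-/+ or +/-)
        unknown = change.get("after_unknown", {})
        attrs = [path[0] for path in change.get("replace_paths", [])
                 if path and unknown.get(path[0]) is True]
        if attrs:
            hits[rc["address"]] = attrs
    return hits


if __name__ == "__main__":
    print("deferred data reads:", deferred_data_reads(SAMPLE_PLAN))
    print("replacements driven by unknown values:",
          unknown_driven_replacements(SAMPLE_PLAN, "aws_secretsmanager_secret_version"))
```

Against a real plan, load the output of `terraform show -json` with `json.load` and pass it in place of `SAMPLE_PLAN`.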