Open jackyou84 opened 1 year ago
Hi team, could you please have a check?
Is it because the data depends on ibm_database.postgresql[each.key].id, which only gets its result during apply?
@jackyou84 this appears to be an issue with your terraform configuration and the aws_secretsmanager_secret_version resource, not with the ibm_database resource or ibm_database_connection data source.
Terraform CLI and Terraform IBM Provider Version
terraform 1.3.1 IBM-Cloud/ibm 1.43
Affected Resource(s)
Terraform Configuration Files
In my postgres module: pg_module.tf

resource "ibm_database" "postgresql" {
  # any attribute for database creation
}

data "ibm_database_connection" "postgresql_admin_connections" {
  for_each      = local.pg_instances
  endpoint_type = "private"
  deployment_id = ibm_database.postgresql[each.key].id
  user_id       = ibm_database.postgresql[each.key].adminuser
  user_type     = "database"
}

resource "aws_secretsmanager_secret" "postgresql_admin_passwords" {
  for_each                = local.pg_instances
  name                    = ""
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "postgresql_admin_passwords" {
  for_each  = local.pg_instances
  secret_id = aws_secretsmanager_secret.postgresql_admin_passwords[each.key].id
  secret_string = jsonencode({
    password       = random_password.postgresql[each.key].result
    server_ca_cert = data.ibm_database_connection.postgresql_admin_connections[each.key].postgres[0].certificate[0].certificate_base64
  })
}

resource "random_password" "postgresql" {
  for_each = local.pg_instances
  length   = 16
  special  = false
}

run terraform plan
Expected Behavior
Just report the change I make in code, and no other password force-replacement, as I have not changed it.
Actual Behavior
Shows a lot of data resources for each pg instance.
module.stack.data.ibm_database_connection.postgresql_admin_connections[""] will be read during apply
(depends on a resource or a module with changes pending)
<= data "ibm_database_connection" "postgresql_admin_connections" {
... ... ...
module.stack.aws_secretsmanager_secret_version.postgresql_admin_passwords[""] must be replaced
-/+ resource "aws_secretsmanager_secret_version" "postgresql_admin_passwords" {
  ~ arn = "arn:..." -> (known after apply)
  ~ id = "arn..." -> (known after apply)
  (1 unchanged attribute hidden)
}
... ... ...
Steps to Reproduce
Just change code anywhere in the module and run terraform plan. There will be a lot of data resources and force-replacements, and I am sure password and server_ca_cert are not changed before plan. As I know, if a data block includes depends_on, it will be read during apply, but data.ibm_database_connection.postgresql_admin_connections has no depends_on, so it is more confusing.
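
A plan-time check for the two symptoms in this report, as an added example that is not from the issue or from either provider: it reads Terraform's JSON plan (`terraform show -json <planfile>`) and flags secret versions that would be replaced on a value unknown until apply while data sources are deferred to apply. The sample plan is constructed; the key "pg1", the helper names, and secret_string being the attribute that forces replacement are assumptions, since the plan output above elides them.

```python
# Constructed sample, trimmed to the fields used below, in the shape of
# `terraform show -json <planfile>`. The key "pg1" is a placeholder, and
# secret_string as the replacement-forcing attribute is an assumption.
DATA = 'module.stack.data.ibm_database_connection.postgresql_admin_connections["pg1"]'
SECRET = 'module.stack.aws_secretsmanager_secret_version.postgresql_admin_passwords["pg1"]'
SAMPLE_PLAN = {"resource_changes": [
    {"address": DATA, "mode": "data", "type": "ibm_database_connection",
     "action_reason": "read_because_dependency_pending",
     "change": {"actions": ["read"], "after_unknown": {"postgres": True}}},
    {"address": SECRET, "mode": "managed",
     "type": "aws_secretsmanager_secret_version",
     "change": {"actions": ["delete", "create"],
                "after_unknown": {"secret_string": True, "arn": True, "id": True},
                "replace_paths": [["secret_string"]]}},
    {"address": 'module.stack.random_password.postgresql["pg1"]',
     "mode": "managed", "type": "random_password",
     "change": {"actions": ["no-op"], "after_unknown": {}}},
]}

SECRET_TYPES = {"aws_secretsmanager_secret_version"}


def deferred_data_reads(plan):
    """Map each data source deferred to apply time to Terraform's stated reason."""
    return {rc["address"]: rc.get("action_reason", "unspecified")
            for rc in plan.get("resource_changes", [])
            if rc.get("mode") == "data" and "read" in rc["change"]["actions"]}


def replaced_secrets(plan):
    """Map each secret version planned for replacement to the forcing
    attributes whose new value is unknown until apply."""
    found = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc.get("type") not in SECRET_TYPES:
            continue
        if not {"delete", "create"} <= set(change["actions"]):
            continue
        unknown = change.get("after_unknown", {})
        forcing = {path[0] for path in change.get("replace_paths", []) if path}
        found[rc["address"]] = sorted(a for a in forcing if unknown.get(a) is True)
    return found


def should_block(plan):
    """True when a secret version is replaced on an unknown input while
    data source reads are deferred to apply."""
    return bool(deferred_data_reads(plan)) and any(replaced_secrets(plan).values())
```

Run against a real plan by loading the JSON with `json.load` and failing the pipeline when `should_block` returns True, so an unintended secret replacement is caught before apply.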