SAP / terraform-provider-btp

Terraform provider for SAP BTP
https://registry.terraform.io/providers/SAP/btp/latest
Apache License 2.0
89 stars 18 forks source link

[BUG]refresh of btp_subaccount_api_credential resource during planning phase resets the secret to null. #949

Closed ptesny closed 1 week ago

ptesny commented 1 week ago

Is there an existing issue for this?

What version of the Terraform provider are you using?

1.8.0

What version of the Terraform CLI are you using?

1.9.3

What type of issue are you facing

bug report

Describe the bug

After an initial and successful creation of a btp_subaccount_api_credential resource the subsequent planning operation reset the value of the api_credential secret to null. This makes tf choke if the secret is used to compute the access token.

This is an unexpected behaviour and reported as such in the tf trace log

Expected Behavior

One should be able to create a single instance of the btp_subaccount_api_credential resource and be able to run the same tf configuration multiple times

Steps To Reproduce

Full GHA trace log https://github.com/quovadis-btp/btp-boosters/actions/runs/11756380729/job/32752461363

User's Role Collections

No response

Add screenshots to help explain your problem


2024-11-09T12:50:24.963Z [WARN]  Provider "registry.terraform.io/sap/btp" produced an unexpected new value for module.custom_idp.btp_subaccount_api_credential.quovadis-haa during refresh.
      - .client_secret: was cty.StringVal("btp-bootstrap-quovadis-***$CIJqSpsC8ujOSw8W8tjHk4LKk_miMvTEAt9Bwy4ZHiM="), but now null
      - .certificate_received: was null, but now cty.StringVal("")
2024-11-09T12:50:24.972Z [DEBUG] ReferenceTransformer: "module.custom_idp.data.http.api-credential-token" references: []
Error: -09T12:50:24.972Z [ERROR] vertex "module.custom_idp.data.http.api-credential-token" error: Invalid template interpolation value
Error: -09T12:50:24.972Z [ERROR] vertex "module.custom_idp.data.http.api-credential-token (expand)" error: Invalid template interpolation value

and then further on...

2024-11-09T12:50:39.418Z [WARN]  Planning encountered errors, so plan is not applyable

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.custom_idp.btp_subaccount_api_credential.quovadis-haa has changed
  ~ resource "btp_subaccount_api_credential" "quovadis-haa" {
      - client_secret        = "btp-bootstrap-quovadis-***$CIJqSpsC8ujOSw8W8tjHk4LKk_miMvTEAt9Bwy4ZHiM=" -> null
        name                 = "btp-bootstrap-quovadis-eafa589c"
        # (7 unchanged attributes hidden)
    }

Error: Invalid template interpolation value

  on .terraform/modules/custom_idp/btp-context/bootstrap-context/modules/custom-idp/bootstrap-custom-idp.tf line 196, in data "http" "api-credential-token":
 196:   request_body = "grant_type=client_credentials&client_id=${local.client_id}&client_secret=${local.client_secret}&response_type=token"
    ├────────────────
    │ local.client_secret is null

The expression result is null. Cannot include a null value in a string
template.

Additional context

Full GHA trace log https://github.com/quovadis-btp/btp-boosters/actions/runs/11756380729/job/32752461363

lechnerc77 commented 1 week ago

The repositories are private, so we are not ables to access the code especially of the module under investigation. The Terraform team would need access or you provide the code of the module's main.tf that uses the resource in this issue

ptesny commented 1 week ago

The module code is public https://github.com/quovadis-btp/btp-automation/blob/3e47ea9bbdce9cff28b7f1d168dfe84da92f5809/btp-context/bootstrap-context/modules/custom-idp/bootstrap-custom-idp.tf#L158

just mind the gap I have worked around the problem by instructing tf to recycle the resource at every plan/apply run

just remove the lifecycle section to reproduce the reported issue

diya-dhan commented 1 week ago
ptesny commented 1 week ago

thank you. Please make sure it works with both secrets and certificates