[BUG]refresh of btp_subaccount_api_credential resource during planning phase resets the secret to null.

[ptesny]

Is there an existing issue for this?

• [X] I have searched the existing issues

What version of the Terraform provider are you using?

1.8.0

What version of the Terraform CLI are you using?

1.9.3

What type of issue are you facing

bug report

Describe the bug

After an initial and successful creation of a btp_subaccount_api_credential resource the subsequent planning operation reset the value of the api_credential secret to null. This makes tf choke if the secret is used to compute the access token.

This is an unexpected behaviour and reported as such in the tf trace log

Expected Behavior

One should be able to create a single instance of the btp_subaccount_api_credential resource and be able to run the same tf configuration multiple times

Steps To Reproduce

Full GHA trace log https://github.com/quovadis-btp/btp-boosters/actions/runs/11756380729/job/32752461363

User's Role Collections

No response

Add screenshots to help explain your problem

2024-11-09T12:50:24.963Z [WARN]  Provider "registry.terraform.io/sap/btp" produced an unexpected new value for module.custom_idp.btp_subaccount_api_credential.quovadis-haa during refresh.
      - .client_secret: was cty.StringVal("btp-bootstrap-quovadis-***$CIJqSpsC8ujOSw8W8tjHk4LKk_miMvTEAt9Bwy4ZHiM="), but now null
      - .certificate_received: was null, but now cty.StringVal("")
2024-11-09T12:50:24.972Z [DEBUG] ReferenceTransformer: "module.custom_idp.data.http.api-credential-token" references: []
Error: -09T12:50:24.972Z [ERROR] vertex "module.custom_idp.data.http.api-credential-token" error: Invalid template interpolation value
Error: -09T12:50:24.972Z [ERROR] vertex "module.custom_idp.data.http.api-credential-token (expand)" error: Invalid template interpolation value

and then further on...

2024-11-09T12:50:39.418Z [WARN]  Planning encountered errors, so plan is not applyable

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.custom_idp.btp_subaccount_api_credential.quovadis-haa has changed
  ~ resource "btp_subaccount_api_credential" "quovadis-haa" {
      - client_secret        = "btp-bootstrap-quovadis-***$CIJqSpsC8ujOSw8W8tjHk4LKk_miMvTEAt9Bwy4ZHiM=" -> null
        name                 = "btp-bootstrap-quovadis-eafa589c"
        # (7 unchanged attributes hidden)
    }

Error: Invalid template interpolation value

  on .terraform/modules/custom_idp/btp-context/bootstrap-context/modules/custom-idp/bootstrap-custom-idp.tf line 196, in data "http" "api-credential-token":
 196:   request_body = "grant_type=client_credentials&client_id=${local.client_id}&client_secret=${local.client_secret}&response_type=token"
    ├────────────────
    │ local.client_secret is null

The expression result is null. Cannot include a null value in a string
template.

Additional context

Full GHA trace log https://github.com/quovadis-btp/btp-boosters/actions/runs/11756380729/job/32752461363

[lechnerc77]

The repositories are private, so we are not ables to access the code especially of the module under investigation. The Terraform team would need access or you provide the code of the module's main.tf that uses the resource in this issue

[ptesny]

The module code is public https://github.com/quovadis-btp/btp-automation/blob/3e47ea9bbdce9cff28b7f1d168dfe84da92f5809/btp-context/bootstrap-context/modules/custom-idp/bootstrap-custom-idp.tf#L158

just mind the gap I have worked around the problem by instructing tf to recycle the resource at every plan/apply run

just remove the lifecycle section to reproduce the reported issue

[diya-dhan]

• Error can be reproduced
• The resources btp_directory_api_credential and btp_globalaccount_api_credential also have the same issue
• The BTP CLI command btp get security/api-credential does not return the secret of the created api-credential
• Fix has to be made in the Read function of each of the resources

[ptesny]

thank you. Please make sure it works with both secrets and certificates