Open F21 opened 3 weeks ago
We're also experiencing this problem, and see the same problematic log (also when building the provider from master today):
.config[0].client_secret: planned value cty.StringVal("**********************************") does not match config value cty.StringVal("1234567890") nor prior value cty.StringVal("")
What's interesting is that we didn't see this 3 days ago, running the same version, so I suspect there might have been some API change that triggered this.
Changing the StateFunc for the client_secret schema to simply return "" fixes this issue, but recreates an issue we experienced last week where changing the input to the client_secret field didn't trigger an update to the resource or upstream configuration.
Reading the linked PR above, that seems to have been closed, saying that it's actually fixed in the upcoming 4.47 (via https://github.com/cloudflare/terraform-provider-cloudflare/pull/4419/). So does that mean this issue is resolved in 4.47? Additionally, I'm getting the same issue not just with the identity provider secret, but with cloudflared tunnel secrets and device posture integrations secrets. Should I add logs here, or file a separate issue, or would the above fix cover those too? (I don't think so, from looking at the PR though; it seems to be specific to the id provider?)
Terraform and Cloudflare provider version
Terraform v1.9.8 on linux_amd64
Affected resource(s)
cloudflare_zero_trust_access_identity_provider
Terraform configuration files
Link to debug output
https://gist.github.com/F21/25df3576a43e4f48c548879da9ba493f
Panic output
No response
Expected output
The cloudflare_zero_trust_access_identity_provider.config.client_secret should not be updated when the secret has not changed.
Actual output
Terraform attempts to update cloudflare_zero_trust_access_identity_provider.config.client_secret even when the client_secret has not changed.
Steps to reproduce
terraform apply and accept.
terraform apply or terraform plan and see that it tries to update cloudflare_zero_trust_access_identity_provider.config.client_secret even when the secret is the same.
Additional factoids
This is because the client_secret is stored as CONCEALED_STRING in the state. Therefore, unless the client_secret is literally CONCEALED_STRING, terraform will always think it has changed.
References
No response
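The diff behaviour discussed in this thread, as an added example that is not part of the original issue or the provider's code: a simplified model (not the Terraform SDK) of how the value kept in state decides whether a plan shows a change. All function names and the `**********` placeholder are hypothetical, and the digest strategy is an assumption shown for comparison, not something the thread or the provider proposes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// stateFunc has the role of a provider StateFunc: it maps the configured
// value to the string that is kept in state and compared at plan time.
type stateFunc func(config string) string

// concealed is a constructed stand-in for the redacted value the API returns.
const concealed = "**********"

func identity(s string) string    { return s }
func constantEmpty(string) string { return "" }

// digest keeps only a SHA-256 of the secret in state. An unsalted hash of a
// low-entropy secret can still be guessed offline, so state stays sensitive.
func digest(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// stateAfterRefresh models apply followed by refresh. readOverwrites=true
// means the read step copies the redacted API value into state.
func stateAfterRefresh(f stateFunc, secret string, readOverwrites bool) string {
	if readOverwrites {
		return concealed
	}
	return f(secret)
}

// planShowsChange compares the transformed config value with stored state.
func planShowsChange(f stateFunc, state, secret string) bool {
	return f(secret) != state
}

func main() {
	const secret, rotated = "1234567890", "0987654321" // constructed values
	s := stateAfterRefresh(identity, secret, true)
	fmt.Println("redacted value in state, same secret:", planShowsChange(identity, s, secret))
	s = stateAfterRefresh(constantEmpty, secret, false)
	fmt.Println("constant \"\", rotated secret:", planShowsChange(constantEmpty, s, rotated))
	s = stateAfterRefresh(digest, secret, false)
	fmt.Println("digest, same secret:", planShowsChange(digest, s, secret))
	fmt.Println("digest, rotated secret:", planShowsChange(digest, s, rotated))
}
```

The first case reproduces the perpetual update reported here, and the second reproduces the missed update described for the constant `""` StateFunc.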