cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

`cloudflare_zero_trust_access_identity_provider` keeps trying to update `config.client_secret` when there are no changes #4497

Open F21 opened 1 week ago

F21 commented 1 week ago

Confirmation

Terraform and Cloudflare provider version

Terraform v1.9.8 on linux_amd64

Affected resource(s)

cloudflare_zero_trust_access_identity_provider

Terraform configuration files

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.45"
    }
  }
  required_version = "~> 1.9"
}

provider "cloudflare" {
  api_token = "REDACTED"
}

resource "cloudflare_zero_trust_access_identity_provider" "test" {
  account_id = "REDACTED"
  name       = "TEST"
  type       = "azureAD"

  config {
    client_id      = "123456"
    client_secret  = "123456"
    directory_id   = "123456"
  }
}

Link to debug output

https://gist.github.com/F21/25df3576a43e4f48c548879da9ba493f

Panic output

No response

Expected output

The cloudflare_zero_trust_access_identity_provider.config.client_secret should not be updated when the secret has not changed.

Actual output

Terraform attempts to update cloudflare_zero_trust_access_identity_provider.config.client_secret even when the client_secret has not changed.

Steps to reproduce

  1. Run terraform apply and accept.
  2. Run terraform apply or terraform plan and see that it tries to update cloudflare_zero_trust_access_identity_provider.config.client_secret even when the secret is the same.

Additional factoids

This is because the client_secret is stored as CONCEALED_STRING in the state. Therefore, unless the client_secret is literally CONCEALED_STRING, terraform will always think it has changed.

References

No response

github-actions[bot] commented 1 week ago

Terraform debug log detected :white_check_mark:

github-actions[bot] commented 1 week ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

JonasBak commented 1 week ago

We're also experiencing this problem, and see the same problematic log (also when building the provider from master today):

.config[0].client_secret: planned value cty.StringVal("**********************************") does not match config value cty.StringVal("1234567890") nor prior value cty.StringVal("")

Relevant code: https://github.com/cloudflare/terraform-provider-cloudflare/blob/86cd8749ed6948889800a691dc7d038868c36a7c/internal/sdkv2provider/schema_cloudflare_access_identity_provider.go#L92

What's interesting is that we didn't see this 3 days ago, running the same version, so I suspect there might have been some API change that triggered this.

Changing the StateFunc for the client_secret schema to simply return "" fixes this issue, but recreates an issue we experienced last week where changing the input to the client_secret field didn't trigger an update to the resource or upstream configuration.
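As an added illustration (not the provider's code), the following Go program models the interaction described in the original report and in the comment above: the planned value of `client_secret` is `StateFunc(config)`, and it is compared against whatever the last Read left in state. It assumes the SDK compares `StateFunc(config)` with prior state and that the Cloudflare API does not echo the secret on read; the hashed variant and the `readPreservesState` flag are assumed alternatives for discussion, not something the thread confirms.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StateFunc normalises a config value before it is stored and before the
// planned value is compared with prior state (simplified model of the
// terraform-plugin-sdk/v2 behaviour, not the SDK itself).
type StateFunc func(configValue string) string

// ConcealStateFunc models the constant placeholder the report describes.
func ConcealStateFunc(string) string { return "CONCEALED_STRING" }

// EmptyStateFunc models the "simply return \"\"" variant tried in the comment.
func EmptyStateFunc(string) string { return "" }

// HashStateFunc (assumed alternative): state holds a digest rather than the
// secret, yet a different secret still produces a different stored value.
func HashStateFunc(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// Outcome: does an unchanged secret plan clean, and is a rotated one pushed?
type Outcome struct{ CleanWhenUnchanged, DetectsRotation bool }

// Simulate models apply -> read -> plan. The API never returns the secret, so
// a Read that refreshes the attribute from the API leaves "" in state (the
// prior value seen in the log); a Read that preserves it keeps StateFunc(secret).
func Simulate(sf StateFunc, readPreservesState bool, secret, rotated string) Outcome {
	state := sf(secret) // what apply writes to state
	if !readPreservesState {
		state = "" // refreshed from an API response that omits the secret
	}
	return Outcome{
		CleanWhenUnchanged: sf(secret) == state,
		DetectsRotation:    sf(rotated) != state,
	}
}

func main() {
	// Constructed sample secrets; the first case reproduces the perpetual diff.
	fmt.Printf("conceal, read overwrites: %+v\n", Simulate(ConcealStateFunc, false, "123456", "654321"))
	fmt.Printf("empty,   read overwrites: %+v\n", Simulate(EmptyStateFunc, false, "123456", "654321"))
	fmt.Printf("hash,    read preserves:  %+v\n", Simulate(HashStateFunc, true, "123456", "654321"))
}
```

The model shows that the choice of StateFunc alone does not settle the behaviour: any non-constant normalisation still diffs forever if Read replaces the stored value with an empty API response, and a constant one can never see a rotated secret.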