search

confluentinc / terraform-provider-confluent

Terraform Provider for Confluent
Apache License 2.0
118 stars 61 forks source link

apply after confluent_schema import results in a nochange update #303

Open Noel-Jones opened 10 months ago

Noel-Jones commented 10 months ago

Consider the following sequence of actions on a simple confluent_schema:

Apply => schema created Apply => no change (as expected) Terraform state rm => state is deleted Import => state is imported Apply => change will be performed (see below) Apply => no change (as expected)

This sequence is "prove" there is an issue. In real life I simply want to import the existing schema so that I can start to manage an existing production system with Terraform. I don't want Terraform making an unexplained change to the schema.

I'll briefly refer to issue #293 where I have determined that it is not necessary to set SCHEMA_CONTENT for an import and by not doing so the import will read the schema from the registry. Therefore after perfroming the import the apply should make no change.

Some more detail:

This is the terraform resource:

resource "confluent_schema" "avro-noeltest" {
  schema_registry_cluster {
    id = data.confluent_schema_registry_cluster.cluster_0.id
  }
  rest_endpoint = data.confluent_schema_registry_cluster.cluster_0.rest_endpoint
  credentials {
    key    = data.azurerm_key_vault_secret.env_schema_cluster_0_key.value
    secret = data.azurerm_key_vault_secret.env_schema_cluster_0_secret.value
  }
  subject_name       = "noeltest-value"
  format             = "AVRO"
  schema             = file("./noeltest.txt")
  recreate_on_update = false
}

And the schema file (though this should have no bearing on it).

{
    "name": "NoelTest",
    "namespace": "noeltest.avro",
    "type": "record",
    "fields": [
        {
            "name": "field1",
            "type": "string"
        }
    ]
}

After the import the apply says that a change will be made but there are no changed attributes or blocks. So what is is changing?

Terraform will perform the following actions:

  # confluent_schema.avro-noeltest will be updated in-place
  ~ resource "confluent_schema" "avro-noeltest" {
        id                 = "lsrc-xxxxx/noeltest-value/latest"
        # (8 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform state show yields an identical state before and after the apply.

Terraform v1.5.5 on linux_amd64

Noel-Jones commented 10 months ago

Final bit of digging for today. Comparing the raw state files, the difference in state before and after the unwanted apply is

<   "serial": 15,
---
>   "serial": 17,
195,196c195,238
<           "sensitive_attributes": [],
---
>           "sensitive_attributes": [
>             [
>               {
>                 "type": "get_attr",
>                 "value": "credentials"
>               },
>               {
>                 "type": "index",
>                 "value": {
>                   "value": 0,
>                   "type": "number"
>                 }
>               },
>               {
>                 "type": "get_attr",
>                 "value": "key"
>               }
>             ],
>             [
>               {
>                 "type": "get_attr",
>                 "value": "credentials"
>               },
>               {
>                 "type": "index",
>                 "value": {
>                   "value": 0,
>                   "type": "number"
>                 }
>               },
>               {
>                 "type": "get_attr",
>                 "value": "secret"
>               }
>             ]
>           ],
>           "dependencies": [
>             "data.azurerm_key_vault_secret.confluent_cloud_api_key",
>             "data.azurerm_key_vault_secret.confluent_cloud_api_secret",
>             "data.azurerm_key_vault_secret.env_schema_cluster_0_key",
>             "data.azurerm_key_vault_secret.env_schema_cluster_0_secret",
>             "data.confluent_schema_registry_cluster.cluster_0"
>           ]

It would appear to be either the sensitive_attributes or dependencies not being set by the import that is causing this.

I'd expected it to be line endings or spaces in the schema but this does not appear to be the case.

Noel-Jones commented 10 months ago

I can now confirm that after editing the state file, it is the missing sensitive attributes in the state file that is causing this issue.