Moving dedicated[0].encryption_key to byok_key[0].id does not work as expected

[Ad4m0]

After successfully replacing dedicated[0].encryption_key with byok_key[0].id with version 1.79.0 as described here, Terraform still wants to change the cluster configuration, although nothing has changed in the cluster configuration.

Having dedicated[0].encryption_key and byok_key[0].id specified at the same time leads to a deprecation warning, but Terraform detects no changes.

Could you please take a look at this?

Here is an example from Terraform of the change detected:

Terraform will perform the following actions:
  # confluent_kafka_cluster.my_dedicated_cluster will be updated in-place
  ~ resource "confluent_kafka_cluster" "my_dedicated_cluster" {
        id                 = "lkc-abc123"
        # (9 unchanged attributes hidden)
      ~ dedicated {
          - encryption_key = "arn:aws:kms:my-key" -> null
            # (2 unchanged attributes hidden)
        }
        # (3 unchanged blocks hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

[linouk23]

@Ad4m0 thanks for creating the issue!

That's a great call-out! We'll update our documentation since it's currently a bit unclear.

The idea is an in-place update for the existing clusters by removing "encryption_key" from the code and adding the block "byok_key" (that refers to a "confluent_byok_key" resource) is not supported and eventually we'd like users to either

1. Remove the encryption_key attribute from the confluent_kafka_cluster resource. Users won't have to recreate the cluster, but the confluent_kafka_cluster resource definition might look a bit misleading, as there will be no references to encryption_key / byok_key.
2. Recreate a cluster if they want to reference "confluent_byok_key" 😕 (see https://github.com/confluentinc/terraform-provider-confluent/issues/398 for more context).