[Bug] Integrations using secrets show as requiring changes even when no changes have been made

[renzedj]

Describe the bug Integrations which use secrets require changes after every plan, even with no changes.

To Reproduce Steps to reproduce the behavior:

1. Create an integration, which uses secrets (e.g., ActiveMQ, as used here).
2. Apply the integration to the stack: terraform plan -out=tfplan && terraform apply tfplan
3. Generate a new plan: terraform plan -out=tfplan
4. Review tfplan in json format: terraform show -json tfplan > tfplan.json
5. Compare the before and after fields. These are the diffs from my ActiveMQ example, which are sufficient to force an update:

# Before
"vars_json": "{\"hosts\":[\"localhost:8161\"],\"password\":{\"id\":\"4WWQ2JEBUqgeJBt67-fI\",\"isSecretRef\":true},\"path\":\"/api/jolokia/?ignoreErrors=true\\u0026canonicalNaming=false\",\"ssl\":\"headers:\\n  Origin: 'http://localhost'\\n\",\"username\":\"admin\"}"

# After
"vars_json": "{\"hosts\":[\"localhost:8161\"],\"password\":\"changeme\",\"path\":\"/api/jolokia/?ignoreErrors=true\\u0026canonicalNaming=false\",\"ssl\":\"headers:\\n  Origin: 'http://localhost'\\n\",\"username\":\"admin\"}"

Note: During the plan, a secret reference is returned as current state, but a key-value pair for password with a string value is created for the update, which triggers the update.

Expected behavior Password has not changed, so no update should occur.

Versions (please complete the following information):

• OS: Elastic Cloud
• Terraform Version: 1.9.5
• Provider version: 0.11.6
• Elasticsearch Version: 8.15.0

[renzedj]

This appears to be related to a Fleet enhancement request that I submitted awhile back.

[tobio]

@renzedj thanks for the report. I'm closing this as a duplicate of https://github.com/elastic/terraform-provider-elasticstack/issues/689.