fivetran / terraform-provider-fivetran

Terraform Provider for Fivetran
https://fivetran.com
Apache License 2.0
41 stars 22 forks

Configuring ssh tunnel public key in the connector resource produces an unexpected new value and exits with error #308

Closed miagao closed 1 month ago

miagao commented 1 month ago

Describe the bug

Terraform apply fails with exit > 0 when configuring the tunnel public key for the ssh tunnel in the fivetran_connector resource.

To Reproduce

resource "fivetran_connector" "connector_resource" {
  for_each = {
    for index, connector in local.connectors.postgres :
    data.fivetran_connector.connector[connector.connector_id].name => connector
  }
  group_id = data.fivetran_group.group.id
  service  = each.value.service
  destination_schema {
    prefix = contains(["postgres_rds", "mysql_rds"], each.value.service) ? data.fivetran_connector.connector[each.value.connector_id].name : null
    name   = contains(["postgres_rds", "mysql_rds"], each.value.service) ? null : data.fivetran_connector.connector[each.value.connector_id].name
  }
  config {
    host             = each.value.config.host
    port             = each.value.config.port
    database         = each.value.config.database
    user             = each.value.config.user
    password         = each.value.config.password
    tunnel_host      = each.value.config.tunnel_host
    tunnel_port      = each.value.config.tunnel_port
    tunnel_user      = each.value.config.tunnel_user
    public_key       = each.value.config.public_key
    always_encrypted = each.value.config.always_encrypted
    connection_type  = each.value.config.connection_type
    update_method    = each.value.config.update_method
    replication_slot = each.value.config.replication_slot
    publication_name = each.value.config.publication_name
  }

}

Expected behavior

To pass and apply the public ssh key to the tunnel.

Logs & Output

Error: Provider produced inconsistent result after apply

When applying changes to
module.fivetran.fivetran_connector.connector_resource["raw_nebula_content"],
provider
"module.fivetran.provider[\"registry.terraform.io/fivetran/fivetran\"]"
produced an unexpected new value: .config.public_key: inconsistent values for
sensitive attribute.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.
Error: Terraform exited with code 1.

Plugin version: provider "registry.terraform.io/fivetran/fivetran" { version = "1.1.22" }

Additional context

To avoid errors during the deployment pipeline, in terraform apply, I ignored the changes in the public key with the below configuration, but I am likely to lose when the public key changes.

  lifecycle {
    ignore_changes = [config.public_key]
  }

beevital commented 1 month ago

@miagao the public_key field is read-only - you can't specify it in the configuration for a postgres connector. The problem is caused by the fact that the API returns a value that differs from the value you've specified. Please check our docs for postgres_rds: https://fivetran.com/docs/rest-api/connectors/config#postgresql and for mysql_rds: https://fivetran.com/docs/rest-api/connectors/config#mysql

And here is the setup guide for the SSH tunnel: https://fivetran.com/docs/connectors/databases/connection-options#sshtunnel
You need to get the value that the API returns in this field and add it to authorized_keys on your side.

beevital commented 1 month ago

Also, we have a special data source that allows you to retrieve the SSH public_key value for the specific group (destination): https://registry.terraform.io/providers/fivetran/fivetran/latest/docs/data-sources/group_ssh_key
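
The setup described in the two replies above, as an added example that is not part of the thread or the provider's own documentation: `public_key` is left out of `config`, the group's key is read through the `fivetran_group_ssh_key` data source, and an output renders the line to place in `authorized_keys`. Variable names, the `raw_example` prefix and the `authorized_keys` restrictions (`restrict`, `port-forwarding`, `permitopen`) are assumptions added here.

```hcl
# Added example. Variable names and "raw_example" are hypothetical.
variable "group_id" { type = string }

variable "pg" {
  # Keys: host, port, database, user, tunnel_host, tunnel_port, tunnel_user,
  # connection_type, update_method
  type = map(string)
}

variable "pg_password" {
  type      = string
  sensitive = true
}

# Public key that Fivetran generated for this group (destination).
data "fivetran_group_ssh_key" "tunnel" {
  id = var.group_id
}

resource "fivetran_connector" "pg" {
  group_id = var.group_id
  service  = "postgres_rds"

  destination_schema {
    prefix = "raw_example"
  }

  config {
    host            = var.pg["host"]
    port            = var.pg["port"]
    database        = var.pg["database"]
    user            = var.pg["user"]
    password        = var.pg_password
    tunnel_host     = var.pg["tunnel_host"]
    tunnel_port     = var.pg["tunnel_port"]
    tunnel_user     = var.pg["tunnel_user"]
    connection_type = var.pg["connection_type"]
    update_method   = var.pg["update_method"]
    # public_key is not set: it is read-only and returned by the API.
  }
}

# Line for ~tunnel_user/.ssh/authorized_keys on the tunnel host: forwarding
# only, and only to the database endpoint. sensitive = true keeps the output
# valid if the provider marks the key sensitive, as the connector resource does.
output "tunnel_authorized_keys_line" {
  sensitive = true
  value     = "restrict,port-forwarding,permitopen=\"${var.pg["host"]}:${var.pg["port"]}\" ${trimspace(data.fivetran_group_ssh_key.tunnel.public_key)}"
}
```

Read the line with `terraform output -raw tunnel_authorized_keys_line`; the `restrict` option needs OpenSSH 7.2 or later on the tunnel host.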

miagao commented 1 month ago

> @miagao the public_key field is read-only - you can't specify it in the configuration for a postgres connector. The problem is caused by the fact that the API returns a value that differs from the value you've specified. Please check our docs for postgres_rds: https://fivetran.com/docs/rest-api/connectors/config#postgresql and for mysql_rds: https://fivetran.com/docs/rest-api/connectors/config#mysql
>
> And here is the setup guide for the SSH tunnel: https://fivetran.com/docs/connectors/databases/connection-options#sshtunnel
> You need to get the value that the API returns in this field and add it to authorized_keys on your side.

Thanks. In that case I'll open another one to make this transparent to the user. The config.public_key key should be read-only too. At least the error message should reflect this. Also, the documentation does not say it is read-only, leading me to believe I could change this sometime in the future. Ideally, the attempt to change this should be caught during the plan phase, not in the apply.

miagao commented 1 month ago

This should not be allowed:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.fivetran.fivetran_connector.connector_resource["raw_nebula_content"] will be updated in-place
  ~ resource "fivetran_connector" "connector_resource" {
        id           = "XXX"
        name         = "YYY"
        # (4 unchanged attributes hidden)

      ~ config {
          # Warning: this attribute value will no longer be marked as sensitive
          # after applying this change. The value is unchanged.
          ~ public_key       = (sensitive value)
            # (13 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

Because then during the apply phase it will fail with an inconsistency, as noted below:

Error: Provider produced inconsistent result after apply

When applying changes to
module.fivetran.fivetran_connector.connector_resource["raw_nebula_content"],
provider
"module.fivetran.provider[\"registry.terraform.io/fivetran/fivetran\"]"
produced an unexpected new value: .config.public_key: inconsistent values for
sensitive attribute.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.
Error: Terraform exited with code 1.