Open matthewbarreiro opened 1 year ago
I'm experiencing exactly this issue. Definitely needs looking into. Thanks.
While the API for DescribeDirectories includes a SharedSecret attribute, in practice it appears AWS returns an empty string for this value. This makes drift detection impossible. So in the short term, I think you have to just use the lifecycle block to ignore it, or put up with the constant refreshing.
What would be the preferred solution from the perspective of the provider coders? I am thinking the API could return a salted hash of the current value or something similar that would allow comparison w/o directly returning the value in the API.
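The comparison proposed in the comment above, as an added example that is not AWS's API or the provider's code: the service returns a salted, slow-hashed fingerprint of the stored secret and the client recomputes it from the configured value. The `SharedSecretFingerprint` field, the function names and the sample secrets are assumptions made up for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# A slow KDF matters here: RADIUS shared secrets are often short, and anyone
# allowed to read the fingerprint could otherwise guess the secret offline.
ITERATIONS = 600_000


def make_fingerprint(secret: str, salt: Optional[bytes] = None) -> dict:
    """Service side (hypothetical): what the API would return instead of the secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def has_drifted(configured_secret: str, fingerprint: dict) -> bool:
    """Client side: recompute with the returned salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        configured_secret.encode(),
        bytes.fromhex(fingerprint["salt"]),
        fingerprint["iterations"],
    )
    return not hmac.compare_digest(candidate, bytes.fromhex(fingerprint["digest"]))


def plan(configured_secret: str, describe_response: dict) -> str:
    """Decide what a refresh should conclude from a (hypothetical) API response."""
    fingerprint = describe_response.get("SharedSecretFingerprint")  # hypothetical field
    if fingerprint is None:
        # Behaviour described in the thread: only an empty SharedSecret comes
        # back, so there is nothing to compare the configured value against.
        return "unknown"
    return "update" if has_drifted(configured_secret, fingerprint) else "no-op"


if __name__ == "__main__":
    stored = make_fingerprint("constructed-radius-secret")  # constructed sample value
    print(plan("constructed-radius-secret", {"SharedSecretFingerprint": stored}))
    print(plan("rotated-out-of-band", {"SharedSecretFingerprint": stored}))
    print(plan("constructed-radius-secret", {"SharedSecret": ""}))
```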
Terraform Core Version
1.3.6
AWS Provider Version
4.58.0
Affected Resource(s)
Expected Behavior
Terraform should only update the resources provisioned by aws_directory_service_radius_settings if the shared_secret value actually changes.
Actual Behavior
Terraform updates the resources provisioned by aws_directory_service_radius_settings on each terraform apply. Not only does this unnecessarily increase the apply time by 1-2 minutes, but it may also lead to race conditions. E.g. when trying to deploy a workspace immediately after the RADIUS settings update, I receive an error that the directory is unavailable.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Note: I am including my exact configuration; however, the same behavior was tested to work with a sensitive variable for shared_secret, and presumably would then occur with all other values being defined directly.
Steps to Reproduce
aws_directory_service_directory connector resource
aws_directory_service_radius_settings
sensitive = true
Debug Output
No response
Panic Output
No response
Important Factoids
I am able to work around this by adding a lifecycle to the resource; however, this will prevent me from actually updating the secret (without first removing the lifecycle).
References
No response
Would you like to implement a fix?
No