Terraform Core Version
1.6.3
Terraform Vault Provider Version
3.22.0
Vault Server Version
1.11.4
Affected Resource(s)
vault_database_secret_backend_connection
Expected Behavior
If the `connection_url` is changed outside of terraform then `terraform plan` should detect this drift and show an update in place of the resource.
Actual Behavior
`terraform plan` does NOT show an update, as it only compares the `connection_url` to what already exists within the state, not with the value read from Vault in the upstream resource.
https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_database_secret_backend_connection.go#L1006
I believe this is directly caused by the following line in the provider, which checks if the current state has a `connection_url` and, if it does, ignores the upstream response from Vault:
```go
if v, ok := d.GetOk(prefix + "connection_url"); ok {
	result["connection_url"] = v.(string)
} else {
	if v, ok := data["connection_url"]; ok {
		result["connection_url"] = v.(string)
	}
}
```
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Please see the contents of this repository for a reproducible example environment complete with Vault/Postgres and the terraform configuration files.
https://github.com/ghthor/terraform-provider-vault-bugs/blob/main/database-backend-connection_url-drift-detection/main.tf
Steps to Reproduce
1. Create a `vault_database_secret_backend_connection` using terraform
2. Change the `connection_url` out of band from terraform
3. `terraform plan` and notice no changes planned for the `connection_url`
4. `terraform state rm` the resource and then import it
5. `terraform plan` and notice that the `connection_url` doesn't match what is declared in the configuration
For a complete reproducible testing environment please see the following repository
https://github.com/ghthor/terraform-provider-vault-bugs/tree/main/database-backend-connection_url-drift-detection
Debug Output
No response
Panic Output
No response
Important Factoids
https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_database_secret_backend_connection.go#L1006
References
No response
Would you like to implement a fix?
Yes
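As an added illustration (example code written here, not the provider's own and not part of the issue above), the Go below models the read path the issue points at: a stand-in `getOk` that mimics `schema.ResourceData.GetOk` on a string attribute, the state-preferring merge quoted in the issue, and a drift-aware variant that takes Vault's value whenever the read response carries it and only falls back to prior state when the key is absent. The configured and changed URLs are constructed inputs, and `planShowsDrift` is a hypothetical helper standing in for Terraform's configuration-vs-state comparison.

```go
package main

import "fmt"

// Constructed inputs for the example: what the Terraform configuration declares, and what
// Vault reports after someone changed the connection out of band (here sslmode was weakened).
const (
	configuredURL = "postgresql://{{username}}:{{password}}@db.example.internal:5432/app?sslmode=require"
	changedURL    = "postgresql://{{username}}:{{password}}@db.example.internal:5432/app?sslmode=disable"
)

// getOk is a stand-in for schema.ResourceData.GetOk on a string attribute (assumption made
// for this example): like the real helper, it reports ok=false when the attribute is absent
// or holds its zero value ("").
func getOk(state map[string]string, key string) (string, bool) {
	v, present := state[key]
	return v, present && v != ""
}

// readConnectionURLStatePreferred mirrors the logic quoted in the issue: when the prior state
// already carries a connection_url, the value returned by Vault is never looked at. The type
// assertion is checked here so a malformed response cannot panic the example.
func readConnectionURLStatePreferred(state map[string]string, vaultData map[string]interface{}) (string, bool) {
	if v, ok := getOk(state, "connection_url"); ok {
		return v, true
	}
	if v, ok := vaultData["connection_url"]; ok {
		s, isString := v.(string)
		return s, isString
	}
	return "", false
}

// readConnectionURLUpstreamPreferred is a drift-aware alternative (a suggestion, not provider
// code): Vault's answer wins whenever it is present and non-empty, and the prior state is only
// used as a fallback when the read response omits the key or returns something unusable.
func readConnectionURLUpstreamPreferred(state map[string]string, vaultData map[string]interface{}) (string, bool) {
	if v, ok := vaultData["connection_url"]; ok {
		if s, isString := v.(string); isString && s != "" {
			return s, true
		}
	}
	return getOk(state, "connection_url")
}

// planShowsDrift is a hypothetical stand-in for the plan's comparison: an in-place update for
// connection_url appears only when the refreshed state differs from the configuration.
func planShowsDrift(configured, refreshed string) bool {
	return configured != refreshed
}

func main() {
	priorState := map[string]string{"connection_url": configuredURL}
	vaultResponse := map[string]interface{}{"connection_url": changedURL} // constructed read response

	current, _ := readConnectionURLStatePreferred(priorState, vaultResponse)
	fixed, _ := readConnectionURLUpstreamPreferred(priorState, vaultResponse)
	fmt.Printf("state-preferred read:    drift shown=%v (refreshed to %q)\n", planShowsDrift(configuredURL, current), current)
	fmt.Printf("upstream-preferred read: drift shown=%v (refreshed to %q)\n", planShowsDrift(configuredURL, fixed), fixed)

	// Vault omits the key: the fallback keeps the prior state instead of blanking it.
	kept, ok := readConnectionURLUpstreamPreferred(priorState, map[string]interface{}{})
	fmt.Printf("missing key in response: kept=%v value=%q\n", ok, kept)
}
```

Run with `go run .`; the state-preferred read refreshes to the configured URL and hides the out-of-band change, while the upstream-preferred read refreshes to Vault's value so the plan shows the update. The fallback branch is the caveat worth keeping in any fix: if a read response legitimately omits `connection_url`, preferring upstream unconditionally would clear the attribute and produce a spurious diff instead of a real one.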