hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: no drift detection for `connection_url` in resource `database_secret_backend_connection` #2081

Open ghthor opened 10 months ago

ghthor commented 10 months ago

Terraform Core Version

1.6.3

Terraform Vault Provider Version

3.22.0

Vault Server Version

1.11.4

Affected Resource(s)

Expected Behavior

If the connection_url is changed outside of terraform then terraform plan should detect this drift and show an update in place of the resource.

Actual Behavior

terraform plan does NOT show an update, as it only compares the connection_url to what already exists within the state, not with the value read from Vault in the upstream resource.

https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_database_secret_backend_connection.go#L1006

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Please see the contents of this repository for a reproducible example environment complete with Vault/Postgres and the terraform configuration files.

https://github.com/ghthor/terraform-provider-vault-bugs/blob/main/database-backend-connection_url-drift-detection/main.tf

Steps to Reproduce

  1. create a vault_database_secret_backend_connection using terraform
  2. modify the connection_url out of band from terraform
  3. run terraform plan and notice no changes planned for the connection_url
  4. remove the resource from the terraform state with terraform state rm and then import it
  5. run terraform plan and notice that the connection_url doesn't match what is declared in the configuration

For a complete reproducible testing environment please see the following repository

https://github.com/ghthor/terraform-provider-vault-bugs/tree/main/database-backend-connection_url-drift-detection

Debug Output

No response

Panic Output

No response

Important Factoids

I believe this is directly caused by the following line in the provider that is checking if the current state has a connection_url and if it does then ignores the upstream response from vault.

https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_database_secret_backend_connection.go#L1006

    // If the current state already holds a connection_url, that value is kept
    // and the one returned by Vault (in `data`) is never consulted.
    if v, ok := d.GetOk(prefix + "connection_url"); ok {
        result["connection_url"] = v.(string)
    } else {
        // Only when the state has no connection_url is the Vault response used.
        if v, ok := data["connection_url"]; ok {
            result["connection_url"] = v.(string)
        }
    }

References

No response

Would you like to implement a fix?

Yes
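The following is an added example, not code from the issue or from the provider. It simulates the two read orderings with a map standing in for `schema.ResourceData`, so the effect on drift detection can be seen without a Vault server: the as-is ordering (state first) masks an out-of-band change, while an API-first ordering surfaces it. `stateData`, `readConnectionURLAsIs`, `readConnectionURLFromAPI`, `driftDetected`, the `postgresql.0.` prefix and the sample URLs are all constructed for this example, and it assumes that Vault's read returns the currently stored `connection_url`, which is what the import step in the reproduction relies on.

```go
package main

import "fmt"

// stateData stands in for the Terraform state the provider sees through
// schema.ResourceData. Constructed for this example only.
type stateData map[string]interface{}

// GetOk mimics ResourceData.GetOk: the value and true when the key is
// present and non-empty, otherwise nil and false.
func (s stateData) GetOk(key string) (interface{}, bool) {
	v, ok := s[key]
	if !ok || v == "" {
		return nil, false
	}
	return v, true
}

// readConnectionURLAsIs reproduces the ordering quoted in the issue: a
// connection_url already in state wins over the one Vault returned in data.
func readConnectionURLAsIs(d stateData, data map[string]interface{}, prefix string) map[string]interface{} {
	result := map[string]interface{}{}
	if v, ok := d.GetOk(prefix + "connection_url"); ok {
		result["connection_url"] = v.(string)
	} else if v, ok := data["connection_url"]; ok {
		result["connection_url"] = v.(string)
	}
	return result
}

// readConnectionURLFromAPI is a hypothetical alternative (not the
// provider's code): prefer the value Vault reports and fall back to state
// only when the API response omits the field.
func readConnectionURLFromAPI(d stateData, data map[string]interface{}, prefix string) map[string]interface{} {
	result := map[string]interface{}{}
	if v, ok := data["connection_url"]; ok {
		result["connection_url"] = v.(string)
	} else if v, ok := d.GetOk(prefix + "connection_url"); ok {
		result["connection_url"] = v.(string)
	}
	return result
}

// driftDetected compares the configured value with what the read produced,
// which is the comparison terraform plan ends up making. A missing value
// counts as drift.
func driftDetected(configured string, read map[string]interface{}) bool {
	v, ok := read["connection_url"].(string)
	return !ok || v != configured
}

func main() {
	const prefix = "postgresql.0."
	// Constructed sample: the configured URL, already recorded in state.
	configured := "postgresql://{{username}}:{{password}}@db.example.internal:5432/app"
	state := stateData{prefix + "connection_url": configured}
	// Constructed sample: what Vault now reports after an out-of-band change.
	vaultResp := map[string]interface{}{
		"connection_url": "postgresql://{{username}}:{{password}}@db-other.example.internal:5432/app",
	}
	fmt.Println("state-first read detects drift:", driftDetected(configured, readConnectionURLAsIs(state, vaultResp, prefix)))
	fmt.Println("api-first read detects drift:  ", driftDetected(configured, readConnectionURLFromAPI(state, vaultResp, prefix)))
}
```

Run as a plain `go run`; the first line prints false (the state value hides the change) and the second prints true. The fallback to state in `readConnectionURLFromAPI` is there because a read that leaves `connection_url` unset would otherwise show spurious drift for every plan; which ordering the provider should adopt is the subject of the issue, not something this example settles.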