ilijamt / terraform-provider-awx

A complete terraform provider for AWX
MIT License

Forced recreation because of encrypted values #117

Open faelau opened 1 week ago

faelau commented 1 week ago

If you create an object whose values are stored in encrypted format, Terraform forces recreation of the property because Terraform thinks it has changed:

awx_settings_oidc.authentik: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to awx_settings_oidc.authentik, provider "provider[\"registry.terraform.io/ilijamt/awx\"]" produced an unexpected new value: .social_auth_oidc_secret: was
│ cty.StringVal("abc123abc123abc123"), but now
│ cty.StringVal("$encrypted$").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Encrypted values should only be changed when the value changes in the manifest.

Other encrypted values (e.g. LDAP bind password) are also affected.

ilijamt commented 2 days ago

I'll have to check. Most likely the value is sensitive, and you are unable to retrieve it unless you created it with Terraform. I'll need to add an exception for this.

kensog commented 1 day ago

Seeing this error in numerous places, including in the notification template: /api/v2/notification_templates/ returns "token": "$encrypted$", which seems to get into the state file, so there is always a diff. The secret value is created in tf as well.

-/+ resource "awx_notification_template" "slack_notifications" {
      ~ id                         = 14 -> (known after apply)
        name                       = "slack notification"
      ~ notification_configuration = jsonencode(
          ~ {
              ~ token    = "$encrypted$" -> "secretpassowrdhere"
                # (1 unchanged attribute hidden)
            }
        )
        # (4 unchanged attributes hidden)
    }
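
Added example, not code from this provider or from any commenter: one way a read/refresh step can keep the configured secret when the API masks it as `$encrypted$`, including inside a JSON-encoded attribute such as `notification_configuration`. The function names and sample values are hypothetical; only the `$encrypted$` placeholder comes from the output above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Placeholder the API returns instead of a stored secret (from the output above).
const encryptedPlaceholder = "$encrypted$"

// preserveEncrypted (hypothetical helper) walks the API response and, wherever
// the API masked a value, keeps the value already known from plan/state.
// Trade-off: a secret changed outside Terraform cannot be detected as drift.
func preserveEncrypted(prior, remote any) any {
	switch r := remote.(type) {
	case string:
		if p, ok := prior.(string); ok && r == encryptedPlaceholder && p != "" {
			return p
		}
		return r
	case map[string]any:
		p, _ := prior.(map[string]any) // reading a nil map is safe
		out := make(map[string]any, len(r))
		for k, v := range r {
			out[k] = preserveEncrypted(p[k], v)
		}
		return out
	}
	return remote
}

// mergeJSONAttr applies preserveEncrypted to a jsonencode()-style attribute.
func mergeJSONAttr(priorJSON, remoteJSON string) (string, error) {
	var prior, remote any
	if err := json.Unmarshal([]byte(remoteJSON), &remote); err != nil {
		return "", fmt.Errorf("decode remote: %w", err)
	}
	if priorJSON != "" {
		if err := json.Unmarshal([]byte(priorJSON), &prior); err != nil {
			return "", fmt.Errorf("decode prior: %w", err)
		}
	}
	merged, err := json.Marshal(preserveEncrypted(prior, remote))
	return string(merged), err
}

func main() {
	// Constructed sample values, not taken from a real AWX instance.
	fmt.Println(mergeJSONAttr(`{"token":"constructed-secret"}`, `{"token":"$encrypted$"}`))
}
```

With no prior value (for example after `terraform import`), the placeholder is left in place, so the first plan after an import still shows a change for that attribute.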