oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

oci_vault_secret does not work for update in place operation #1913

Open adil-jeel opened 1 year ago

adil-jeel commented 1 year ago

Terraform Version and Provider Version

Terraform v1.5.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/oracle/oci v5.3.0

Affected Resource(s)

oci_vault_secret

Terraform Configuration Files

resource "oci_vault_secret" "secret" {
  for_each = {
    for secret in var.special_secrets :
    secret.name => secret
  }
  compartment_id = var.compartment_id
  secret_name    = each.key
  vault_id       = oci_kms_vault.vault.id
  key_id         = oci_kms_key.key.id
  secret_content {
    content_type = "BASE64"
    content      = base64encode(random_password.generated_password[each.key].result)
    name         = each.value.name
  }
}

Debug Output

│ Error: 400-InvalidParameter, name already exists
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message name already exists
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/vault_secret
│ API Reference: https://docs.oracle.com/iaas/api/#/en/secretmgmt/20180608/Secret/UpdateSecret
│ Request Target: PUT https://vaults.me-jeddah-1.oci.oraclecloud.com/xxx/secrets/ocid1.vaultsecret.oc1.me-jeddah-1.xxx
│ Provider version: 5.3.0, released on 2023-06-29. This provider is 1 Update(s) behind to current.
│ Service: Vault Secret
│ Operation Name: UpdateSecret

Expected Behavior

It should update the secret as it is showing in the plan

  # oci_vault_secret.secret["argocd_password"] will be updated in-place

Actual Behavior

│ Error: 400-InvalidParameter, name already exists
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message name already exists
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/vault_secret
│ API Reference: https://docs.oracle.com/iaas/api/#/en/secretmgmt/20180608/Secret/UpdateSecret
│ Request Target: PUT https://vaults.me-jeddah-1.oci.oraclecloud.com/20180608/secrets/ocid1.vaultsecret.oc1.me-jeddah-1.xxx
│ Provider version: 5.3.0, released on 2023-06-29. This provider is 1 Update(s) behind to current.
│ Service: Vault Secret
│ Operation Name: UpdateSecret
│ OPC request ID: xxx/xxx/xxx


tf-oci-pub commented 1 year ago

Thank you for reporting the issue. We have raised an internal ticket to track this. Our service engineers will get back to you.

thpham commented 11 months ago

Hello, this issue is also blocking my team. Could you please provide an ETA on a possible workaround or resolution?

michaelprice232 commented 5 months ago

Is there any update on this issue?

robertmarsal commented 5 months ago

Looks like updating the secret_content.name when changing the secret value doesn't change the user-facing secret name and updates it in place by creating another version.

analogrithems commented 4 months ago

This effectively breaks this service since you never know when a proposed change will lock up terraform stacks. Even something as small as a freeform tag causes this error. Currently the only fix is to destroy and recreate, but with a limit of 10 you may not be able to do that.

analogrithems commented 4 months ago

> Looks like updating the secret_content.name when changing the secret value doesn't change the user-facing secret name and updates it in place by creating another version.

That wasn't my experience with any of the last 11 provider build versions, 5.35.0 - 5.46.0.

robertmarsal commented 2 months ago

The problem still exists in 6.8.0 but changing the secret_content.name does work for me to create a new version of a secret.
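One way to apply the workaround robertmarsal describes, as an added example that is not from this issue or from the provider project: tie secret_content.name to an explicit rotation counter that also regenerates the random password, so every value change is submitted under a new version name. It assumes the entries in var.special_secrets carry a hypothetical `rotation` field and that the behaviour reported for 6.8.0 holds.

```hcl
variable "special_secrets" {
  # Constructed sample input: bumping "rotation" on an entry rotates that
  # secret's value and gives the new version a distinct name.
  type = list(object({
    name     = string
    rotation = number
  }))
  default = [
    { name = "argocd_password", rotation = 1 },
  ]
}

locals {
  secrets = { for s in var.special_secrets : s.name => s }
}

resource "random_password" "generated_password" {
  for_each = local.secrets
  length   = 32
  special  = true

  # Regenerate the value only when the rotation counter changes.
  keepers = {
    rotation = each.value.rotation
  }
}

resource "oci_vault_secret" "secret" {
  for_each = local.secrets

  compartment_id = var.compartment_id
  secret_name    = each.key
  vault_id       = oci_kms_vault.vault.id
  key_id         = oci_kms_key.key.id

  secret_content {
    content_type = "BASE64"
    content      = base64encode(random_password.generated_password[each.key].result)

    # The version name changes together with the value, so the in-place update
    # carries a fresh name instead of reusing the existing one (the
    # "name already exists" failure reported above). It is derived from the
    # rotation counter, not from the secret value, so no hash of the secret
    # ends up in version metadata.
    name = "${each.key}-v${each.value.rotation}"
  }
}
```

A change that does not touch the value (a freeform tag, as analogrithems notes) would still need a rotation bump to avoid the error if the failure occurs as reported.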