spacelift-io / terraform-provider-spacelift

Terraform provider to interact with Spacelift
MIT License

Sensitive environment variables being forced replaced #465

Closed DeGuitard closed 7 months ago

DeGuitard commented 1 year ago

We're defining our stack's environment variables this way:

resource "spacelift_environment_variable" "my_secret" {
  stack_id   = spacelift_stack.my_stack.id
  name       = "my_secret"
  write_only = true
}

They get created as intended, with a null value. Then we're setting the actual value through the UI, since we do not want our secrets to be persisted in a git repository.

The problem is that future plans give this output:

  # spacelift_environment_variable.my_secret must be replaced
-/+ resource "spacelift_environment_variable" "my_secret" {
      ~ checksum   = "45b87ae48bb7a21b98c574efb56c0331ea8ad7445ee1176ffbc31a9948fb6752" -> (known after apply)
      ~ id         = "stack/my_stack/my_secret" -> (known after apply)
        name       = "my_secret"
      - value      = (sensitive value) -> null # forces replacement
        # (2 unchanged attributes hidden)
    }

The way I read it, the code says the value should be null, so it's trying to overwrite the secret to set it back to null. So that's my problem. I've looked in the documentation, but could not find the proper way to handle this case. Am I missing something?

marcinwyszynski commented 7 months ago

If you don't want the value change to trigger a resource recreation, you can use Terraform's lifecycle meta-argument like this:

resource "spacelift_environment_variable" "my_secret" {
  stack_id   = spacelift_stack.my_stack.id
  name       = "my_secret"
  write_only = true

  lifecycle {
    ignore_changes = [value]
  }
}

You can read more about it here.

Since it's really a Terraform question rather than a provider one, I am going to close this ticket.
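The failure mode in this issue (a write-only variable whose value was set out of band being recreated with value = null) is easy to catch before apply by inspecting the JSON plan. The script below is an added example written for this page, not code from the Spacelift provider or from either commenter: it reads `terraform show -json tfplan` output and flags any `spacelift_environment_variable` that the plan would replace while its `value` goes from set to null. The plan JSON embedded in it is constructed to mirror the plan output quoted in the issue, and the secret string in it is a placeholder.

```python
"""Guard for CI: refuse a plan that would wipe an out-of-band secret.

Reads the JSON plan representation (`terraform show -json tfplan`) and
reports write-only Spacelift environment variables that are scheduled for
a delete+create replacement with a null new value. Constructed sample
input is embedded so the script runs offline.
"""
import json
import sys

# Constructed sample of `terraform show -json` output, trimmed to the fields
# this check reads. The secret value is a placeholder, not real data.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "spacelift_environment_variable.my_secret",
            "type": "spacelift_environment_variable",
            "name": "my_secret",
            "change": {
                "actions": ["delete", "create"],   # -/+ replacement
                "before": {"name": "my_secret", "write_only": True,
                           "value": "PLACEHOLDER-SECRET-SET-IN-UI"},
                "after": {"name": "my_secret", "write_only": True, "value": None},
                "after_unknown": {"checksum": True, "id": True},
                "before_sensitive": {"value": True},
                "after_sensitive": {"value": True},
                "replace_paths": [["value"]],      # "forces replacement"
            },
        },
        {
            "address": "spacelift_environment_variable.region",
            "type": "spacelift_environment_variable",
            "name": "region",
            "change": {
                "actions": ["update"],             # in-place change, harmless
                "before": {"name": "region", "write_only": False, "value": "eu-west-1"},
                "after": {"name": "region", "write_only": False, "value": "eu-central-1"},
                "after_unknown": {},
                "before_sensitive": {},
                "after_sensitive": {},
                "replace_paths": [],
            },
        },
    ],
})


def is_replacement(actions):
    """Terraform encodes -/+ and +/- replacements as a delete and a create."""
    return "delete" in actions and "create" in actions


def find_secret_wipes(plan_json):
    """Return addresses of write-only variables the plan would recreate with value = null."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "spacelift_environment_variable":
            continue
        change = rc.get("change", {})
        if not is_replacement(change.get("actions", [])):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # The pattern from the issue: the variable is write-only, currently
        # holds a value (set via the UI), and the config would recreate it
        # with no value, destroying the secret.
        if before.get("write_only") and before.get("value") is not None \
                and after.get("value") is None:
            hits.append(rc["address"])
    return hits


def main(argv):
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN_JSON
    wipes = find_secret_wipes(plan_json)
    for address in wipes:
        print(f"REFUSING PLAN: {address} would be replaced with a null value; "
              f"add lifecycle {{ ignore_changes = [value] }} or set the value in code")
    return 1 if wipes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python guard.py plan.json` after `terraform show -json tfplan > plan.json`; with no argument it checks the embedded sample and exits 1 because `my_secret` matches. Note that the JSON plan carries sensitive `before`/`after` values in plaintext (the `before_sensitive` and `after_sensitive` maps only mark them), so the plan file itself must be handled as a secret in CI, not archived as a build artifact.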