terraform-provider-digitalocean

Terraform thinks there are changes due to comparing encrypted and plain environment variables for the app platform resources

Open snack-0verflow opened this issue 3 years ago • 1 comments

Bug Report


Describe the bug

The environment variable is a secret and will be encrypted; once applied, the encrypted value will always be different to the encrypted value, which will cause changes to occur with terraform plan.

I'm just curious, has anyone got a suggestion for this? (To avoid unchanged encrypted values causing changes, due to the comparison of the provided value and the applied value from DigitalOcean, as they encrypt it for you.)

Affected Resource(s)

  • digitalocean_app

Expected Behavior

No changes to environment vars, expect no changes to terraform plan

Actual Behavior

DigitalOcean can encrypt the value, which causes the value to be different from the unencrypted value provided. This results in terraform plan always thinking there are changes to the environment variables (ones I'm attaching to the service within the DigitalOcean app).

Steps to Reproduce

  • Create a terraform setup with 1 digitalocean_app with secret environment variables
  • execute terraform plan & terraform apply
  • execute terraform plan again (it will think you have changes)

Terraform Configuration Files

resource "digitalocean_app" "service" {
  spec {
    name   = "App"
    region = var.app.hosting.region
    service {
      env {
        key   = "DATABASE_HOST"
        value = var.app.database.cluster.host
        # SECRET values are encrypted by DigitalOcean once applied
        type  = "SECRET"
        scope = "RUN_AND_BUILD_TIME"
      }
    }
  }
}

Terraform version

Debug Output

Panic Output

Additional context

Important Factoids

References

snack-0verflow Aug 23 '22 13:08
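
A way to tell this spurious diff apart from a real one before applying, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan and reports whether each digitalocean_app update differs only in the value of SECRET env entries. The plan excerpt, its values and the function names are constructed, and comparing only the spec subtree is an assumption.

```python
import json

# Constructed excerpt of `terraform show -json <planfile>` output (not from the
# issue). "before" is what was read back from DigitalOcean, "after" is the config.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "digitalocean_app.service", "type": "digitalocean_app",
  "change": {"actions": ["update"],
   "before": {"spec": [{"name": "App", "service": [{"env": [
     {"key": "DATABASE_HOST", "type": "SECRET", "scope": "RUN_AND_BUILD_TIME",
      "value": "<ciphertext-placeholder>"}]}]}]},
   "after": {"spec": [{"name": "App", "service": [{"env": [
     {"key": "DATABASE_HOST", "type": "SECRET", "scope": "RUN_AND_BUILD_TIME",
      "value": "db.example.internal"}]}]}]}}},
 {"address": "digitalocean_app.other", "type": "digitalocean_app",
  "change": {"actions": ["update"],
   "before": {"spec": [{"name": "Other", "service": [{"env": [
     {"key": "LOG_LEVEL", "type": "GENERAL", "scope": "RUN_TIME", "value": "info"}]}]}]},
   "after": {"spec": [{"name": "Other", "service": [{"env": [
     {"key": "LOG_LEVEL", "type": "GENERAL", "scope": "RUN_TIME", "value": "debug"}]}]}]}}}
]}
""")

def mask_secret_env(node):
    """Copy a spec tree, blanking the value of every env entry of type SECRET."""
    if isinstance(node, list):
        items = [mask_secret_env(n) for n in node]
        # env entries may come back in a different order; compare them by key/scope
        if items and all(isinstance(i, dict) and "key" in i for i in items):
            items.sort(key=lambda i: (str(i["key"]), str(i.get("scope"))))
        return items
    if isinstance(node, dict):
        masked = {k: mask_secret_env(v) for k, v in node.items()}
        if masked.get("type") == "SECRET" and "key" in masked and "value" in masked:
            masked["value"] = None
        return masked
    return node

def classify_app_updates(plan):
    """Map each updated digitalocean_app address to 'secret-env-only' or 'real-change'."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "digitalocean_app" or change.get("actions") != ["update"]:
            continue
        before = mask_secret_env((change.get("before") or {}).get("spec"))
        after = mask_secret_env((change.get("after") or {}).get("spec"))
        verdicts[rc["address"]] = "secret-env-only" if before == after else "real-change"
    return verdicts
```

Any difference outside a SECRET env value, including a changed key, type or scope, is reported as a real change, so the check never hides an edit that needs review.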

We have the same behaviour when using Pulumi app deployments. Pulumi is using the terraform provider for doing these activities --> https://github.com/pulumi/pulumi-digitalocean/issues/308.

So it seems that this is the same bug.

driedel1987 Sep 13 '22 07:09

Yes, I'm also facing the same issue. It's really quite annoying, since it always takes quite a lot of time to re-apply a bunch of changes.

Are there any updates on this? @danaelhe

Tobjoern Sep 01 '23 06:09

+1, apps take a long time to deploy, and if you have many of them in your workspace it can add an unsustainable amount of time to every apply.

StanScates Sep 11 '23 04:09

@Tobjoern @StanScates Thank you for bubbling this back up. We've pushed up an example that offers a workaround in #1030.

We are aware this workaround adds a few more manual steps, but it should mitigate the issue enough until we find a better solution. Please feel free to offer feedback in that PR.

danaelhe Sep 12 '23 14:09

Thanks for publishing this workaround @danaelhe! It does appear to be working for me.

A few notes on my experience for others wishing to use this workaround:

  • Since I'm using Terraform Cloud I needed to set the extension on the variables file to .auto.tfvars for TF Cloud to pick up the variables.
  • The first time I ran the apply after implementing this workaround, the plan detected changes to the env vars which was concerning to me, but after running the apply, subsequent plans no longer detect them as changed. I verified that the values remain correct and unchanged on the DO side, despite them ostensibly having been changed by the initial workaround apply.

Thanks again 💯

StanScates Sep 13 '23 04:09