terraform-provider-bigip
bigip_ltm_profile_http encrypt_cookie_secret plan diffs
Environment
- TMOS/Bigip Version: 15.1.10.2
- Terraform Version: 1.4.6
- Terraform bigip provider Version: 1.21.0
Summary
When using encrypt_cookie_secret to encrypt cookies using an http profile the value passed differs from what is visible on appliances (due to secret hashing on the appliance). As a result, if you use this parameter your plans will always contain drift:
  ~ resource "bigip_ltm_profile_http" "http_profile" {
      ~ encrypt_cookie_secret = (sensitive value)
        id                    = "/Common/http_profile"
        name                  = "/Common/http_profile"
    }
Steps To Reproduce
1 - Create an http profile using the bigip_ltm_profile_http resource
2 - Provide values for the encrypt_cookies parameter (the list of cookies you would like to encrypt) and the encrypt_cookie_secret parameter (the passphrase to encrypt your cookies with)
3 - Run Terraform apply to deploy this resource to your appliance
4 - Run Terraform plan again to see drift between what is stored within Terraform state and what is present on the appliance
Expected Behavior
When using encrypt_cookie_secret you should not be seeing drift for every subsequent plan when no configuration has changed.
Actual Behavior
The value of encrypt_cookie_secret is set using plaintext and the value stored on the appliance is hashed. As a result, Terraform plan will always yield drift:
  ~ resource "bigip_ltm_profile_http" "http_profile" {
      ~ encrypt_cookie_secret = (sensitive value)
        id                    = "/Common/http_profile"
        name                  = "/Common/http_profile"
    }
Hi @edavie,
Since it's a sensitive entity idempotency will fail in the update call. Documentation will be updated.
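An added example, not part of the issue thread or the provider's code: a check over `terraform show -json` plan output that separates updates whose only changed attribute is encrypt_cookie_secret (the drift described in this issue) from updates that touch anything else. The plan document below is a constructed sample with placeholder values; a genuine secret rotation produces the same diff and is classified the same way.

```python
import json

RESOURCE_TYPE = "bigip_ltm_profile_http"
SECRET_ATTR = "encrypt_cookie_secret"

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Real JSON plans carry sensitive values in plaintext, so treat them as secrets.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "bigip_ltm_profile_http.http_profile", "type": RESOURCE_TYPE,
     "change": {"actions": ["update"],
                "before": {"name": "/Common/http_profile",
                           SECRET_ATTR: "<hashed-on-appliance>"},
                "after": {"name": "/Common/http_profile",
                          SECRET_ATTR: "<plaintext-from-config>"}}},
    {"address": "bigip_ltm_profile_http.other", "type": RESOURCE_TYPE,
     "change": {"actions": ["update"],
                "before": {"name": "/Common/other", "encrypt_cookies": ["a"],
                           SECRET_ATTR: "<hashed-on-appliance>"},
                "after": {"name": "/Common/other", "encrypt_cookies": ["a", "b"],
                          SECRET_ATTR: "<plaintext-from-config>"}}},
    {"address": "bigip_ltm_pool.p", "type": "bigip_ltm_pool",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]})


def changed_attrs(change):
    """Top-level attribute names whose planned value differs from the prior one."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}


def classify(plan_json):
    """Return (secret_only, other): resource addresses, never attribute values."""
    secret_only, other = [], []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        # Only an in-place update touching nothing but the secret counts as the
        # known drift; creates, deletes and mixed updates stay in `other`.
        known = (rc["type"] == RESOURCE_TYPE
                 and change["actions"] == ["update"]
                 and changed_attrs(change) == {SECRET_ATTR})
        (secret_only if known else other).append(rc["address"])
    return secret_only, other


if __name__ == "__main__":
    print(classify(SAMPLE_PLAN))
```

Anything in the second list is a change that still needs review; the first list is the recurring secret diff, which a reviewer can acknowledge without reading the plaintext value.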