terraform-provider-cloudflare
secret_text_bindings on cloudflare_worker_script are not removed from the worker
Confirmation
- [X] My issue isn't already found on the issue tracker.
- [X] I have replicated my issue using the latest version of the provider and it is still present.
Terraform and Cloudflare provider version
Terraform v1.4.5 on darwin_arm64
cloudflare = {
  source  = "cloudflare/cloudflare"
  version = "~> 4.3.0"
}
Affected resource(s)
- cloudflare_worker_script (secret_text_bindings)
Terraform configuration files
FIRST RUN
resource "cloudflare_worker_script" "helloworld" {
  account_id         = var.cloudflare_account_id
  name               = "${var.environment}-helloworld"
  content            = file("functions/helloworld/index.js")
  compatibility_date = "2023-03-27"

  plain_text_binding {
    name = "PLAIN_1"
    text = "pt1"
  }
  plain_text_binding {
    name = "PLAIN_2"
    text = "pt2"
  }
  secret_text_binding {
    name = "secret_1"
    text = "secretOne"
  }
  secret_text_binding {
    name = "secret_2"
    text = "secretTwo"
  }
}
SECOND RUN
resource "cloudflare_worker_script" "helloworld" {
  account_id         = var.cloudflare_account_id
  name               = "${var.environment}-helloworld"
  content            = file("functions/helloworld/index.js")
  compatibility_date = "2023-03-27"

  plain_text_binding {
    name = "PLAIN_1"
    text = "pt1"
  }
  secret_text_binding {
    name = "secret_1"
    text = "secretOne"
  }
}
Link to debug output
https://gist.github.com/ecclesm/b513a3109a5723d8dfaff36822efb88f
Panic output
No response
Expected output
On each deploy, if an existing secret_text_binding is not included, terraform will remove it from the worker.
This expected behaviour is seen on a plain text binding.
Actual output
It looks like terraform recognises the binding needs to be removed, however the secret binding is still present on the worker after deploy.
For the below, the 4 bindings were created on the initial deploy. On the following deploy I removed the second of each type, but only the plain text binding was removed.
First Run
Second Run

Steps to reproduce
- Do an initial deployment with a secret text binding on the worker
- Remove the secret binding, deploy again and observe in the workers console that the secret binding is still present.
Additional factoids
No response
References
No response
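A post-apply check for the behaviour reported above, as an added example (not code from the issue or the provider): it compares the bindings that Terraform state declares with those the worker still carries and reports leftovers such as a secret that should have been removed. The state layout follows `terraform show -json`; the shape of the bindings listing (`result` entries with `name` and `type`), the block-to-type mapping, the resource address and all sample data are assumptions constructed for illustration.

```python
import json

# Terraform block name -> binding "type" in the bindings listing (assumed mapping).
BLOCK_TO_TYPE = {
    "plain_text_binding": "plain_text",
    "secret_text_binding": "secret_text",
}


def declared_bindings(state, address):
    """Return {(type, name)} declared for one worker in `terraform show -json` output."""
    for res in state["values"]["root_module"].get("resources", []):
        if res["address"] == address:
            return {
                (btype, b["name"])
                for block, btype in BLOCK_TO_TYPE.items()
                for b in res["values"].get(block) or []
            }
    raise KeyError(f"{address} not found in state")


def stale_bindings(state, address, live_response):
    """Bindings still present on the worker that the state no longer declares."""
    live = {
        (b["type"], b["name"])
        for b in live_response.get("result", [])
        if b["type"] in BLOCK_TO_TYPE.values()
    }
    return sorted(live - declared_bindings(state, address))


ADDRESS = "cloudflare_worker_script.helloworld"  # address from the issue's config

# Constructed sample: state after the SECOND RUN apply (secret values omitted).
STATE = json.loads("""{"values": {"root_module": {"resources": [{
  "address": "cloudflare_worker_script.helloworld",
  "values": {"plain_text_binding": [{"name": "PLAIN_1"}],
             "secret_text_binding": [{"name": "secret_1"}]}}]}}}""")

# Constructed sample: what the worker carries after the second deploy, per the report.
LIVE = {"result": [
    {"name": "PLAIN_1", "type": "plain_text"},
    {"name": "secret_1", "type": "secret_text"},
    {"name": "secret_2", "type": "secret_text"},
]}

if __name__ == "__main__":
    for btype, name in stale_bindings(STATE, ADDRESS, LIVE):
        print(f"stale {btype} binding still on worker: {name}")
```

Only binding names and types are compared, so the check never needs to read a secret's value.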
Is there any update with regards to this issue?
Also sad that 'ignore_changes' doesn't work. For example, if I set
lifecycle {
  ignore_changes = [
    secret_text_binding
  ]
}
I will get the error:
cloudflare_worker_script.main["test"]: Modifying... [id=hello_world2]
╷
│ Error: error updating worker script: Text for binding "SECRET" cannot be empty
│
│ with cloudflare_worker_script.main["test"],
│ on main.tf line 21, in resource "cloudflare_worker_script" "main":
│ 21: resource "cloudflare_worker_script" "main" {
This is because terraform can't read the secret value (because the API changed) and the function inside cloudflare-go failed - https://github.com/cloudflare/cloudflare-go/blob/5237e486f2a39aa4432b185af29e860fa30704f9/workers_bindings.go#L231