
cloudflare_access_identity_provider with google-apps marks secrets as unchanged when importing but wants to apply change anyway.

Open ronaldosaheki opened this issue 1 year ago • 4 comments

Confirmation

  • [X] My issue isn't already found on the issue tracker.
  • [X] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.5.7 on darwin_arm64

  • provider registry.terraform.io/cloudflare/cloudflare v4.25.0

Affected resource(s)

cloudflare_access_identity_provider

Terraform configuration files

resource "cloudflare_access_identity_provider" "google_apps" {
  account_id = var.account_id
  name       = "Google Workspace"
  type       = "google-apps"
  config {
    apps_domain   = "domain"
    client_id     = data.vault_generic_secret....data["client_id"]
    client_secret = data.vault_generic_secret....data["client_secret"]
    pkce_enabled  = true
  }
}

Link to debug output

too much sensitive info

Panic output

No response

Expected output

# cloudflare_access_identity_provider.google_apps will be imported
resource "cloudflare_access_identity_provider" "google_apps" {
        account_id = "<ACCT_ID>"
        id         = "<ID>"
        name       = "Google Workspace"
        type       = "google-apps"

      config {
            apps_domain                = "<DOMAIN>"
            attributes                 = []
            claims                     = []
            client_id                  = "<CLIENT_ID>"
          # Warning: this attribute value will be marked as sensitive and will not
          # display in UI output after applying this change. The value is unchanged.
          client_secret              = (sensitive value)
        }
}

Plan: 1 to import, 0 to add, 0 to change, 0 to destroy

Actual output

# cloudflare_access_identity_provider.google_apps will be updated in-place
~ resource "cloudflare_access_identity_provider" "google_apps" {
        account_id = "<ACCT_ID>"
        id         = "<ID>"
        name       = "Google Workspace"
        type       = "google-apps"

      ~ config {
            apps_domain                = "<DOMAIN>"
            attributes                 = []
            claims                     = []
            client_id                  = "<CLIENT_ID>"
          # Warning: this attribute value will be marked as sensitive and will not
          # display in UI output after applying this change. The value is unchanged.
          ~ client_secret              = (sensitive value)
        }
}
Plan: 1 to import, 0 to add, 1 to change, 0 to destroy

Steps to reproduce

  1. Create terraform resource
  2. Use import { id= .. to=.. } with the same settings
  3. Use terraform plan to check the import

Additional factoids

No response

References

No response

ronaldosaheki avatar Feb 22 '24 13:02 ronaldosaheki

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

github-actions[bot] avatar Feb 22 '24 13:02 github-actions[bot]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

github-actions[bot] avatar Feb 22 '24 13:02 github-actions[bot]

The client_id and client_secret are the same.

ronaldosaheki avatar Feb 22 '24 13:02 ronaldosaheki

Looks like this is expected behaviour, because according to comments in the provider code:

client_secret is a write-only operation from the Cloudflare API and once it's set, it is no longer accessible.

Nmishin avatar Feb 25 '24 00:02 Nmishin
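One common way to deal with a write-only attribute like this, as an added example that is not part of the issue or of the provider's own code or docs: keep the secret in configuration so it is sent on create, but tell Terraform to ignore the in-place change it can never verify because the API does not return the stored value. The import ID format, the `<ACCT_ID>`/`<ID>`/`<DOMAIN>` placeholders and the Vault data source name `google_apps` are assumptions; the suppression works only if the diff comes from the provider being unable to read the value back, as the comment above states.

```hcl
# Added example, not from the issue or the provider. All angle-bracket values
# and the Vault data source name "google_apps" are placeholders (assumptions).

import {
  # Assumed import ID layout; confirm against the provider docs for your version.
  id = "<ACCT_ID>/<ID>"
  to = cloudflare_access_identity_provider.google_apps
}

resource "cloudflare_access_identity_provider" "google_apps" {
  account_id = var.account_id
  name       = "Google Workspace"
  type       = "google-apps"

  config {
    apps_domain   = "<DOMAIN>"
    client_id     = data.vault_generic_secret.google_apps.data["client_id"]
    client_secret = data.vault_generic_secret.google_apps.data["client_secret"]
    pkce_enabled  = true
  }

  lifecycle {
    # The Cloudflare API never returns client_secret after it is set, so the
    # provider cannot confirm the stored value and plans "~ client_secret" on
    # every run. Ignoring the attribute removes that spurious change.
    # Trade-off: a secret rotated in Vault is no longer pushed automatically;
    # to rotate, temporarily drop this entry, apply, then restore it.
    ignore_changes = [config[0].client_secret]
  }
}
```

With this in place the plan after the import block should report 1 to import and 0 to change; rotating the secret becomes a deliberate step rather than a side effect of every apply.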

Marking this issue as stale due to 30 days of inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed. Maintainers can also remove the lifecycle/stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] avatar Mar 27 '24 00:03 github-actions[bot]

This issue was closed because it has been stalled for 7 days with no activity.

github-actions[bot] avatar Apr 03 '24 00:04 github-actions[bot]