
[Bug]: no drift detection for `connection_url` in resource `database_secret_backend_connection`

Open ghthor opened this issue 1 year ago • 0 comments

Terraform Core Version

1.6.3

Terraform Vault Provider Version

3.22.0

Vault Server Version

1.11.4

Affected Resource(s)

  • database_secret_backend_connection

Expected Behavior

If the connection_url is changed outside of Terraform, then terraform plan should detect this drift and show an in-place update of the resource.

Actual Behavior

terraform plan does NOT show an update, as it only compares the connection_url to what already exists within the state, not to the value read from Vault in the upstream resource.

https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_database_secret_backend_connection.go#L1006

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Please see the contents of this repository for a reproducible example environment complete with Vault/Postgres and the terraform configuration files.

https://github.com/ghthor/terraform-provider-vault-bugs/blob/main/database-backend-connection_url-drift-detection/main.tf

Steps to Reproduce

  1. create a vault_database_secret_backend_connection using terraform
  2. modify the connection_url out of band from terraform
  3. run terraform plan and notice no changes planned for the connection_url
  4. remove the resource from the terraform state with terraform state rm and then import it
  5. run terraform plan and notice that the connection_url doesn't match what is declared in the configuration

For a complete reproducible testing environment please see the following repository

https://github.com/ghthor/terraform-provider-vault-bugs/tree/main/database-backend-connection_url-drift-detection

Debug Output

No response

Panic Output

No response

Important Factoids

I believe this is directly caused by the following line in the provider, which checks whether the current state has a connection_url and, if it does, ignores the upstream response from Vault.

https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_database_secret_backend_connection.go#L1006

	// d is the Terraform state/plan for the resource; data is the response
	// from Vault's config read endpoint.
	if v, ok := d.GetOk(prefix + "connection_url"); ok {
		// connection_url is already set in state: keep the stored value and
		// never look at what Vault currently reports.
		result["connection_url"] = v.(string)
	} else {
		// Only a resource with no connection_url in state (e.g. freshly
		// imported) takes the value from Vault's response.
		if v, ok := data["connection_url"]; ok {
			result["connection_url"] = v.(string)
		}
	}

References

No response

Would you like to implement a fix?

Yes

ghthor, Nov 08 '23 11:11
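The masking behaviour described under Important Factoids, modelled as an added example that is neither the provider's code nor the reporter's. It mimics the quoted read logic with a small `stateView` type standing in for `schema.ResourceData.GetOk`, places a hypothetical alternative (`readConnectionURLPreferVault`, which trusts Vault's response and falls back to state only when the field is absent) beside it, and runs both through a constructed scenario: the state prefix `postgresql.0.`, both connection URLs and the helper names `detectDrift`/`DriftReport` are assumptions made for this illustration. The third call reproduces step 4 of the reproduction (empty state after `terraform state rm` and re-import), where even the original logic falls through to Vault's value.

```go
package main

import "fmt"

// stateView mimics the subset of schema.ResourceData the quoted snippet uses:
// GetOk returns the value currently in Terraform state and whether it is set.
// (Constructed stand-in for this example, not the SDK type.)
type stateView map[string]interface{}

func (s stateView) GetOk(key string) (interface{}, bool) {
	v, ok := s[key]
	if !ok {
		return nil, false
	}
	if str, isStr := v.(string); isStr && str == "" {
		return nil, false // the SDK treats the zero value as "not ok"
	}
	return v, true
}

// readConnectionURLPreferState reproduces the logic quoted from the provider:
// if state already holds a connection_url, the value Vault returns is ignored.
func readConnectionURLPreferState(d stateView, prefix string, data map[string]interface{}) string {
	if v, ok := d.GetOk(prefix + "connection_url"); ok {
		return v.(string)
	}
	if v, ok := data["connection_url"]; ok {
		return v.(string)
	}
	return ""
}

// readConnectionURLPreferVault is a hypothetical fix (not the project's):
// take the value Vault reports and fall back to state only when Vault omits it.
func readConnectionURLPreferVault(d stateView, prefix string, data map[string]interface{}) string {
	if v, ok := data["connection_url"]; ok {
		if s, isStr := v.(string); isStr && s != "" {
			return s
		}
	}
	if v, ok := d.GetOk(prefix + "connection_url"); ok {
		return v.(string)
	}
	return ""
}

// DriftReport records what the refresh settled on versus what configuration
// declares; plan diffs the refreshed state against configuration.
type DriftReport struct {
	Configured string
	Refreshed  string
	Drifted    bool
}

// detectDrift runs one read function with the given prior state and Vault
// response and reports whether plan would now see a change.
func detectDrift(read func(stateView, string, map[string]interface{}) string,
	configured, inState string, vaultResp map[string]interface{}) DriftReport {
	state := stateView{"postgresql.0.connection_url": inState}
	refreshed := read(state, "postgresql.0.", vaultResp)
	return DriftReport{Configured: configured, Refreshed: refreshed, Drifted: refreshed != configured}
}

func main() {
	// Constructed scenario: Terraform applied the first URL, then the host was
	// changed out of band; Vault now reports the second URL.
	configured := "postgresql://{{username}}:{{password}}@db-old.example.internal:5432/app"
	vaultResp := map[string]interface{}{
		"connection_url": "postgresql://{{username}}:{{password}}@db-new.example.internal:5432/app",
	}

	buggy := detectDrift(readConnectionURLPreferState, configured, configured, vaultResp)
	fixed := detectDrift(readConnectionURLPreferVault, configured, configured, vaultResp)
	fmt.Printf("prefer-state: refreshed=%q drifted=%v\n", buggy.Refreshed, buggy.Drifted)
	fmt.Printf("prefer-vault: refreshed=%q drifted=%v\n", fixed.Refreshed, fixed.Drifted)

	// After `terraform state rm` + `terraform import` there is no stored value,
	// so even the original logic reads Vault's value and the diff appears.
	imported := detectDrift(readConnectionURLPreferState, configured, "", vaultResp)
	fmt.Printf("after import: refreshed=%q drifted=%v\n", imported.Refreshed, imported.Drifted)
}
```

The point the model makes explicit is that the out-of-band change is invisible only while state already carries a connection_url; any path that clears state (step 4 of the reproduction) makes the same read function surface the drift, which is why the import trick in the report works.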