terraform-provider-vault

[Bug]: Permanent diff in vault_database_secret_backend_role when creation_statements contains whitespace

Open mark-at-nuna opened this issue 5 months ago • 0 comments

Terraform Core Version

1.12.2

Terraform Vault Provider Version

5.0.0

Vault Server Version

1.19.5

Affected Resource(s)

I have a vault_database_secret_backend_role with trailing whitespace in the creation statement.

Expected Behavior

The provider should probably ignore the trailing whitespace, or else return an error and force the user to fix it.

Actual Behavior

Every time I apply, I get the same plan diff:

  # vault_database_secret_backend_role.role will be updated in-place
  ~ resource "vault_database_secret_backend_role" "role" {
      ~ creation_statements   = [
          ~ "CREATE USER IF NOT EXISTS '{{name}}' IDENTIFIED BY '{{password}}'" -> "CREATE USER IF NOT EXISTS '{{name}}' IDENTIFIED BY '{{password}}' ",
        ]
        id                    = "db/mysql/roles/whatevz"
        name                  = "whatevz"
        # (8 unchanged attributes hidden)
    }

I can apply 5 times in a row and the diff never goes away. What I think is happening is that the server is silently truncating the whitespace, and then when Terraform refreshes, it appears to have changed.

Relevant Error/Panic Output Snippet


Terraform Configuration Files

resource "vault_database_secret_backend_connection" "mysql" {
  backend = vault_mount.mark_test.path
  name    = "mysql"

  mysql {
    username       = "root"
    password       = "insecure"
    connection_url = "{{username}}:{{password}}@tcp(mysql:3306)/"
  }
  allowed_roles = ["whatevz"]
}

resource "vault_database_secret_backend_role" "role" {
  backend             = vault_mount.mark_test.path
  name                = "whatevz"
  db_name             = vault_database_secret_backend_connection.mysql.name
  creation_statements = ["CREATE USER IF NOT EXISTS '{{name}}' IDENTIFIED BY '{{password}}' "]
}

This requires having a working MySQL server at hostname "mysql" and port 3306. Your environment may vary.

Steps to Reproduce

Create the above resources with "terraform apply" then run "terraform apply" again.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

mark-at-nuna, Jun 12 '25 13:06
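A plan-review check for the symptom reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON produced by `terraform show -json <planfile>` and flags `vault_database_secret_backend_role` updates whose `creation_statements` differ only by leading or trailing whitespace. The function name and the sample plan are constructed for illustration, and the second resource address in the sample is hypothetical.

```python
import json
import sys

ROLE_TYPE = "vault_database_secret_backend_role"
ATTR = "creation_statements"

def whitespace_only_drift(plan):
    """Return in-place role updates whose ATTR lists differ only by
    leading/trailing whitespace (the permanent diff from this issue)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        # Only pure in-place updates of the affected resource type.
        if rc.get("type") != ROLE_TYPE or change.get("actions") != ["update"]:
            continue
        before = (change.get("before") or {}).get(ATTR) or []
        after = (change.get("after") or {}).get(ATTR) or []
        same_when_trimmed = [s.strip() for s in before] == [s.strip() for s in after]
        if before != after and same_when_trimmed:
            # Report the exact strings that carry the padding.
            padded = [s for s in before + after if s != s.strip()]
            findings.append({"address": rc["address"], "padded": padded})
    return findings

# Constructed sample in the shape of `terraform show -json` output.
STMT = "CREATE USER IF NOT EXISTS '{{name}}' IDENTIFIED BY '{{password}}'"
SAMPLE_PLAN = {
    "resource_changes": [
        {   # The case from the issue: config has a trailing space.
            "address": "vault_database_secret_backend_role.role",
            "type": ROLE_TYPE,
            "change": {"actions": ["update"],
                       "before": {ATTR: [STMT]},
                       "after": {ATTR: [STMT + " "]}},
        },
        {   # Hypothetical role with a real statement change: not flagged.
            "address": "vault_database_secret_backend_role.other",
            "type": ROLE_TYPE,
            "change": {"actions": ["update"],
                       "before": {ATTR: ["CREATE USER '{{name}}'"]},
                       "after": {ATTR: [STMT]}},
        },
    ]
}

if __name__ == "__main__":
    # Pass a plan JSON file as argv[1], or run on the constructed sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = whitespace_only_drift(plan)
    print(json.dumps(results, indent=2))
    sys.exit(1 if results else 0)
```

A non-zero exit lets a pipeline stop on the padded statement so it can be trimmed in the configuration before review.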