terraform-provider-github

[BUG]: v6.7.5 destroy_on_drift forces all github_actions_secret resources to be recreated

Open jrobison-sb opened this issue 1 month ago • 2 comments

Expected Behavior

We have been using github_actions_secret resources for a long time, and we haven't introduced drift by changing these secrets outside of Terraform. We expect to be able to upgrade to the newest provider version without any terraform plan diffs and without recreating all our secrets.

Actual Behavior

When dependabot proposes an upgrade to 6.7.5, the terraform plan diffs show that all github_actions_secret resources will be recreated due to + destroy_on_drift = true # forces replacement.

And note that this happens with 100% of our github_actions_secret resources, of which we have 47 total. If it was only one or two I might suspect that we actually had configuration drift, but when it's 100% of the resources, I don't suspect actual drift.

Terraform Version

$ terraform version
Terraform v1.13.3
on darwin_arm64
+ provider registry.terraform.io/integrations/github v6.7.5

Affected Resource(s)

  • github_actions_secret

Terraform Configuration Files

resource "github_actions_secret" "datadog_api_key" {
  for_each = toset([
    "some_repo",
  ])
  repository      = each.key
  secret_name     = "DD_API_KEY"
  plaintext_value = data.aws_kms_secrets.datadog.plaintext["api_key"]
}

Steps to Reproduce

  1. Create a resource like the above using provider version 6.7.0 (or earlier). It will be created as expected.
  2. Run a terraform plan and see that there are no diffs, which is also as expected.
  3. Upgrade to v6.7.5.
  4. Run a terraform plan and see that your secret will be recreated.

-/+ resource "github_actions_secret" "datadog_api_key" {
      ~ created_at       = "2024-07-08 20:10:17 +0000 UTC" -> (known after apply)
      + destroy_on_drift = true # forces replacement
      ~ id               = "some_repo:DD_API_KEY" -> (known after apply)
      ~ updated_at       = "2024-07-08 20:10:17 +0000 UTC" -> (known after apply)
        # (4 unchanged attributes hidden)
    }

jrobison-sb, Nov 06 '25 14:11

Still seeing this on v6.8.3

evanrappe, Nov 18 '25 14:11

Still seeing this on github_actions_organization_secret with v6.9.0

lra, Dec 08 '25 11:12
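
A pre-apply check for the behaviour reported in this thread, as an added example that is not part of the issue or the provider's code: it reads the JSON form of a saved plan and lists every github_actions_secret or github_actions_organization_secret that would be replaced because of destroy_on_drift, so a provider-upgrade pipeline can stop before the secrets are recreated. It assumes the attribute appears in the plan's replace_paths field; the sample plan, the _rc helper and the npm_token and docs names are constructed for illustration.

```python
import json
import sys

# Resource types reported in this thread.
SECRET_TYPES = {"github_actions_secret", "github_actions_organization_secret"}

def forced_secret_replacements(plan, attribute="destroy_on_drift"):
    """Addresses of secret resources that the plan replaces because of `attribute`."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # A replacement carries both actions, in either order.
        is_replace = set(change.get("actions", [])) == {"delete", "create"}
        if rc.get("type") not in SECRET_TYPES or not is_replace:
            continue
        # replace_paths lists the attribute paths that forced the replacement
        # (assumption: destroy_on_drift is reported there as a top-level path).
        paths = change.get("replace_paths") or []
        if any(p and p[0] == attribute for p in paths):
            flagged.append(rc["address"])
    return sorted(flagged)

def _rc(address, rtype, actions, replace_paths=None):
    """Hypothetical helper: one constructed resource_changes entry, values omitted."""
    change = {"actions": actions, "replace_paths": replace_paths or []}
    return {"address": address, "type": rtype, "change": change}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [
    _rc('github_actions_secret.datadog_api_key["some_repo"]',
        "github_actions_secret", ["delete", "create"], [["destroy_on_drift"]]),
    _rc("github_actions_organization_secret.npm_token",
        "github_actions_organization_secret", ["create", "delete"], [["destroy_on_drift"]]),
    # Replaced for a different reason: not the symptom from this issue.
    _rc("github_actions_secret.rotated", "github_actions_secret",
        ["delete", "create"], [["plaintext_value"]]),
    _rc("github_repository.docs", "github_repository", ["update"]),
    _rc("github_actions_secret.unchanged", "github_actions_secret", ["no-op"]),
]}

if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = forced_secret_replacements(plan)
    for address in hits:
        print(f"forced replacement via destroy_on_drift: {address}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI step
```

`terraform show -json` prints sensitive values in plain text, so handle plan.json with the same care as the secrets and delete it after the check.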