[Bug]: vault_kv_secret (v1) doesn't refresh `data_json` and doesn't detect drift
joey-squid opened this issue · comments
Joey Marianer commented
Terraform Core Version
v1.6.2, v1.7.3
Terraform Vault Provider Version
v3.25.0
Vault Server Version
v1.15.5 (on HCP)
Affected Resource(s)
vault_kv_secret
Expected Behavior
Expected the change to be detected as drift and a plan to be in place to correct it back to `joey1`.
Actual Behavior
vault_kv_secret.test_secrets: Refreshing state... [id=joey/supersecret]
No changes. Your infrastructure matches the configuration.
I have also provided the full output of `terraform state pull` as a snippet, below. Note the discrepancy between `data` and `data_json`.
Relevant Error/Panic Output Snippet
{
  "version": 4,
  "terraform_version": "1.7.3",
  "serial": 4,
  "lineage": "83627fd8-5369-2b3a-747b-1500de8377de",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "vault_kv_secret",
      "name": "test_secrets",
      "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "data": {
              "value": "joey2"
            },
            "data_json": "{\"value\":\"joey1\"}",
            "id": "joey/supersecret",
            "namespace": null,
            "path": "joey/supersecret"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ],
  "check_results": null
}
Terraform Configuration Files
provider "vault" {
  address = "REDACTED"
  namespace = "admin"
}

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}
Steps to Reproduce
Created a resource:
resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}
Ran Terraform, then changed the secret to `joey2` in the Vault UI. Ran `terraform refresh`, then `terraform plan`.
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
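The `data` / `data_json` discrepancy reported above can be checked for across a whole state file. The following is an added example, not part of the original issue or the provider's code: it scans `terraform state pull` output for `vault_kv_secret` instances whose refreshed `data` no longer matches the stored `data_json`. The function names and the embedded sample are constructed for illustration, and the handling of non-string values rests on the assumption stated in the comment.

```python
import json

# Constructed sample, trimmed from the `terraform state pull` output in the issue.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [{
    "mode": "managed", "type": "vault_kv_secret", "name": "test_secrets",
    "instances": [{"attributes": {
        "data": {"value": "joey2"},
        "data_json": "{\"value\":\"joey1\"}",
        "path": "joey/supersecret",
    }}],
}]})


def _same(refreshed, configured):
    # Assumption: `data` is a map of strings, so a non-string value read from
    # Vault sits there as JSON text and is decoded before comparing.
    if isinstance(configured, str):
        return refreshed == configured
    try:
        return json.loads(refreshed) == configured
    except (TypeError, ValueError):
        return False


def find_stale_kv_secrets(state_text):
    """Return (address, path, differing_keys) for each vault_kv_secret instance
    whose refreshed `data` disagrees with the stored `data_json`.
    Only key names are reported, never secret values."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "vault_kv_secret":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            live = attrs.get("data") or {}
            try:
                wanted = json.loads(attrs.get("data_json") or "{}")
            except ValueError:
                wanted = None
            if not isinstance(wanted, dict):
                keys = ["<data_json is not a JSON object>"]
            else:
                keys = sorted(k for k in live.keys() | wanted.keys()
                              if k not in live or k not in wanted
                              or not _same(live[k], wanted[k]))
            if keys:
                findings.append((f"{res['type']}.{res['name']}", attrs.get("path"), keys))
    return findings


if __name__ == "__main__":
    print(find_stale_kv_secrets(SAMPLE_STATE))
```

Run it after `terraform refresh`; a non-empty result on an affected provider version means a secret was changed outside Terraform even though `terraform plan` reports no changes.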
Joey Marianer commented
I'm no expert but I think this might be as simple as the following patch:
diff --git a/vault/resource_kv_secret.go b/vault/resource_kv_secret.go
index 0d666d6f..1e10c6b2 100644
--- a/vault/resource_kv_secret.go
+++ b/vault/resource_kv_secret.go
@@ -108,6 +108,15 @@ func kvSecretRead(_ context.Context, d *schema.ResourceData, meta interface{}) d
return diag.FromErr(err)
}
+ jsonData, err := json.Marshal(data)
+ if err != nil {
+ return diag.Errorf("error marshaling JSON for %q: %s", path, err)
+ }
+
+ if err := d.Set(consts.FieldDataJSON, string(jsonData)); err != nil {
+ return diag.FromErr(err)
+ }
+
return nil
}
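Review bot: the string produced by json.Marshal(data) in the added block is stored in data_json as-is, so a clean plan afterwards depends on the attribute being compared as JSON rather than byte-for-byte. If data is a map, json.Marshal emits compact output with sorted keys, which matches the single-key jsonencode example in the report but may not match a configuration that writes data_json with different spacing or key order; confirm the schema for this field treats equivalent JSON as equal, otherwise this read could introduce a permanent diff. The diff touches only resource_kv_secret.go, so it would also help to add an acceptance test that changes the secret out of band and asserts that the next plan is non-empty.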
John-Michael Faircloth commented
Closed by #2207