hashicorp / terraform-provider-vault

Terraform Vault provider

Home Page:https://www.terraform.io/docs/providers/vault/


[Bug]: vault_kv_secret (v1) doesn't refresh `data_json` and doesn't detect drift

joey-squid opened this issue · comments

Terraform Core Version

v1.6.2, v1.7.3

Terraform Vault Provider Version

v3.25.0

Vault Server Version

v1.15.5 (on HCP)

Affected Resource(s)

vault_kv_secret

Expected Behavior

Expected the change to be detected as drift and a plan to be in place to correct it back to joey1.

Actual Behavior

vault_kv_secret.test_secrets: Refreshing state... [id=joey/supersecret]

No changes. Your infrastructure matches the configuration.

I have also provided the full output of terraform state pull as a snippet, below. Note the discrepancy between data and data_json.

Relevant Error/Panic Output Snippet

{
  "version": 4,
  "terraform_version": "1.7.3",
  "serial": 4,
  "lineage": "83627fd8-5369-2b3a-747b-1500de8377de",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "vault_kv_secret",
      "name": "test_secrets",
      "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "data": {
              "value": "joey2"
            },
            "data_json": "{\"value\":\"joey1\"}",
            "id": "joey/supersecret",
            "namespace": null,
            "path": "joey/supersecret"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ],
  "check_results": null
}

Terraform Configuration Files

provider "vault" {
  address   = "REDACTED"
  namespace = "admin"
}

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}

Steps to Reproduce

Created a resource:

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}

Ran Terraform, then changed the secret to joey2 in the Vault UI. Ran terraform refresh, then terraform plan.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
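The state snippet above shows the heart of the report: `data` already holds the out-of-band value (`joey2`) while `data_json` still carries the configured value (`joey1`), so a plan that only compares `data_json` sees no drift. As an added illustration, not code from this issue or from the provider itself, the Go program below models what a Read step has to do for drift to surface: serialize the secret read back from Vault into the same canonical JSON form as the configured `data_json`, then compare the two. It also shows the caveat that makes this non-trivial: plain `json.Marshal` HTML-escapes `&`, `<` and `>`, which Terraform's `jsonencode` does not, so a naive byte comparison would report drift on a secret that has not changed. The function names (`normalizeJSON`, `readBackDataJSON`, `driftDetected`) and all sample values are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: data_json as Terraform's jsonencode emits it
// (compact, keys sorted, no HTML escaping).
const configuredDataJSON = `{"note":"a&b","value":"joey1"}`

// encodeCanonical serializes v with object keys sorted (encoding/json sorts
// map keys), no whitespace and no HTML escaping, so "&" stays "&" rather
// than becoming "\u0026".
func encodeCanonical(v interface{}) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return "", err
	}
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// normalizeJSON parses an arbitrary JSON document (whatever spacing or key
// order the author used) and re-emits it in canonical form. UseNumber keeps
// numeric literals exactly as written instead of round-tripping via float64.
func normalizeJSON(raw string) (string, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.UseNumber()
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return "", err
	}
	return encodeCanonical(v)
}

// readBackDataJSON plays the role of the provider's Read step: it takes the
// secret payload returned by Vault (a generic map) and produces the string
// that belongs in the state's data_json attribute.
func readBackDataJSON(secret map[string]interface{}) (string, error) {
	return encodeCanonical(secret)
}

// driftDetected reports whether the secret currently in Vault differs from
// the configured data_json once both sides are in canonical form, i.e. a
// real out-of-band change rather than an encoding artifact.
func driftDetected(configured string, secret map[string]interface{}) (bool, error) {
	want, err := normalizeJSON(configured)
	if err != nil {
		return false, fmt.Errorf("configured data_json is not valid JSON: %w", err)
	}
	got, err := readBackDataJSON(secret)
	if err != nil {
		return false, err
	}
	return want != got, nil
}

func main() {
	// The secret as applied, and after someone edited "value" in the Vault UI.
	unchanged := map[string]interface{}{"note": "a&b", "value": "joey1"}
	edited := map[string]interface{}{"note": "a&b", "value": "joey2"}
	for _, s := range []map[string]interface{}{unchanged, edited} {
		drift, err := driftDetected(configuredDataJSON, s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("drift=%v secret=%v\n", drift, s)
	}
	// Contrast: json.Marshal escapes "&", so byte-comparing its output to the
	// configured string flags drift even for the unchanged secret.
	naive, _ := json.Marshal(unchanged)
	fmt.Printf("json.Marshal gives %s (byte-equal to config: %v)\n",
		naive, string(naive) == configuredDataJSON)
}
```

Running it prints `drift=false` for the untouched secret and `drift=true` for the edited one, while the last line shows `json.Marshal` producing `a\u0026b`, which is why the read-back value must be normalized (or the attribute given a diff-suppress rule) before it is compared with the configured string.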

I'm no expert but I think this might be as simple as the following patch:

diff --git a/vault/resource_kv_secret.go b/vault/resource_kv_secret.go
index 0d666d6f..1e10c6b2 100644
--- a/vault/resource_kv_secret.go
+++ b/vault/resource_kv_secret.go
@@ -108,6 +108,15 @@ func kvSecretRead(_ context.Context, d *schema.ResourceData, meta interface{}) d
 		return diag.FromErr(err)
 	}
 
+	jsonData, err := json.Marshal(data)
+	if err != nil {
+		return diag.Errorf("error marshaling JSON for %q: %s", path, err)
+	}
+
+	if err := d.Set(consts.FieldDataJSON, string(jsonData)); err != nil {
+		return diag.FromErr(err)
+	}
+
 	return nil
 }
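Review bot: `jsonData, err := json.Marshal(data)` writes Go's default encoding into `data_json`, and `json.Marshal` HTML-escapes `&`, `<` and `>` (as `\u0026` etc.), which Terraform's `jsonencode` does not, so a secret containing such characters would show a permanent plan diff after refresh even when Vault still holds the configured value. Suggest encoding with a `json.Encoder` and `SetEscapeHTML(false)` (trimming the trailing newline), or adding a `DiffSuppressFunc` on `consts.FieldDataJSON` that compares the two strings after unmarshalling, so only real out-of-band changes surface as drift. The hunk also assumes `data` is the decoded secret payload read from Vault and that `encoding/json` is already imported in this file; neither is visible in the context lines, so both should be confirmed before merging.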