How to have an Terraform resource attribute which requires only during create but not in the response

Hi Team,

Need your help on the provider development using the plugin framework. I’m trying to set up a schema in the resource.go file. I set up an attribute which is required only during create as it is a sensitive attribute and it won’t be present in the response which is causing the below error. I tried multiple ways to accommodate like keeping the required:true ; optional:true and computed:true ; sensitive:true etc…nothing worked. I got below error

2024-04-27T15:09:36.989+0530 [ERROR] vertex “xxxx.cred” error: Provider produced inconsistent result after apply ╷ │ Error: Provider produced inconsistent result after apply │ │ When applying changes to xxxx.cred, provider │ "provider[""]" produced an unexpected new value: │ .secret_key: inconsistent values for sensitive attribute.
Basically I need to handle an attribute required only during create but shouldn’t be present in the response which needs to be solved.

Hi @harashee,

The terraform managed resource lifecycle requires that all configured attributes remain consistent throughout all operations. If you attempt to remove the attribute only from the response, it would cause an inconsistency in the configuration when the resource object changes between plan and apply, which could then result in downstream errors within other managed resources which may reference the resource in question.

The value not being returned by the API doesn’t change Terraform’s expectation that you’ll handle it correctly in Read() and Update().

In the case of Read(), copy the value from the prior state into the object you use with resp.State.Set()

In the case of Update(), copy the value from the plan into the object you use with resp.State.Set().

You won’t be able to do drift detection/correction, but Terraform should run without error.

Thanks for your response. Yes I get that inconsistency issue. However our API is designed in such a way that sensitive attributes which are sent as part of request payload won’t be returned in the same GET response as a plain text. In this case, how can I handle in Terraform resource create() and read() functions where I get the response and update the plan/state accordingly. I tried to skip the attribute while updating and setting in plan structure and state structure OR if I try to add empty string “” like this without removing from response (not the right way as I’m changing the actual response by adding this attribute which is actually not present in the response). How to handle this case?