Override diffing when dealing with encrypted data

First time I’m creating a custom provider so I’m sorry if this is a silly question to ask. One of the resources is taking a Kubernetes secret and encrypting it as a sealed secret then pushing it to a Git repository.

I have noticed an issue with the Terraform diffing of this value. In the ReadContext func I’m grabbing the requested resource from Git and then setting the value using the Set func from ResourceData. The problem is that this value is encrypted in Git and comparing it with the current value in the main.tf will always trigger an update since that value is in cleartext.

I have tried using the CustomizeDiff in the schema.Resource, but I have not been able to get it working the way I want it to.

One way to solve this is to override the Terraform diffing by encrypting the value in main.tf and comparing it with the value stored in Git.
Is this possible, or have I misunderstood the problem?

Hi @akselleirv,

Often in situations like this a provider would be written to just ignore the remote value in ReadContext, because it seems like your target system intends for this to be a write-only value, or at least that it can’t be read back by the same process that wrote it.

In that case, you’ll still be able to detect whether the configuration changed in a future plan (because your state will record the last known cleartext) but you won’t be able to detect “drift” if someone changes the value outside of Terraform. That’s a compromise we typically need to make for write-only values: there are various existing examples of this in other providers, ideally documented as part of the resource type reference docs.

If you do want to read it back in ReadContext, I think you’d need to decrypt the data and write that result into the attribute, so that it can potentially match with what’s written in the configuration.
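To make the trade-off described in this reply concrete, here is an added example that is not code from this thread, from the original poster's provider, or from the Terraform plugin SDK. It models the two read strategies with plain Go maps standing in for schema.ResourceData and for the Git repository; the attribute names, the seal function (a hash, so the provider cannot reverse it), and the sample values are all assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Attribute names for the hypothetical resource; these are assumptions for the
// example, not the original poster's schema.
const (
	attrName  = "name"  // identifier of the secret in the Git repository
	attrValue = "value" // cleartext secret as written in the configuration
)

// resourceData models only what this example needs from schema.ResourceData:
// attribute values keyed by attribute name.
type resourceData map[string]string

// remoteStore stands in for the Git repository, which holds only the sealed
// (encrypted) form of each secret, keyed by name.
type remoteStore map[string]string

// seal stands in for sealed-secrets encryption. A hash is used so that, as from
// the provider's point of view, the result cannot be turned back into cleartext.
func seal(cleartext string) string {
	sum := sha256.Sum256([]byte(cleartext))
	return "sealed:" + hex.EncodeToString(sum[:])
}

func cloneData(in resourceData) resourceData {
	out := make(resourceData, len(in))
	for k, v := range in {
		out[k] = v
	}
	return out
}

// create pushes the sealed value to the remote and records the configuration,
// cleartext included, in state.
func create(remote remoteStore, cfg resourceData) resourceData {
	remote[cfg[attrName]] = seal(cfg[attrValue])
	return cloneData(cfg)
}

// readNaive is the behaviour described in the question: the read copies the
// remote (encrypted) value into the attribute, so it never matches the
// cleartext in configuration and every plan shows an update.
func readNaive(remote remoteStore, state resourceData) (resourceData, bool) {
	ciphertext, ok := remote[state[attrName]]
	if !ok {
		return nil, false // gone remotely: drop from state
	}
	refreshed := cloneData(state)
	refreshed[attrValue] = ciphertext
	return refreshed, true
}

// readWriteOnly is the compromise from the reply: confirm the resource still
// exists and refresh whatever is readable, but leave the write-only attribute
// at the last known cleartext recorded in state.
func readWriteOnly(remote remoteStore, state resourceData) (resourceData, bool) {
	if _, ok := remote[state[attrName]]; !ok {
		return nil, false // gone remotely: drop from state
	}
	refreshed := cloneData(state)
	// attrValue is intentionally not overwritten from the remote.
	return refreshed, true
}

// plan lists the attributes whose configured value differs from refreshed
// state, i.e. the attributes Terraform would report as changing.
func plan(cfg, state resourceData) []string {
	var changed []string
	for k, want := range cfg {
		if state[k] != want {
			changed = append(changed, k)
		}
	}
	sort.Strings(changed)
	return changed
}

func main() {
	remote := remoteStore{}
	// Constructed sample configuration.
	cfg := resourceData{attrName: "db-password", attrValue: "hunter2"}
	state := create(remote, cfg)

	naive, _ := readNaive(remote, state)
	fmt.Println("naive read, unchanged config:", plan(cfg, naive)) // [value]: perpetual diff

	wo, _ := readWriteOnly(remote, state)
	fmt.Println("write-only read, unchanged config:", plan(cfg, wo)) // []

	cfg2 := cloneData(cfg)
	cfg2[attrValue] = "correct-horse-battery-staple"
	fmt.Println("write-only read, config changed:", plan(cfg2, wo)) // [value]: detected

	remote["db-password"] = seal("changed-outside-terraform")
	wo2, _ := readWriteOnly(remote, state)
	fmt.Println("write-only read, remote changed:", plan(cfg, wo2)) // []: drift not detected
}
```

In a real SDKv2 provider the equivalent of readWriteOnly is a ReadContext that checks the remote object still exists, calls d.Set only for attributes that can be read back, and simply does not touch the write-only attribute, so its value in state stays whatever the last apply wrote. The last scenario is the cost of that choice: a change made directly in the repository produces no diff, and a deleted remote object is the only form of drift the read will notice.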

Hello @apparentlymart,

Thank you for your reply. I’m not sure if the sealed secret controller allows for extracting the private key. For now I’ll go for the write-only option.