creates an Azure KV secret which should take a value of this secret:
resource "azurerm_key_vault_secret" "key_vault_secret" {
  name         = "kv-secret"
  value        = azuread_application_password.client_service_principal_password.value
  key_vault_id = azurerm_key_vault.key_vault.id
}
Both the application secret and KV secret were not created by this run. App registration secret was imported (essentially it existed in App registration earlier) and I have access to it via the tf state. KV secret was created manually and imported to the state as well. When I run terraform plan, I can see that terraform wants to alter the value of the KV secret. The difference in secrets comes from the fact that the original app registration secret contains “\” (for the sake of example - “34rwfr\234r23,n”) and while the terraform copies its value to put it in the KV secret, it wants to put there a string reduced to one backslash: “34rwfr\234r23,n”.
Is there a way to block this behaviour?
Terraform version: Terraform v1.14.5
azurerm version: v4.56.0
Thanks for any hints!
Terraform doesn’t support single quotes instead of double around strings. So I think you’ll need either \\ or \\\\ for each single literal backslash inside a double-quoted string to avoid having a permadiff.
Hi, thanks for the reply!
I just saw I made a mistake in the example I put: it should be “34rwfr\\234r23,n” and terraform changes it to “34rwfr\234r23,n”, but seems like you got it right anyway.
So from what you say, there is no other resolution for it than putting the
in some conditional statement that checks if the value of the password has a \ and if it does, it should be changed to \ in the value copied to the KV?
I think we need a complete, reproducible example here to be sure we’re talking about the same thing. The \ escape character is only relevant in the serialized form of a value, i.e. when you write that value in the configuration literally, you must escape a \ within a quoted string as "\\". If you print out a value as a quoted string, and it contains a \, then that must be properly escaped as "\\". That does not mean the stored value has two backslashes, it’s just how unicode strings are commonly handled.
If you are referring to a resource’s attribute, Terraform will not change the string value, the series of utf8 characters will remain exactly the same. If you think you need to do this, it means there is a problem elsewhere, either a misunderstanding of what the true value actually is, a restriction in what characters are allowed in some other context, or a bug in the provider – and the usual culprit is the first of those.
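The distinction between the quoted form and the stored value, as an added example (not code from this thread or from Terraform). It decodes a constructed state fragment and compares the real characters by length, backslash count and digest, so the secret never has to be printed; the resource names follow the configuration above, and `observed` is an assumed stand-in for the value read back from the vault or the pod.

```python
import hashlib
import json

# Constructed sample: a trimmed Terraform state fragment as stored on disk.
# Inside JSON text, every literal backslash of a value is written as "\\".
STATE_TEXT = r'''
{"resources": [
  {"type": "azuread_application_password",
   "name": "client_service_principal_password",
   "instances": [{"attributes": {"value": "34rwfr\\234r23,n"}}]},
  {"type": "azurerm_key_vault_secret",
   "name": "key_vault_secret",
   "instances": [{"attributes": {"value": "34rwfr\\234r23,n"}}]}
]}
'''

def attribute(state, rtype, name, attr="value"):
    """Return the decoded attribute of a resource's first instance."""
    for res in state["resources"]:
        if res["type"] == rtype and res["name"] == name:
            return res["instances"][0]["attributes"][attr]
    raise KeyError(f"{rtype}.{name}")

def fingerprint(value):
    """Describe a secret without printing it."""
    return {
        "chars": len(value),
        "backslashes": value.count("\\"),                     # in the real value
        "quoted_backslashes": json.dumps(value).count("\\"),  # in quoted form
        "sha256": hashlib.sha256(value.encode("utf-8")).hexdigest()[:16],
    }

def compare(state_text, observed):
    """Compare both state values with the value a consumer reads back."""
    state = json.loads(state_text)
    app = attribute(state, "azuread_application_password",
                    "client_service_principal_password")
    kv = attribute(state, "azurerm_key_vault_secret", "key_vault_secret")
    return {
        "state_values_match": app == kv,
        "observed_matches_state": observed == app,
        "app": fingerprint(app),
        "observed": fingerprint(observed),
    }

if __name__ == "__main__":
    # Constructed "observed" value that lost its backslash somewhere downstream.
    print(json.dumps(compare(STATE_TEXT, "34rwfr234r23,n"), indent=2))
```

A `backslashes` count that is half of `quoted_backslashes` is expected and is not a difference; only a mismatch between the decoded values (or their digests) is.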
In the tfstate the secret value is exactly the same as in the azuread_application_password value that I can also read using the tfstate, but while looking in the KV secret in portal (and then also in the Kubernetes pod where this value is copied from the KV secret) the value is missing one backslash. This leads me to the conclusion that it is not a terraform issue but rather an azurerm problem.
Are you certain there actually is a problem, as in is there anything not working?
My interpretation of what you’re showing is that the azure portal is not escaping the \ in a standard way. The sequence \U typically indicates the start of a unicode escape sequence within a quoted string, and what is there is invalid in that context. Since it’s an invalid string, I would assume it’s just showing the raw characters, in which case it would match what is in the Terraform state.
There is a possibility that the provider or Azure service is incorrectly quoting/unquoting the data and losing a \ in translation, but I agree that this does not look like a Terraform problem.
Yes, after deeper investigation I agree - Terraform passes the string correctly and it is the Azure provider which then modifies it into a single backslash.