Terraform test fails when read-only attribute is present in resource configuration

Terraform
1

Hi, I am trying to create a unit test for a resouce that has a read-only attribute in its configuration. The test errors due to the read-only attribute, and the suggested solution is to remove the configuration line setting the value. However, this is not possible as it would change the underlying behaviour of the resource. How do I handle read-only attributes in the terraform test framework?

Below is the resource that I am creating:

resource "dbtcloud_global_connection" "this" {
  name                   = "snowflake-conn"
  oauth_configuration_id = data.azurerm_key_vault_secret.oauth_configuration_id.value
  snowflake = {
    account                   = "XXXXXX"
    database                  = var.snowflake_database
    role                      = var.snowflake_role
    warehouse                 = var.snowflake_warehouse
    client_session_keep_alive = true
  }
}

The test is:

mock_provider "dbtcloud" {}

mock_provider "azurerm" {
  mock_data "azurerm_key_vault" {
    defaults = {
      id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/key"
    }
  }
  mock_data "azurerm_key_vault_secret" {
    defaults = {
      value = "123"
    }
  }
}


variables {
  snowflake_account   = "XXXXXX"
  snowflake_database  = "my-db"
  snowflake_role      = "my-role"
  snowflake_warehouse = "my-wh"
}


 run "valid_configuration_of_dbtcloud_global_connection" {
   command = plan

   assert {
     condition     = startswith(dbtcloud_global_connection.this.snowflake.account, "XXXXXX") == true
     error_message = "The dbt cloud global connection must be connected to the right Snowflake account"
   }
 }

And it fails with the error

tests\main.tftest.hcl... in progress
  run "valid_configuration_of_dbtcloud_global_connection"... fail
β•·
β”‚ Error: Invalid Configuration for Read-Only Attribute
β”‚ 
β”‚   with dbtcloud_global_connection.this,
β”‚   on main.tf line 19, in resource "dbtcloud_global_connection" "this":
β”‚   19:   oauth_configuration_id = data.azurerm_key_vault_secret.oauth_configuration_id.value
β”‚ 
β”‚ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration
β”‚ line setting the value.
β”‚ 
β”‚ Refer to the provider documentation or contact the provider developers for additional information about
β”‚ configurable and read-only attributes that are supported.
β•΅
tests\main.tftest.hcl... tearing down
tests\main.tftest.hcl... fail

Failure! 0 passed, 1 failed.

If I remove the oauth_configuration_id attribute, the resource is created with oauth_configuration_id: null in the state, so oauth_configuration_id is both an optional parameter and a read-only parameter associated with the resource. Is this a bug from the provider, or is it a valid configuration of a terraform resource? If its the former, I can create an issue with the dbtcloud provider, or else I would highly appreciate any help on this case.

Cheers!

2

Hi @marialinea1,

If the provider has declared oauth_configuration_id as a computed, read-only attribute, you cannot assign a value to that in the configuration. If it’s something which should be set via configuration, then you would need to raise an issue with the provider.

3

Your test passes for me locally (with or without the command = plan – apply should work fine with the mock provider) with:

Terraform v1.11.0
on darwin_arm64
+ provider registry.terraform.io/dbt-labs/dbtcloud v0.3.24
+ provider registry.terraform.io/hashicorp/azurerm v4.21.1

% terraform test
test.tftest.hcl... in progress
  run "valid_configuration_of_dbtcloud_global_connection"... pass
test.tftest.hcl... tearing down
test.tftest.hcl... pass

Success! 1 passed, 0 failed.

I had to rough in the variables and some of the other supporting resources (just with fake data) to make that work, but this is what I had:

provider "dbtcloud" {
  account_id = "123456"
  token      = "faketoken"
}

data "azurerm_key_vault" "test" {
  name                = "secret-sauce"
  resource_group_name = "foo"
}

data "azurerm_key_vault_secret" "oauth_configuration_id" {
  name         = "secret-sauce"
  key_vault_id = data.azurerm_key_vault.test.id
}
4

I’m now running into a similar issue - in this case, Terraform is unhappy that the mock provider is returning a value for a write-only attribute.

Couldn’t find an existing issue, so filed one:

1 Like
5

Thanks for the clarification, @jbardin! Sounds like there might be a problem with how the resource is defined on the provider side, given that oauth_configuration_id is present as a read-only attribute and a configurable parameter for the resource given that I am able to create the resource with a specified value for oauth_configuration_id. I will inquire further with the provider.

6

Thanks for looking into the issue @wyardley ! I am still not sure how you managed to pass the test based on your first post. Hopefully the error is on the mock provider side as suggested in your issue.

7

I am not sure the read-only attribute issue is similar to / related to the w/o attribute though thanks to Liam for an insanely quick fix to that one!).

Does my little self-contained example with bogus values pass for you locally?

8

A crucial point that slipped my mind when creating my original post was to add the version of the dbt cloud provider. I was running 0.3.12. Upgrading to 0.3.24 (as mentioned in initial your post) solved the issue, and the test passed locally. Thanks again, I consider the issue resolved.