Terraform test fails when read-only attribute is present in resource configuration

Terraform
1

Hi, I am trying to create a unit test for a resouce that has a read-only attribute in its configuration. The test errors due to the read-only attribute, and the suggested solution is to remove the configuration line setting the value. However, this is not possible as it would change the underlying behaviour of the resource. How do I handle read-only attributes in the terraform test framework?

Below is the resource that I am creating:

resource "dbtcloud_global_connection" "this" {
  name                   = "snowflake-conn"
  oauth_configuration_id = data.azurerm_key_vault_secret.oauth_configuration_id.value
  snowflake = {
    account                   = "XXXXXX"
    database                  = var.snowflake_database
    role                      = var.snowflake_role
    warehouse                 = var.snowflake_warehouse
    client_session_keep_alive = true
  }
}

The test is:

mock_provider "dbtcloud" {}

mock_provider "azurerm" {
  mock_data "azurerm_key_vault" {
    defaults = {
      id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/key"
    }
  }
  mock_data "azurerm_key_vault_secret" {
    defaults = {
      value = "123"
    }
  }
}


variables {
  snowflake_account   = "XXXXXX"
  snowflake_database  = "my-db"
  snowflake_role      = "my-role"
  snowflake_warehouse = "my-wh"
}


 run "valid_configuration_of_dbtcloud_global_connection" {
   command = plan

   assert {
     condition     = startswith(dbtcloud_global_connection.this.snowflake.account, "XXXXXX") == true
     error_message = "The dbt cloud global connection must be connected to the right Snowflake account"
   }
 }

And it fails with the error

tests\main.tftest.hcl... in progress
  run "valid_configuration_of_dbtcloud_global_connection"... fail
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with dbtcloud_global_connection.this,
│   on main.tf line 19, in resource "dbtcloud_global_connection" "this":
│   19:   oauth_configuration_id = data.azurerm_key_vault_secret.oauth_configuration_id.value
│ 
│ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration
│ line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for additional information about
│ configurable and read-only attributes that are supported.
╵
tests\main.tftest.hcl... tearing down
tests\main.tftest.hcl... fail

Failure! 0 passed, 1 failed.

If I remove the oauth_configuration_id attribute, the resource is created with oauth_configuration_id: null in the state, so oauth_configuration_id is both an optional parameter and a read-only parameter associated with the resource. Is this a bug from the provider, or is it a valid configuration of a terraform resource? If its the former, I can create an issue with the dbtcloud provider, or else I would highly appreciate any help on this case.

Cheers!

2

Hi @marialinea1,

If the provider has declared oauth_configuration_id as a computed, read-only attribute, you cannot assign a value to that in the configuration. If it’s something which should be set via configuration, then you would need to raise an issue with the provider.

3

Your test passes for me locally (with or without the command = plan – apply should work fine with the mock provider) with:

Terraform v1.11.0
on darwin_arm64
+ provider registry.terraform.io/dbt-labs/dbtcloud v0.3.24
+ provider registry.terraform.io/hashicorp/azurerm v4.21.1

% terraform test
test.tftest.hcl... in progress
  run "valid_configuration_of_dbtcloud_global_connection"... pass
test.tftest.hcl... tearing down
test.tftest.hcl... pass

Success! 1 passed, 0 failed.

I had to rough in the variables and some of the other supporting resources (just with fake data) to make that work, but this is what I had:

provider "dbtcloud" {
  account_id = "123456"
  token      = "faketoken"
}

data "azurerm_key_vault" "test" {
  name                = "secret-sauce"
  resource_group_name = "foo"
}

data "azurerm_key_vault_secret" "oauth_configuration_id" {
  name         = "secret-sauce"
  key_vault_id = data.azurerm_key_vault.test.id
}