Using updated attributes during planning phase

magne · August 24, 2021, 12:04pm

I have a provider resource that retrieves login information from an azure keyvault secret data source. Somewhat like this:

data "azurerm_key_vault" "kv" {
  name                = "MyKeyVualt"
  resource_group_name = "My-RG"
}

data "azurerm_key_vault_secret" "mysecret" {
  name         = "my-secret"
  key_vault_id = data.azurerm_key_vault.kv
}

resource "my_provider" "my_resource" {
  username = "user"
  password = data.azurerm_key_vault_secret.mysecret.value
}

If we ignore for now that the azurerm_key_vault_secret data source will not read a new version of the secret; if the value of the data source changes, how can I access this new value in my provider’s password attribute during the planning phase? I’m currently getting the value stored in the terraform state, which is now invalid. Without the new password, I can’t log in to the backend and get the current values from the backend resource, and actually my provider now fails the read with an unauthorized error.

brettjacobson · August 26, 2021, 12:35pm

I’m now really worried about this; this feels like a serious design flaw if true. I’ve yet to do my own testing, as we have the exact same scenario (but for a private provider’s credentials), but I’d like a statement from HashiCorp on this.

magne · September 6, 2021, 8:21am

bump Does anyone in the know have any info on this?

paddy · September 9, 2021, 3:32pm

The way Terraform works, by my recollection, is to refresh the state first, including reading data sources, then generate a plan. So you should already be getting the latest value during plan. I think (I’m not sure, a Terraform core engineer would know more) that the graph can sometimes make this complicated–e.g., a data source depending on a computed value of a resource may have a different behavior–but I’d imagine that depending on another data source wouldn’t trigger that. I could be wrong, though. Even then, however, a practitioner should see “(value known after apply)” or whatever, not the old value. And I’m not sure what the SDK would surface during CustomizeDiff–I have some recollection that it may be a UUID, but I’m also suspicious that it may just be the empty value for that type. Could be wrong, though.

Are you trying to access the value in CustomizeDiff?

Topic		Replies	Views
Updating Key Vault Secret values and their dependent resources Azure	1	1368	December 8, 2022
Data source doesn't refresh contents while planning Terraform vault	2	347	June 8, 2022
Add subscription id parameter to azurerm_key_vault_secret Terraform	6	1036	April 15, 2020
Data Resource: Read computed value from state Plugin Development	6	1106	December 9, 2020
Is there a way in terraform to give users choice of authentication ( like password or keyvault... etc) at the input level? Terraform	0	333	June 16, 2020

Using updated attributes during planning phase

Related topics