Terraform secret value not updating

I am having trouble with a secret value update. If I recreate azurerm_windows_function_app with a new name, the new ID is not updated in the secret value. The secret still contains the old ID of the azurerm_windows_function_app.

resource "azurerm_windows_function_app" "function_app" {
  name                = "function-app"
  resource_group_name = azurerm_resource_group.xxxx.name
  location            = azurerm_resource_group.xxxx.location

  storage_account_name = azurerm_storage_account.xxx.name
  service_plan_id      = azurerm_service_plan.xxxx.id

  site_config {}
}

resource "azurerm_key_vault_secret" "function_app_id" {
  name         = "function-app-id"
  value        = azurerm_windows_function_app.function_app.id
  key_vault_id = var.vault_id
}


Solution 1:[1]

It's hard to say that it is a Terraform or AzureRM Provider's bug. This behavior is by design and I think it's very hard for HashiCorp to change that.

The Terraform workflow has two different stages: Plan and Apply. If you change the value of azurerm_key_vault_secret, it'll cause a re-creation and the id will change, but in the Plan stage Terraform cannot be aware of that, so the execution plan it generated won't realize that the content in your azurerm_function_app will change.

A rather simple sample is below:

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example"
  location = "East Asia"
}

resource "azurerm_key_vault" "example" {
  name                       = "example"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.client_id

    key_permissions = [
      "create",
      "get",
    ]

    secret_permissions = [
      "set",
      "get",
      "delete",
      "purge",
      "recover"
    ]
  }
}

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

resource "local_file" "output" {
  filename = "${path.module}/output.txt"
  content  = azurerm_key_vault_secret.example.id
}

In this case, if you change the value in azurerm_key_vault_secret, the output file's content won't change until the next time you run apply.

But there's a workaround:

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example"
  location = "East Asia"
}

resource "azurerm_key_vault" "example" {
  name                       = "example"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.client_id

    key_permissions = [
      "create",
      "get",
    ]

    secret_permissions = [
      "set",
      "get",
      "delete",
      "purge",
      "recover"
    ]
  }
}

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

resource "null_resource" "example" {
  triggers = {
    trigger = azurerm_key_vault_secret.example.value
  }
}

resource "local_file" "output" {
  filename = "${path.module}/output.txt"
  content  = null_resource.example.id != "" ? azurerm_key_vault_secret.example.id : ""
}

We can leverage null_resource, especially its triggers, to "notify" downstream resources that the id has been changed.

In this case, you will see an immediate "forces replacement" on local_file.
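The same null_resource trigger pattern applied to the question's own resources, as an added example that is not part of the question or the answer: the trigger follows the function app's id instead of a secret value, and the Key Vault secret's value expression references the null_resource so that a renamed (recreated) function app shows up as a secret update in the same plan. The azurerm_resource_group.xxxx, azurerm_storage_account.xxx and azurerm_service_plan.xxxx references are the question's placeholders and are assumed to exist elsewhere in the configuration, as is var.vault_id.

```hcl
# Added example, not code from the question or the answer. Placeholder
# references (xxxx / xxx) are the question's own and are assumed to be
# defined elsewhere in the same configuration.

resource "azurerm_windows_function_app" "function_app" {
  name                = "function-app"
  resource_group_name = azurerm_resource_group.xxxx.name
  location            = azurerm_resource_group.xxxx.location

  storage_account_name = azurerm_storage_account.xxx.name
  service_plan_id      = azurerm_service_plan.xxxx.id

  site_config {}
}

# The trigger is the function app's id. Renaming the app forces its
# replacement, the id changes, and this null_resource is replaced in the
# same plan instead of one apply later.
resource "null_resource" "function_app_id_changed" {
  triggers = {
    function_app_id = azurerm_windows_function_app.function_app.id
  }
}

# Referencing the null_resource's id inside the value expression makes the
# secret depend on that replacement, so the plan reports the secret update
# immediately. The conditional always selects the function app id; it exists
# only to create the dependency (the answer's local_file trick).
resource "azurerm_key_vault_secret" "function_app_id" {
  name         = "function-app-id"
  value        = null_resource.function_app_id_changed.id != "" ? azurerm_windows_function_app.function_app.id : ""
  key_vault_id = var.vault_id
}
```

One caveat worth checking after apply: changing the value of an azurerm_key_vault_secret creates a new secret version in Key Vault, and the previous version stays readable until it is disabled or purged. Any consumer that references the secret by a pinned version id will therefore keep reading the old function app id even after this configuration has updated the secret; reference the secret without a version to always receive the latest value.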

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 RajkumarMamidiChettu-MT