### Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
- Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
- If an issue is assigned to a user, that user is claiming responsibility for the issue.
- Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.
### Terraform Version & Provider Version(s)

```
Terraform v1.5.7
on linux_amd64
- Installing hashicorp/tls v4.0.6...
- Installed hashicorp/tls v4.0.6 (signed by HashiCorp)
- Installing hashicorp/aws v3.76.1...
- Installed hashicorp/aws v3.76.1 (signed by HashiCorp)
- Installing hashicorp/google v6.24.0...
- Installed hashicorp/google v6.24.0 (signed by HashiCorp)
```
### Affected Resource(s)

`google_secret_manager_secret`
### Terraform Configuration

```hcl
locals {
  name = "example"
}

module "kms" {
  source = "internal-module"
  keyring_config = {
    name     = "example"
    location = var.region
  }
  project_id = var.project_id
  keys = {
    temporal-test = {
      name            = local.name
      prevent_destroy = false
    }
  }
  labels = var.labels
}

resource "google_secret_manager_secret" "main" {
  for_each  = local.requests
  project   = var.project_id
  secret_id = "tls-${each.key}"
  labels    = var.labels
  replication {
    user_managed {
      replicas {
        location = var.region
        customer_managed_encryption {
          kms_key_name = module.kms.keys[local.name]["id"]
        }
      }
    }
  }
}

resource "google_secret_manager_secret_version" "main" {
  for_each = local.requests
  secret   = google_secret_manager_secret.main[each.key].id
  secret_data = jsonencode({
    <redacted>
  })
}
```
### Debug Output

After recently upgrading a workspace to use the latest version of the GCP provider, 6.24.0, and enabling default labels, I am getting a perpetual drift on a workspace for `google_secret_manager_secret`.
Example plan:
```
# module.example.google_secret_manager_secret.main["example-1"] will be updated in-place
~ resource "google_secret_manager_secret" "main" {
      id   = "projects/redacted/secrets/example-1"
      name = "projects/redacted/secrets/example-1"
      # (9 unchanged attributes hidden)
      # (1 unchanged block hidden)
  }
```
When I run my plan I get errors like the following:
```
2025-03-10T17:32:25.019Z [WARN] Provider "registry.terraform.io/hashicorp/google" produced an invalid plan for module.example.google_secret_manager_secret.main["example-1"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .labels: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .version_aliases: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .version_destroy_ttl: planned value cty.StringVal("") for a non-computed attribute
      - .annotations: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
2025-03-10T17:32:25.020Z [WARN] Provider "registry.terraform.io/hashicorp/google" produced an invalid plan for module.example.google_secret_manager_secret.main["example-2"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .labels: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .version_aliases: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .version_destroy_ttl: planned value cty.StringVal("") for a non-computed attribute
      - .annotations: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
2025-03-10T17:32:25.021Z [WARN] Provider "registry.terraform.io/hashicorp/google" produced an invalid plan for module.example.google_secret_manager_secret.main["example-3"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .labels: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .version_aliases: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .version_destroy_ttl: planned value cty.StringVal("") for a non-computed attribute
      - .annotations: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
```
Here is an example state object:
```
# module.example.google_secret_manager_secret.main["example-1"]:
resource "google_secret_manager_secret" "main" {
    annotations           = {}
    create_time           = "2024-07-29T18:31:54.533826Z"
    effective_annotations = {}
    effective_labels      = {
        "env" = "production"
        ...<redacted>
    }
    id                    = "projects/redacted/secrets/example-1"
    labels                = {
        "env" = "production"
        ...<redacted>
    }
    name                  = "projects/redacted/secrets/example-1"
    project               = "redacted"
    secret_id             = "example-1"
    terraform_labels      = {
        "env" = "production"
        ...<redacted>
    }
    version_aliases       = {}

    replication {
        user_managed {
            replicas {
                location = "us-east1"

                customer_managed_encryption {
                    kms_key_name = "projects/redacted/locations/us-east1/keyRings/example/cryptoKeys/example"
                }
            }
        }
    }
}
```
### Expected Behavior
Idempotent runs
### Actual Behavior
A perpetual drift
### Steps to reproduce
1. `terraform apply`
2. `terraform apply` again and see drifted resources.
### Important Factoids
_No response_
### References
_No response_