Description
Describe the bug
When managing an avi_certificatemanagementprofile resource, the script_params block repeatedly triggers in-place updates on sensitive parameters. Even though the configuration may not have changed, Terraform consistently detects that `<sensitive>` fields are replaced with the actual passwords. This discrepancy results in needless updates every time a plan is generated.
Likely related to #619 as the sensitive parameters are obfuscated in state when they probably should not be.
```json
{
  "is_dynamic": "false",
  "is_sensitive": "true",
  "name": "password",
  "value": "\u003csensitive\u003e"
},
{
  "is_dynamic": "false",
  "is_sensitive": "true",
  "name": "infoblox_password",
  "value": "\u003csensitive\u003e"
},
```
Reproduction steps
- Define an avi_certificatemanagementprofile resource in Terraform that includes one or more sensitive script parameters (e.g., password, infoblox_password).
- Provide values for these script parameters, which will be stored as `<sensitive>` in state.
- Run terraform apply to provision the resource.
- Run terraform plan again without altering the resource definition.
- Observe that Terraform reports changes for the same script parameters, showing `<sensitive>` replaced with the actual values, prompting an in-place update.
```hcl
terraform {
  required_providers {
    avi = {
      source  = "vmware/avi"
      version = "30.2.2"
    }
  }
}

provider "avi" {
  avi_username   = "USER"
  avi_password   = "PASSWORD"
  avi_controller = "avicontroller.contoso.com"
  avi_tenant     = "admin"
  avi_version    = "30.2.2"
}

resource "avi_alertscriptconfig" "acme" {
  # Contains the script to be run by the certificate management profile; could be the built-in Let's Encrypt one
  action_script = file("${path.module}/files/acme-infoblox.py")
  name          = "acme-infoblox"
}

resource "avi_certificatemanagementprofile" "venafi-infoblox" {
  name           = "venafi-infoblox"
  run_script_ref = avi_alertscriptconfig.acme.id

  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "user"
    value        = "AVI_USER"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "true"
    name         = "password"
    value        = "AVI_PASSWORD"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "dryrun"
    value        = "False"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "infoblox_username"
    value        = "INFOBLOX_USER"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "true"
    name         = "infoblox_password"
    value        = "INFOBLOX_PASSWORD"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "infoblox_host"
    value        = "infoblox.contoso.com"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "infoblox_wapi_version"
    value        = "2.0"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "infoblox_dns_view"
    value        = "Internal"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "directory_url"
    value        = "https://ACMEURL.contoso.com"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "contact"
    value        = "EMAIL"
  }
  script_params {
    is_dynamic   = "false"
    is_sensitive = "false"
    name         = "debug"
    value        = "false"
  }
}
```
Expected behavior
Terraform should recognize no actual difference if the password values remain the same as previously applied. The state should maintain the resource without forcing an update simply because the fields are treated as sensitive.
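The following Go program is an added illustration of the mechanism behind this report and of one way a provider can avoid it; it is not code from terraform-provider-avi. It models the resource's script_params as a slice, writes state two ways (the placeholder redaction the state excerpt above shows, and an assumed `sha256:` fingerprint convention), and runs a naive name-by-name diff over both. The parameter names and values are the placeholders from the configuration in this report; the `Fingerprint` scheme and the `sha256:` prefix are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SensitivePlaceholder is the marker the state excerpt above shows in place
// of sensitive values ("\u003csensitive\u003e" decodes to "<sensitive>").
const SensitivePlaceholder = "<sensitive>"

// fingerprintPrefix marks a state value that holds a digest of the secret
// rather than the secret itself (assumed convention, not the provider's).
const fingerprintPrefix = "sha256:"

// ScriptParam mirrors one script_params block of the resource.
type ScriptParam struct {
	Name        string
	Value       string
	IsSensitive bool
}

// ParamDiff is one parameter a plan would report as changed.
type ParamDiff struct {
	Name, Before, After string
}

// RedactForState models the behaviour in the report: sensitive values are
// replaced by the placeholder before the resource is written to state.
func RedactForState(config []ScriptParam) []ScriptParam {
	out := make([]ScriptParam, len(config))
	for i, p := range config {
		out[i] = p
		if p.IsSensitive {
			out[i].Value = SensitivePlaceholder
		}
	}
	return out
}

// Fingerprint returns a prefixed hex SHA-256 digest of a secret. Storing the
// digest lets a provider detect rotation without keeping cleartext in state.
func Fingerprint(value string) string {
	sum := sha256.Sum256([]byte(value))
	return fingerprintPrefix + hex.EncodeToString(sum[:])
}

// FingerprintForState is the alternative state encoding: sensitive values are
// stored as digests, non-sensitive values as-is.
func FingerprintForState(config []ScriptParam) []ScriptParam {
	out := make([]ScriptParam, len(config))
	for i, p := range config {
		out[i] = p
		if p.IsSensitive {
			out[i].Value = Fingerprint(p.Value)
		}
	}
	return out
}

// PlanDiffs compares config against prior state by parameter name the way a
// naive provider diff does: any difference in Value is a change. Against a
// redacted state the placeholder never equals the configured password, so
// every plan reports the in-place update described above.
func PlanDiffs(config, state []ScriptParam) []ParamDiff {
	prior := make(map[string]ScriptParam, len(state))
	for _, p := range state {
		prior[p.Name] = p
	}
	var diffs []ParamDiff
	for _, p := range config {
		old, ok := prior[p.Name]
		switch {
		case !ok:
			diffs = append(diffs, ParamDiff{p.Name, "", p.Value})
		case old.Value != p.Value:
			diffs = append(diffs, ParamDiff{p.Name, old.Value, p.Value})
		}
	}
	return diffs
}

// PlanDiffsFingerprinted normalises the config to the fingerprint encoding
// before diffing, so an unchanged secret yields no diff, a rotated secret
// still does, and the plan output never carries the cleartext value.
func PlanDiffsFingerprinted(config, state []ScriptParam) []ParamDiff {
	return PlanDiffs(FingerprintForState(config), state)
}

func main() {
	config := []ScriptParam{
		{Name: "user", Value: "AVI_USER"},
		{Name: "password", Value: "AVI_PASSWORD", IsSensitive: true},
	}
	fmt.Println("redacted state:     ", PlanDiffs(config, RedactForState(config)))
	fmt.Println("fingerprinted state:", PlanDiffsFingerprinted(config, FingerprintForState(config)))
}
```

A plain "ignore diffs on sensitive fields" suppression would also remove the noise, but it would hide a genuine password rotation; the digest comparison keeps rotation visible while keeping cleartext out of state. A state written by the redacting version would show one final diff when switching to the digest encoding, after which plans are quiet.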
Additional context
Environment:
- Terraform v1.8.0
- terraform-provider-avi v30.2.2
- AVI 30.2.2