
[Bug] PVSStreaming Machine Catalog: "inconsistent values for sensitive attribute" error on machine_domain_identity #321

@dimi4ik


## Describe the bug

When creating a PVS Machine Catalog with `provisioning_type = "PVSStreaming"` and `machine_domain_identity` using `service_account_id`, the provider fails after successful resource creation in Citrix Cloud with an inconsistent state error.

**Terraform command (import, apply, etc):** `terraform apply`
**Resource impacted:** `citrix_machine_catalog` with `provisioning_type = "PVSStreaming"`
**Issue reproducible outside of Terraform:** No - The Machine Catalog is created successfully in Citrix Cloud. The error occurs only in Terraform's state comparison.

### Expected Behavior

Creating a PVS Machine Catalog with `machine_domain_identity` using `service_account_id` should succeed and the state should be consistent.

### Actual Behavior

After ~11 minutes of resource creation (resource is created successfully in Citrix Cloud), Terraform fails with:

```
Error: Provider produced inconsistent result after apply

When applying changes to citrix_machine_catalog.pvs_mtsession,
provider "provider["registry.terraform.io/citrix/citrix"]" produced an
unexpected new value: .provisioning_scheme: inconsistent values for
sensitive attribute.

This is a bug in the provider, which should be reported in the provider's
own issue tracker.
```


## Versions

**Terraform:** 1.10.2
**citrix/citrix provider:** 1.0.30
**Operating system:** macOS Darwin 24.6.0

**Environment type:** Cloud (Citrix DaaS)
**Hypervisor type (if applicable):** Azure

## Terraform configuration files

```hcl
resource "citrix_machine_catalog" "pvs_mtsession" {
  name                        = "YOURPREFIX-PVS-MC-001"
  description                 = "PVS Multi-Session Machine Catalog - Terraform managed"
  zone                        = data.citrix_zone.main.id
  allocation_type             = "Random"
  session_support             = "MultiSession"
  provisioning_type           = "PVSStreaming"
  minimum_functional_level    = "L7_25"
  persist_user_changes        = "Discard"
  machine_catalog_folder_path = "YourFolder"

  provisioning_scheme {
    hypervisor               = module.hypervisor.id
    hypervisor_resource_pool = module.hypervisor.resource_pool_id
    identity_type            = "ActiveDirectory"

    machine_domain_identity = {
      domain             = "contoso.local"
      domain_ou          = "OU=PVS,OU=Computers,DC=contoso,DC=local"
      service_account_id = citrix_service_account.sa.id
    }

    machine_account_creation_rules = {
      naming_scheme      = "pvs###"
      naming_scheme_type = "Numeric"
    }

    number_of_total_machines = 1

    azure_machine_config {
      service_offering  = "Standard_B2ms"
      storage_type      = "Standard_LRS"
      use_managed_disks = true

      machine_profile = {
        machine_profile_resource_group = "rg-your-resourcegroup-001"
        machine_profile_vm_name        = "yourprofilevm001"
      }

      azure_pvs_config = {
        pvs_site_id  = data.citrix_pvs.config.pvs_site_id
        pvs_vdisk_id = data.citrix_pvs.config.pvs_vdisk_id
      }

      writeback_cache = {
        wbc_disk_storage_type          = "Standard_LRS"
        persist_wbc                    = true
        persist_os_disk                = false
        persist_vm                     = false
        writeback_cache_disk_size_gb   = 20
        writeback_cache_memory_size_mb = 256
      }
    }
  }
}
```

## Terraform console output

```
citrix_machine_catalog.pvs_mtsession: Creating...
citrix_machine_catalog.pvs_mtsession: Still creating... [11m21s elapsed]
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to
│ citrix_machine_catalog.pvs_mtsession,
│ provider "provider[\"registry.terraform.io/citrix/citrix\"]" produced an
│ unexpected new value: .provisioning_scheme: inconsistent values for
│ sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
```

## Root Cause Analysis

The provider appears to return a different object structure for `machine_domain_identity` after the Create operation than what was configured. This is likely related to how sensitive attributes are handled in the Read function for PVSStreaming catalogs.

Important observations:

  1. MCS Machine Catalogs (`provisioning_type = "MCS"`) with the same `machine_domain_identity` structure work correctly
  2. The resource IS created successfully in Citrix Cloud - the error only occurs in Terraform's state comparison
  3. A similar issue was reported in "Deploying full Entra ID (AAD) catalog in DAAS" #47 for Azure AD scenarios and fixed in v0.5.3/v0.5.5, but PVSStreaming appears to have a separate code path that wasn't addressed

## Workaround

After the error, the resource exists in Citrix Cloud but Terraform marks it as tainted. Current workaround:

  1. Remove from state: `terraform state rm 'citrix_machine_catalog.pvs_mtsession'`
  2. Import the existing resource or delete from Citrix Cloud and recreate

## Related Issues

## Environment Details

  - Azure Cloud
  - Citrix DaaS (Cloud)
  - PVS Site: Configured and operational
  - Service Account: Created via `citrix_service_account` resource
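
The following is an added example, not from the issue author or the Citrix provider. It compares the catalog's `values` from `terraform show -json <planfile>` (under `planned_values`) with those from `terraform show -json` of the tainted state, and reports which attribute paths under `.provisioning_scheme` disagree without printing the sensitive values, so the result can be attached to a bug report. Both inputs are constructed, and the differences they contain (a case-changed `domain_ou`, a null `service_account_id`) are assumptions for illustration, not the confirmed cause of this bug.

```python
ADDRESS = "citrix_machine_catalog.pvs_mtsession"  # resource address from the issue

def resource_values(doc, root_key, address):
    for res in doc[root_key]["root_module"].get("resources", []):
        if res["address"] == address:
            return res["values"]
    raise KeyError(address)

def kind(value):
    return "null" if value is None else type(value).__name__

def diff_paths(planned, actual, path=""):
    """Yield (path, reason) where state disagrees with the plan; never the values."""
    if isinstance(planned, dict) and isinstance(actual, dict):
        # Keys found only in state were unknown at plan time (computed): skipped.
        for key in sorted(planned):
            if key in actual:
                yield from diff_paths(planned[key], actual[key], f"{path}.{key}")
            elif planned[key] is not None:
                yield f"{path}.{key}", "planned but missing from state"
    elif isinstance(planned, list) and isinstance(actual, list):
        if len(planned) != len(actual):
            yield path, f"list length {len(planned)} -> {len(actual)}"
        for i, (p, a) in enumerate(zip(planned, actual)):
            yield from diff_paths(p, a, f"{path}[{i}]")
    elif kind(planned) != kind(actual):
        yield path, f"{kind(planned)} -> {kind(actual)}"
    elif planned != actual:
        yield path, "value differs"

def sample(root_key, domain_ou, sa_id):
    # Constructed input, trimmed to attributes that appear in the issue's config.
    mdi = {"domain": "contoso.local", "domain_ou": domain_ou, "service_account_id": sa_id}
    values = {"provisioning_type": "PVSStreaming", "provisioning_scheme": {
        "identity_type": "ActiveDirectory", "machine_domain_identity": mdi}}
    return {root_key: {"root_module": {"resources": [
        {"address": ADDRESS, "values": values}]}}}

PLAN = sample("planned_values", "OU=PVS,OU=Computers,DC=contoso,DC=local", "constructed-sa-id")
STATE = sample("values", "ou=pvs,ou=computers,dc=contoso,dc=local", None)

def report(plan=PLAN, state=STATE, address=ADDRESS):
    planned = resource_values(plan, "planned_values", address)
    actual = resource_values(state, "values", address)
    return list(diff_paths(planned, actual))

if __name__ == "__main__":
    for path, reason in report():
        print(f"{path}: {reason}")
```

For a real run, replace `PLAN` and `STATE` with the two JSON documents loaded via `json.load`; the raw JSON files contain sensitive values in clear text and should not be shared.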
