The tfe_variable_set doesn't update when parent_project_id attribute is removed. #1896
Description
Terraform Enterprise version
Not using Terraform Enterprise. This is against HCP Terraform (app.terraform.io).
Terraform version
Terraform v1.11.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/tfe v0.68.2
Terraform Configuration Files
variable "organization" {
description = "The organization that will own the variable set. Required if 'project_id' is not set."
type = string
default = "my-org"
}
variable "token" {
description = "The TFE API token to use."
type = string
}
terraform {
required_version = "~>1.9"
required_providers {
tfe = {
source = "hashicorp/tfe"
version = "~>0.68.0"
}
}
}
provider "tfe" {
token = var.token
organization = var.organization
}
# A simple project to demonstrate project-owned variable sets
resource "tfe_project" "one" {
name = "project-one"
}
# -------------------------------
# STAGE A: Organization-owned varset (no parent_project_id)
# -------------------------------
# Apply with this block to create an org-owned variable set.
# Then move to STAGE B below.
resource "tfe_variable_set" "one_var_a" {
name = "one_var_a"
description = "This is a variable set for project-one."
organization = var.organization
}
# -------------------------------
# STAGE B: Project-owned varset (add parent_project_id)
# -------------------------------
# Replace the block above with the block below and apply again to
# confirm the org-owned set is replaced with a project-owned set.
# (This part works as expected.)
#
#resource "tfe_variable_set" "one_var_a" {
# name = "one_var_a"
# description = "This is a variable set for project-one."
# organization = var.organization
# parent_project_id = tfe_project.one.id
#}
Debug Output
I have not included any - if this demands that level of rigor, I can attach it to this issue.
Expected Behavior
When removing parent_project_id from tfe_variable_set, the provider should plan to replace the existing project-owned variable set with an organization-owned variable set (mirroring the behavior observed when adding parent_project_id, which replaces an org-owned set with a project-owned one).
Actual Behavior
After removing the parent_project_id attribute from the resource and running either terraform plan or terraform apply, Terraform reports “No changes”. The existing project-owned variable set remains; it is not replaced by an organization-owned variable set.
Steps to Reproduce
- Apply Stage A (resource has no
parent_project_id). Result: an org-owned variable set is created. - Switch to Stage B (add
parent_project_id = tfe_project.demo.id). Apply. Result: the org-owned set is replaced with a project-owned set — works as expected. - Revert back to Stage A (remove
parent_project_id). Plan/apply. Result: No changes are detected; the variable set remains project-owned — unexpected.
Additional Context
- Running plans/applies from HCP Terraform (no wrapper; standard remote runs).
- Credentialing via
TFE_TOKEN. - I have not yet tested v0.70.0 of the provider; if maintainers believe this was addressed recently, I can attempt to reproduce on that version as well. (I didn’t find an entry in the release notes specific to
tfe_variable_setownership changes.) ([GitHub][1])
Important Notes
- Provider version used in repro: tfe v0.68.2. (This attribute was introduced in v0.62.0. I don’t see a changelog entry indicating behavior changes for
parent_project_idsince then.) ([GitHub][1]) - Resource docs (for the
tfe_variable_setresource and the “parent” relationship in the Varsets API) indicate variable sets can be owned either by an organization or a project; switching owners should be possible. ([HashiCorp Developer][2])