
Commit 5f51eed

fix: Encryption at rest return inconsistent plan when setting secret access key (#1529)
1 parent b581d84 commit 5f51eed


1 file changed

+9
-8
lines changed


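--- a/mongodbatlas/fw_resource_mongodbatlas_encryption_at_rest.go
+++ b/mongodbatlas/fw_resource_mongodbatlas_encryption_at_rest.go
@@ -9,8 +9,6 @@ import (
 "reflect"
 "time"
 
-matlas "go.mongodb.org/atlas/mongodbatlas"
-
 "github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 "github.com/hashicorp/terraform-plugin-framework/path"
 "github.com/hashicorp/terraform-plugin-framework/resource"
@@ -21,10 +19,10 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/schema/validator"
 "github.com/hashicorp/terraform-plugin-framework/types"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
-
 "github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/framework/conversion"
 retrystrategy "github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/framework/retry"
 validators "github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/framework/validator"
+matlas "go.mongodb.org/atlas/mongodbatlas"
 )
 
 const (
@@ -431,20 +429,23 @@ func handleGcpKmsConfig(ctx context.Context, earRSCurrent, earRSNew, earRSConfig
 }
 }
 
-func handleAwsKmsConfigDefaults(ctx context.Context, earRSCurrent, earRSNew, earRSConfig *tfEncryptionAtRestRSModel) {
+func handleAwsKmsConfigDefaults(ctx context.Context, currentStateFile, newStateFile, earRSConfig *tfEncryptionAtRestRSModel) {
 // this is required to avoid unnecessary change detection during plan after migration to Plugin Framework if user didn't set this block
-if earRSCurrent.AwsKmsConfig == nil {
-earRSNew.AwsKmsConfig = []tfAwsKmsConfigModel{}
+if currentStateFile.AwsKmsConfig == nil {
+newStateFile.AwsKmsConfig = []tfAwsKmsConfigModel{}
 return
 }
 
 // handling sensitive values that are not returned in the API response, so we sync them from the config
 // that user provided. encryptionAtRestRSConfig is nil during Read(), so we use the current plan
 if earRSConfig != nil && len(earRSConfig.AwsKmsConfig) > 0 {
-earRSNew.AwsKmsConfig[0].Region = earRSConfig.AwsKmsConfig[0].Region
+newStateFile.AwsKmsConfig[0].Region = earRSConfig.AwsKmsConfig[0].Region
 } else {
-earRSNew.AwsKmsConfig[0].Region = earRSCurrent.AwsKmsConfig[0].Region
+newStateFile.AwsKmsConfig[0].Region = currentStateFile.AwsKmsConfig[0].Region
 }
+
+// Secret access key is not returned by the API response
+newStateFile.AwsKmsConfig[0].SecretAccessKey = currentStateFile.AwsKmsConfig[0].SecretAccessKey
 }
 
 func handleAzureKeyVaultConfigDefaults(ctx context.Context, earRSCurrent, earRSNew, earRSConfig *tfEncryptionAtRestRSModel) {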
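Review bot: The added `SecretAccessKey` copy at the end of `handleAwsKmsConfigDefaults` indexes `currentStateFile.AwsKmsConfig[0]` and `newStateFile.AwsKmsConfig[0]` unconditionally, while the only guard above it is a nil check; a non-nil but empty slice (the value this function itself assigns in the nil branch) would panic with an index out of range. Before this change the current-state slice was indexed only in the `else` branch, so the new line extends that exposure to every call; wrapping the copy in `if len(currentStateFile.AwsKmsConfig) > 0 && len(newStateFile.AwsKmsConfig) > 0 {` would cover it. The key is also always taken from `currentStateFile`, unlike `Region`, which prefers `earRSConfig` when it is set; if `currentStateFile` can be the prior state during an update (not visible in this hunk), a rotated key supplied in the config would be replaced by the stale one, so it is worth confirming which source is authoritative. Because the value is a credential persisted to state, the comment should say that as well, e.g. `// SecretAccessKey is never returned by the API; carry it over so the sensitive value in state is not cleared`.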
