[BUG] No data change recognition in ovh_okms_secret #1147

@drademacher-senacor

Describe the bug

There is a synchronization issue between the secret resource and Terraform. In most resources (e.g. storage), some values changed on the UI side will be recognized and correctly shown.

My use case is the following:
Create a secret resource with default values in Terraform and manually fill in the real secret value as a person. That way there is no secret in the code. In my example there is no prevention of changes to the secret data by adding a lifecycle rule.

But in any case I would like to get the real value from my Terraform provider. I found a tedious workaround, but that is unintuitive and is a lot of unnecessary extra code.

Terraform Version

Terraform v1.13.4
on darwin_arm64

provider registry.terraform.io/ovh/ovh v2.9.0

Affected Resource(s)

Please list the resources as a list, for example:

  • ovh_okms_secret

Terraform Configuration Files

resource "ovh_okms_secret" "my_credentials" {
  okms_id = var.ovh_secret_manager
  path    = "my_credentials"

  version = {
    data = jsonencode({
      password = "MyPassword"
    })
  }
}

# resource does not contain actual values from secret store
data "ovh_okms_secret" "my_credentials" {
  okms_id      = var.ovh_secret_manager
  path         = ovh_okms_secret.my_credentials.path
  include_data = true
}

output "my_buggy_credentials" {
  value     = ovh_okms_secret.my_credentials.version.data
  sensitive = true
}

output "my_real_credentials" {
  value     = data.ovh_okms_secret.my_credentials.data
  sensitive = true
}

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. Go to secret manager and change the password to a new value
  3. terraform apply again
  4. terraform output my_buggy_credentials
  5. terraform output my_real_credentials

Debug Output

For step 4

"{\"password\":\"MyPassword\"}"

For step 5

"{\"password\":\"MyChangedPassword\"}"

Expected Behavior

  1. Terraform should have actually recognized that the resource is not correct and changed the value back to my password.
  2. Terraform should not yield different values for the same entity. Resource and data should be equal.
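
A drift check for the two outputs in the configuration above, as an added example (not part of the original issue or of the OVH provider): it reads `terraform output -json` and reports only the names of the secret fields that differ between `my_buggy_credentials` and `my_real_credentials`, never their values. The function name `drifted_keys` and the embedded sample are constructed for this example; the sample values come from the Debug Output section.

```python
import hmac
import json

# Constructed sample of `terraform output -json` for the two outputs in the
# issue (values taken from its Debug Output section).
SAMPLE = json.dumps({
    "my_buggy_credentials": {"sensitive": True, "type": "string",
                             "value": "{\"password\":\"MyPassword\"}"},
    "my_real_credentials": {"sensitive": True, "type": "string",
                            "value": "{\"password\":\"MyChangedPassword\"}"},
})


def _same(a, b):
    """Compare two values in constant time without exposing them."""
    return hmac.compare_digest(json.dumps(a, sort_keys=True).encode(),
                               json.dumps(b, sort_keys=True).encode())


def _payload(raw):
    """Decode a secret payload; non-JSON or non-object data is one opaque field."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return {"<whole value>": raw}
    return doc if isinstance(doc, dict) else {"<whole value>": doc}


def drifted_keys(tf_output_json, managed, live):
    """Return names of secret fields that differ between the managed resource
    output and the live data-source output. Values are never returned."""
    outputs = json.loads(tf_output_json)
    for name in (managed, live):
        if name not in outputs:
            raise KeyError(f"output {name!r} not found")
    state = _payload(outputs[managed]["value"])
    actual = _payload(outputs[live]["value"])
    return sorted(k for k in state.keys() | actual.keys()
                  if k not in state or k not in actual
                  or not _same(state[k], actual[k]))


if __name__ == "__main__":
    import sys
    # Pipe `terraform output -json` in; with no pipe, the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    keys = drifted_keys(raw, "my_buggy_credentials", "my_real_credentials")
    print("drifted fields:", ", ".join(keys) if keys else "none")
    sys.exit(1 if keys else 0)
```

Run after `terraform apply`, the non-zero exit status makes out-of-band edits to the secret visible in CI without writing the secret to the log.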
