Allways making update in place for specific secrets

[avivsalman]

Hi

i am using the doppler providerm and i have some 2 secrets that every apply making update in place even if something changed..

the value of this secrets are private.key and public.key certs that i read from file, as attached here:

this is very important to me because every change in secrets trigreed kubernetes to restart the deployment..

Thanks :)

[watsonian]

@avivsalman Could you provide some more details around how you're storing the file contents there? It looks like you're assigning it to an intermediate variable of some kind and then maybe passing that in to the value parameter of the doppler_secret resource. Is that right? Are you assigning it to a local?

I've tried reproducing this both using locals and with assigning the results of the file() invocation directly to the value parameter and neither seem to be exhibiting the problem you're seeing. Here's are the two tests I'm using:

terraform {
  required_providers {
    doppler = {
      source = "DopplerHQ/doppler"
    }
  }
}

variable "doppler_token" {
  type        = string
  description = "A token to authenticate with Doppler"
}

provider "doppler" {
  doppler_token = var.doppler_token
}

locals {
  TF_FILE_FUNCTION_TEST_PRIVATE_KEY = file("${path.module}/id_tftest")
  TF_FILE_FUNCTION_TEST_PUBLIC_KEY  = file("${path.module}/id_tftest.pub")
}

resource "doppler_secret" "test_privkey" {
  project = "example"
  config  = "dev"
  name    = "TF_FILE_FUNCTION_TEST_PRIVATE_KEY"
  value   = local.TF_FILE_FUNCTION_TEST_PRIVATE_KEY
}

resource "doppler_secret" "test_pubkey" {
  project = "example"
  config  = "dev"
  name    = "TF_FILE_FUNCTION_TEST_PUBLIC_KEY"
  value   = local.TF_FILE_FUNCTION_TEST_PUBLIC_KEY
}

terraform {
  required_providers {
    doppler = {
      source = "DopplerHQ/doppler"
    }
  }
}

variable "doppler_token" {
  type        = string
  description = "A token to authenticate with Doppler"
}

provider "doppler" {
  doppler_token = var.doppler_token
}

resource "doppler_secret" "test_privkey" {
  project = "example"
  config  = "dev"
  name    = "TF_FILE_FUNCTION_TEST_PRIVATE_KEY"
  value   = file("${path.module}/id_tftest")
}

resource "doppler_secret" "test_pubkey" {
  project = "example"
  config  = "dev"
  name    = "TF_FILE_FUNCTION_TEST_PUBLIC_KEY"
  value   = file("${path.module}/id_tftest.pub")
}

Could you confirm that the value in Doppler hasn't changed? As an example, I went into Doppler after running the above and noted that there was a trailing newline in the value (i.e., the whole key was on line 1 and then there was a blank line 2). If I remove the blank line and save, then run terraform plan again, I see the same message you saw there.

[avivsalman]

@watsonian thank you for your answer, i can confirm that nothing changed in doppler side, because we only edit from terraform.

i does it the same your are doing it in example 1, but i got an error, i can ensure that the problem is not in the way i handle it, because this 2 secrets are part of a lot of secrets, its happend only in this 2 secrets, the problem has to be connected to this specifig value, maybe because its from file, maybe the content are certificate string..

what else information i can share with you to solve this problem?

locals {
    main_secrets = {
        dev = {
            PRIVATE_KEY = file("../${path.module}/assets/secrets/oauth-private.key")
            PUBLIC_KEY = file("../${path.module}/assets/secrets/oauth-public.key")
        }
    }
}

resource "doppler_secret" "main_secrets_dev" {
    depends_on = [doppler_environment.main_environment_dev]

    for_each = { for k, x in local.main_secrets.dev: k => x }

    project     = doppler_project.main.name
    config      = "dev"
    name        = each.key
    value       = each.value
}

[watsonian]

Okay, I tried reproducing what you're doing more exactly and am still not seeing this issue:

terraform {
  required_providers {
    doppler = {
      source = "DopplerHQ/doppler"
    }
  }
}

variable "doppler_token" {
  type        = string
  description = "A token to authenticate with Doppler"
}

provider "doppler" {
  doppler_token = var.doppler_token
}

locals {
  main_secrets = {
    dev = {
      PRIVATE_KEY = file("../${path.module}/id_tftest")
      PUBLIC_KEY  = file("../${path.module}/id_tftest.pub")
    }
  }
}

resource "doppler_secret" "main_secrets_dev" {
  for_each = { for k, x in local.main_secrets.dev : k => x }

  project = "example"
  config  = "dev"
  name    = each.key
  value   = each.value
}

This is pretty bizarre. Would it be possible to delete those two secrets temporarily from your TF script, perform a terraform run to delete them in Doppler (double-check to make sure they're gone after this), then add them back in and run again so they're created again? If the problem continues persisting then, it has to be some nuance with the actual file contents. In that situation, could you open a support ticket at https://support.doppler.com and then we can continue investigating the problem there.

[avivsalman]

@watsonian thanks for trying helping me..

i found the solution after debuging the terraform output, i always send the certitificate with CRLF and doppler store it only with LF, so i changed the files to LF only and its worked.

Thanks :)