
Terraform update on a secret fails #115

Lp-Francois opened this issue Dec 17, 2024 · 6 comments

Comments

@Lp-Francois

Lp-Francois commented Dec 17, 2024

Hey 👋

It seems like the provider isn't able to fetch info about a secret when I want to change a secret.

Error: One or more secret fields are restricted: [raw computed]. You must use a service account or service token to manage these resources. Otherwise, Terraform cannot fetch these restricted secrets to check the validity of their state.

  with module.my-module.doppler_secret.secret_entry_prod,
  on ../../modules/service/doppler.tf line 26, in resource "doppler_secret" "secret_entry_prod":
  26: resource "doppler_secret" "secret_entry_prod" ***

For some context, I am importing manually created doppler project, configs and secrets in Terraform, and I replace a secret during the import.

Related issue: pulumiverse/pulumi-doppler#15

@watsonian
Contributor

Hi @Lp-Francois! Could you confirm whether or not the config the secret is going into contains any secrets with the restricted visibility type? Also, are you using a service token or service account token to perform the TF run? Or are you using a CLI/Personal token?

@Lp-Francois
Author

Hey @watsonian 👋
The secret can be seen from my user, so it is not restricted.
Another secret in the config has a visibility restricted but it is not the one I am trying to change.

And to run TF, I use a Service account token.

@a-nldisr

a-nldisr commented Dec 18, 2024

We have the same issue in one of our environments, and traced back why this happened:

  • The issue also occurs when I run the terraform plan with a personal access token that has admin capabilities.
  • The secret is not restricted.
  • Saw this message: Note: Objects have changed outside of Terraform.
  • Checked the audit logs for the secret and found out that one of the 2 secrets we create for the database (the user and the password) through Terraform was removed by the Terraform provider. However, the codebase showed that the secret should still be there. After checking with the person that made the change, we decided that the secret should actually be there. We rolled back the removal of the secret via the interface.
  • Rolling back the secret removal fixed the issue.

It seems there was an event where the Terraform provider made a change to Doppler and did not store it in the Terraform state. We store this state on S3, so I really am not sure how this could even happen.
The issue was resolved for us by rolling back.

@a-nldisr

Another thing to note: I found more issues on GitHub describing this in other repos:
pulumiverse/pulumi-doppler#15

@watsonian
Contributor

Unfortunately, I wasn't able to reproduce this behavior at all unless I was specifically attempting to import a secret with restricted visibility. @Lp-Francois Could you please describe the exact steps you're taking (i.e., service account permissions on the project in question, which resources you're importing into TF, the exact commands you're running to do the imports, and the relevant plan output you're seeing before hitting this error)? Could you also attempt to reproduce this on a test Doppler project in a config that only has the secret you're trying to manage in Terraform? Finally, it looks like you're using a custom module. Are you able to share the relevant portion that's doing this so I can see what else it's doing more broadly?

I set up a very simple reproduction case with a project named test and a secret named TEST inside the dev config. I then set up a barebones TF script that looks like the following:

terraform {
  required_providers {
    doppler = {
      source = "DopplerHQ/doppler"
    }
  }
}

variable "doppler_token" {
  type        = string
}

provider "doppler" {
  doppler_token = var.doppler_token
}

resource "doppler_project" "test" {
  name = "test"
}

resource "doppler_environment" "dev" {
  project = doppler_project.test.name
  name    = "Development"
  slug    = "dev"
}

resource "doppler_secret" "test" {
  project = doppler_project.test.name
  config  = doppler_environment.dev.slug
  name    = "TEST"
  value   = "1234567890"
}

I then ran the following commands to import the relevant resources:

TF_VAR_doppler_token=$DOPPLER_TOKEN terraform import doppler_project.test test
TF_VAR_doppler_token=$DOPPLER_TOKEN terraform import doppler_environment.dev test.dev
TF_VAR_doppler_token=$DOPPLER_TOKEN terraform import doppler_secret.test test.dev.TEST

At that point, I performed a terraform apply and it proceeded to update the secret:

❯ TF_VAR_doppler_token=$DOPPLER_TOKEN terraform import doppler_secret.test test.dev.TEST
doppler_secret.test: Importing from ID "test.dev.TEST"...
doppler_secret.test: Import prepared!
  Prepared doppler_secret for import
doppler_secret.test: Refreshing state... [id=test.dev.TEST]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

~/dev/terraform/gh115
❯ TF_VAR_doppler_token=$DOPPLER_TOKEN terraform apply
doppler_project.test: Refreshing state... [id=test]
doppler_environment.dev: Refreshing state... [id=test.dev]
doppler_secret.test: Refreshing state... [id=test.dev.TEST]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # doppler_secret.test will be updated in-place
  ~ resource "doppler_secret" "test" {
      ~ computed   = (sensitive value)
        id         = "test.dev.TEST"
        name       = "TEST"
      ~ value      = (sensitive value)
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

doppler_secret.test: Modifying... [id=test.dev.TEST]
doppler_secret.test: Modifications complete after 2s [id=test.dev.TEST]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

This worked if I didn't import the secret first too:

❯ TF_VAR_doppler_token=$DOPPLER_TOKEN terraform apply
doppler_project.test: Refreshing state... [id=test]
doppler_environment.dev: Refreshing state... [id=test.dev]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # doppler_secret.test will be created
  + resource "doppler_secret" "test" {
      + computed   = (sensitive value)
      + config     = "dev"
      + id         = (known after apply)
      + name       = "TEST"
      + project    = "test"
      + value      = (sensitive value)
      + visibility = "masked"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

doppler_secret.test: Creating...
doppler_secret.test: Creation complete after 2s [id=test.dev.TEST]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
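The reproduction above shows the two conditions the thread circles around: a secret whose visibility is restricted (which the provider can only read with a service account or service token, per the error message in the first post) and a secret that was removed outside Terraform, which surfaces as "Objects have changed outside of Terraform". The following is an added example, not code from this thread or from the Doppler provider. It audits the JSON that `terraform show -json` emits (the `values.root_module.resources` / `child_modules` layout, which is Terraform's documented format) and flags doppler_secret resources that are restricted or whose `value`/`computed` fields came back empty on refresh. The sample state is constructed for the example; the module and resource addresses in it are made up, and it assumes that sensitive attribute values are present in the JSON as Terraform normally emits them.

```python
"""Audit doppler_secret resources in `terraform show -json` output.

Flags (1) secrets whose visibility is "restricted", which the provider can
only read with a service account / service token, and (2) secrets whose
value and computed fields are empty in state, a sign that the refresh could
not read them or that they were removed outside Terraform.
"""
import json
from typing import Iterator

# Constructed sample modelled on `terraform show -json` state output.
# Addresses, project/config names and the placeholder secret value are
# made up for this example.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {
        "root_module": {
            "resources": [
                {"address": "doppler_project.test", "type": "doppler_project",
                 "name": "test", "values": {"id": "test", "name": "test"}},
                {"address": "doppler_secret.test", "type": "doppler_secret",
                 "name": "test",
                 "values": {"id": "test.dev.TEST", "project": "test",
                            "config": "dev", "name": "TEST",
                            "value": "1234567890", "computed": "1234567890",
                            "visibility": "masked"}},
            ],
            "child_modules": [
                {"address": "module.service",
                 "resources": [
                     {"address": "module.service.doppler_secret.db_password",
                      "type": "doppler_secret", "name": "db_password",
                      "values": {"id": "app.prd.DB_PASSWORD", "project": "app",
                                 "config": "prd", "name": "DB_PASSWORD",
                                 "value": "placeholder-not-a-real-secret",
                                 "computed": "placeholder-not-a-real-secret",
                                 "visibility": "restricted"}},
                     {"address": "module.service.doppler_secret.db_user",
                      "type": "doppler_secret", "name": "db_user",
                      "values": {"id": "app.prd.DB_USER", "project": "app",
                                 "config": "prd", "name": "DB_USER",
                                 "value": "", "computed": "",
                                 "visibility": "masked"}},
                 ]},
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def audit_doppler_secrets(state_json: str) -> dict:
    """Return addresses of doppler_secret resources that need attention."""
    state = json.loads(state_json)
    root = state.get("values", {}).get("root_module", {})
    report = {"restricted": [], "empty_in_state": []}
    for res in iter_resources(root):
        if res.get("type") != "doppler_secret":
            continue
        vals = res.get("values", {})
        if vals.get("visibility") == "restricted":
            report["restricted"].append(res["address"])
        # Both fields empty: the last refresh could not read the secret,
        # or it no longer exists in Doppler (drift outside Terraform).
        if not vals.get("value") and not vals.get("computed"):
            report["empty_in_state"].append(res["address"])
    return report


def token_requirement(report: dict) -> str:
    """Summarise which Doppler token type the next plan/apply run needs."""
    if report["restricted"]:
        return "service account or service token required"
    return "personal token sufficient"


if __name__ == "__main__":
    result = audit_doppler_secrets(SAMPLE_STATE)
    print(json.dumps(result, indent=2))
    print(token_requirement(result))
```

To run it against a real workspace, pipe `terraform show -json` into `audit_doppler_secrets` instead of the sample; any address in `empty_in_state` is worth checking in the Doppler audit log before running apply, since (as in the comment above) an apply will otherwise recreate or rewrite the secret from whatever the configuration holds.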

@Lp-Francois
Author

Lp-Francois commented Dec 19, 2024

Hey @watsonian, it is really weird.

I got the error, and to fix it I tried to delete the secret entry in doppler. The error still remained.
Then today I manually added the entry again on doppler, and it seems like the apply succeeds now.

Also, I don't use "Restricted" entries on the project I was terraforming... 🤔

If it happens again, I will post a complete bug report here (with TF outputs, etc.).
