[Bug] 0.11.10 forces api key replacement due to whitespaces #873

Closed
Davasny opened this issue Oct 24, 2024 · 2 comments · Fixed by #875
Labels
bug Something isn't working


Davasny commented Oct 24, 2024

Describe the bug
After upgrading the provider from 0.11.8 to 0.11.10, it wants to replace the API key due to whitespace changes. The API key role_descriptors are not changed.

To Reproduce

  1. Create api key with 0.11.8
  2. Upgrade provider to 0.11.10
  3. Run plan
  # elasticstack_elasticsearch_security_api_key.telegraf must be replaced
-/+ resource "elasticstack_elasticsearch_security_api_key" "telegraf" {
      ~ api_key              = (sensitive value)
      ~ encoded              = (sensitive value)
      ~ expiration_timestamp = 0 -> (known after apply)
      ~ id                   = "25opFie5T1qs3JS9dz9YFA/daCobZIBlhlmOGXYaM3k" -> (known after apply)
      ~ key_id               = "daCobZIBlhlmOGXYaM3k" -> (known after apply)
      ~ metadata             = jsonencode({}) -> (known after apply)
        name                 = "telegraf"
      ~ role_descriptors     = jsonencode( # whitespace changes
            {
                telegraf = {
                    cluster = [
                        "monitor",
                        "cluster:admin/snapshot/status",
                        "cluster:admin/repository/get",
                        "manage_slm",
                    ]
                    indices = [
                        {
                            allow_restricted_indices = true
                            names                    = [
                                "*",
                            ]
                            privileges               = [
                                "monitor",
                                "view_index_metadata",
                            ]
                        },
                    ]
                }
            }
        )
        # (1 unchanged attribute hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Expected behavior
Whitespace shouldn't force API key replacement

Debug output
N/A

Screenshots
N/A

Versions (please complete the following information):

  • OS: macos 15
  • terraform 1.8.0
  • provider registry.terraform.io/elastic/elasticstack v0.11.10
  • elasticsearch 8.14.3 on elastic.co

Additional context
N/A

@flaper87

Hi folks! FWIW, we just had multiple production incidents due to this. All tokens were rotated, which caused several services to fail.

There's a lot to say about what we can do internally to prevent this from happening in the future, but figured I'd share that this has a widespread impact and may be worth communicating.

I'd probably avoid a rollback of whatever caused this but definitely make the provider resilient to whitespace changes. We will now make 0.11.10 the minimum required version for us.

Member

tobio commented Oct 24, 2024

Ah, this bug sucks. Sorry folks.

For clarity, changes to role_descriptors aren't causing resource replacement here. This resource was migrated from the old Terraform SDK to the newer Plugin Framework in 0.11.10. The SDK stored unset attributes in state as their default values, specifically expiration:"". The Plugin Framework correctly models this as expiration:null; however, this was causing TF to force replacement of the API Key resource, since "" != null.

#875 fixes this behaviour, only requiring replacement if the expiration values actually change (e.g. 1d -> 1h).
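
A plan-time guard for the failure mode discussed in this thread, as an added example that is not code from the issue or from the provider: it scans Terraform's JSON plan for API key resources that would be destroyed and recreated, and marks a replacement as spurious when every attribute forcing it is empty on both sides (`""` in old state, `null` in the new plan). The resource type list, the function names and the sample plan are assumptions made for illustration.

```python
import json

# Types whose replacement rotates a live credential (assumed list; extend for your stack).
CREDENTIAL_TYPES = {"elasticstack_elasticsearch_security_api_key"}

def _empty(value):
    # The old SDK stored unset strings as "", the Plugin Framework stores null.
    return value is None or value == ""

def _lookup(obj, path):
    # Walk one replace_paths entry (a list of keys/indexes) into a plan object.
    for step in path:
        if isinstance(obj, dict):
            obj = obj.get(step)
        elif isinstance(obj, list) and isinstance(step, int) and 0 <= step < len(obj):
            obj = obj[step]
        else:
            return None
    return obj

def credential_replacements(plan):
    """Return one finding per credential resource the plan would destroy and recreate."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if (rc.get("type") not in CREDENTIAL_TYPES
                or not {"delete", "create"} <= set(change.get("actions", []))):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        paths = change.get("replace_paths", [])
        # Spurious: each forcing attribute is empty before and after, and not "known after apply".
        spurious = bool(paths) and all(
            _empty(_lookup(before, p)) and _empty(_lookup(after, p))
            and not _lookup(unknown, p) for p in paths)
        findings.append({"address": rc["address"], "replace_paths": paths, "spurious": spurious})
    return findings

# Constructed sample in the shape of `terraform show -json` output, not taken from the issue.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "elasticstack_elasticsearch_security_api_key.telegraf",
  "type": "elasticstack_elasticsearch_security_api_key",
  "change": {"actions": ["delete", "create"], "replace_paths": [["expiration"]],
             "before": {"name": "telegraf", "expiration": ""},
             "after": {"name": "telegraf", "expiration": null}}},
 {"address": "elasticstack_elasticsearch_security_api_key.ci",
  "type": "elasticstack_elasticsearch_security_api_key",
  "change": {"actions": ["delete", "create"], "replace_paths": [["expiration"]],
             "before": {"name": "ci", "expiration": "1d"},
             "after": {"name": "ci", "expiration": "1h"}}}
]}""")
```

In CI, pass the parsed output of `terraform show -json <planfile>` to `credential_replacements` and hold the apply on any finding until the rotation is confirmed as intended.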
