Idempotency issue with secure_environment_variables inside init_container in azurerm_container_group

[dannystaple]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.4.6

AzureRM Provider Version

3.67.0

Affected Resource(s)/Data Source(s)

azurerm_container_group

Terraform Configuration Files

resource "azurerm_container_group" "test" {
  name                = "acctestcontainergroupemptyshared-%d"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  ip_address_type     = "None"
  os_type             = "Linux"
  restart_policy      = "Never"

  init_container {
    name     = "init"
    image    = "busybox"
    commands = ["touch", "/sharedempty/file.txt"]

    volume {
      name       = "logs"
      mount_path = "/sharedempty"
      read_only  = false
      empty_dir  = true
    }
    
    secure_environment_variables = {
      PASSWORD = "something_very_secure"
    }
  }

  container {
    name   = "reader"
    image  = "ubuntu:20.04"
    cpu    = "1"
    memory = "1.5"

    volume {
      name       = "logs"
      mount_path = "/sharedempty"
      read_only  = false
      empty_dir  = true
    }

    commands = ["/bin/bash", "-c", "timeout 30 watch --interval 1 --errexit \"! cat /sharedempty/file.txt\""]
  }
}

Debug Output/Panic Output

test.azurerm_container_group.container_instance must be replaced
...
 ~ init_container {
          ~ commands                     = [] -> (known after apply)
            name                         = "init"
          ~ secure_environment_variables = (sensitive value) # forces replacement
            # (2 unchanged attributes hidden)
}

Expected Behaviour

If the secure environment variable data is the same, it should not replace this resource.

Actual Behaviour

The resource is replaced.

Steps to Reproduce

1. Create a container_group, with an init container, with secure environment variables.
2. Apply
3. Make no changes!
4. Plan again - it will show changes
5. Apply again - it will bounce the container group - all the containers

Important Factoids

No response

References

I followed the chain down through the resource code. In the function flattenContainerEnvironmentVariables on line 1770, the key parameter provided to d.Get assumes the data item to be container.%d.secure_environment_variables.%s.

When flattenContainerEnvironmentVariables is called from the function flattenContainerGroupInitContainers, the d.Get should be looking for keys starting with init_container.%d.secure_environment_variables.%s.

Note also that secure_environment_variables are not tested in init_containers in the tests at:

terraform-provider-azurerm/internal/services/containers/container_group_resource_test.go

Line 2134 in 10ecd75

init_container {

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.