Description
Your environment
Terraform Provider Version:
Terraform v1.12.2
on linux_amd64
- provider registry.terraform.io/1password/onepassword v2.1.2
- provider registry.terraform.io/hashicorp/azurerm v4.32.0
Connect Server Version: N/A
CLI Version: 2.31.1
OS: WSL Ubuntu 22.04.5 LTS
Terraform Version: v1.12.2
What happened?
Error: Provider produced inconsistent result after apply
Item is created but marked as tainted, requiring recreation on each subsequent apply.
What did you expect to happen?
No error.
Steps to reproduce
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
}
onepassword = {
source = "1Password/onepassword"
}
}
}
provider "azurerm" {
subscription_id = var.subscription_id
features {}
}
provider "onepassword" {
service_account_token = "<my-token>"
}
resource "azurerm_resource_group" "rg_email_manager" {
location = var.location
name = "rg-${var.common_name}-${var.environment}"
}
resource "onepassword_item" "email_manager_secrets" {
vault = "<my-vault-id>" # Can be either Vault's name or UUID
title = "${var.common_name}-${var.environment}"
category = "secure_note"
note_value = "<some-text-here>"
tags = ["email", "email-manager", "manager"]
section {
label = "" # Top-level field (no section)
field {
label = "resource_group"
value = azurerm_resource_group.rg_email_manager.name
type = "STRING"
}
}
}Notes & Logs
Even if there are no changes to Terraform configuration files I'm getting this Error:
Plan: 1 to add, 0 to change, 1 to destroy.
onepassword_item.email_manager_secrets: Destroying... [id=vaults/2mylsgednbhstihecp3abaqpna/items/ncz5mvfjughs4oswjjpk672tmq]
onepassword_item.email_manager_secrets: Destruction complete after 2s
onepassword_item.email_manager_secrets: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to onepassword_item.email_manager_secrets, provider "provider[\"registry.terraform.io/1password/onepassword\"]" produced an unexpected new value: .section[0].label: was cty.StringVal(""), but now null.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
Releasing state lock. This may take a few moments...And so now every time an item gets deleted and created again and this is flooding my "Recently deleted" section with unuseful items.
End Goal
I got to this point in my efforts to put a field in the default (a.k.a. "top-level") section, or no section at all. Unfortunately I wasn't able to do it with omitting the section {} block as it's required. If I skipped the section block and put the field block instead I'm getting this error:
╷
│ Error: Unsupported block type
│
│ on one-password.tf line 9, in resource "onepassword_item" "email_manager_secrets":
│ 9: field {
│
│ Blocks of type "field" are not expected here.
╵After that I tried with label = null as shown below:
section {
label = null
field {
label = "resource_group"
value = azurerm_resource_group.rg_email_manager.name
type = "STRING"
}but this got me an error and didn't ran the apply either:
╷
│ Error: Missing Configuration for Required Attribute
│
│ with onepassword_item.email_manager_secrets,
│ on one-password.tf line 10, in resource "onepassword_item" "email_manager_secrets":
│ 10: label = null # Top-level field (no section)
│
│ Must set a configuration value for the section[0].label attribute as the provider has marked it as required.
│
│ Refer to the provider documentation or contact the provider developers for additional information about configurable attributes that are required.
╵So that's how I ended up using label = "" in order to put this resource_group field "outside any section". It's not ideal, but at least works and lets me run apply. The annoying thing is that it's constantly destroying it and creating it as new.
Solution
I'm not an expert, but in my humble opinion I think the best solution would be to allow null value to be set to the section[0].label attribute. The second best would be to allow an empty string (as I did) label = "" to stay empty and not convert it to null, but the decision is entirely yours.