Closed
Description
Describe the bug
Changing the value of role_descriptors forces API key replacement.
Editing API key roles via Kibana doesn't change the API key value.
To Reproduce
- Create api key with some role descriptor

    resource "elasticstack_elasticsearch_security_api_key" "test" {
      name = "test"
      role_descriptors = jsonencode({
        read_only = {
          indices = [
            {
              names = ["*"],
              privileges = ["read", "view_index_metadata"]
              allow_restricted_indices = false
            }
          ]
        }
      })
    }
- terraform apply
- Change this role to anything else, I removed view_index_metadata in the following example

    resource "elasticstack_elasticsearch_security_api_key" "test" {
      name = "test"
      role_descriptors = jsonencode({
        read_only = {
          indices = [
            {
              names = ["*"],
              privileges = ["read"]
              allow_restricted_indices = false
            }
          ]
        }
      })
    }
terraform apply will show "forces replacement"

    Terraform will perform the following actions:

      # elasticstack_elasticsearch_security_api_key.test must be replaced
    -/+ resource "elasticstack_elasticsearch_security_api_key" "test" {
          ~ api_key = (sensitive value)
          ~ encoded = (sensitive value)
          ~ expiration_timestamp = 0 -> (known after apply)
          ~ id = "BqFsxqFzRn--CUY9V3wk7w/FlCVI5IBVbU1E1HFWlqk" -> (known after apply)
          ~ metadata = jsonencode({}) -> (known after apply)
            name = "test"
          ~ role_descriptors = jsonencode(
              ~ {
                  ~ read_only = {
                      ~ indices = [
                          ~ {
                              ~ privileges = [
                                    "read",
                                  - "view_index_metadata",
                                ]
                                # (2 unchanged attributes hidden)
                            },
                        ]
                    }
                } # forces replacement
            )
            # (1 unchanged attribute hidden)
        }

    Plan: 1 to add, 0 to change, 1 to destroy.
Expected behavior
I expect the Terraform module to only update the role descriptor, the same way Kibana does.
Debug output
N/A
Screenshots
N/A
Versions (please complete the following information):
- OS: macos 15
- terraform 1.8.0
- provider registry.terraform.io/elastic/elasticstack v0.11.7
- elasticsearch 8.14.3
Additional context
N/A
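
An added example, not part of the original issue or the provider's code: since the plan above destroys the existing key and issues a new api_key value, a CI step can flag such plans before apply. The sketch reads the JSON produced by `terraform show -json` (fields `resource_changes`, `change.actions`, `change.replace_paths`); the function name and the sample plan are constructed for illustration.

```python
import json

API_KEY_TYPE = "elasticstack_elasticsearch_security_api_key"


def forced_key_replacements(plan):
    """Return API key resources that the plan would destroy and recreate."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # Terraform reports a replacement as "delete" plus "create", in either order.
        is_replace = set(change.get("actions", [])) == {"delete", "create"}
        if rc.get("type") != API_KEY_TYPE or not is_replace:
            continue
        # replace_paths holds the attribute paths that forced the replacement.
        causes = [".".join(str(step) for step in path)
                  for path in change.get("replace_paths", [])]
        findings.append({"address": rc["address"], "forced_by": causes})
    return findings


# Constructed sample, reduced to the fields read above.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "elasticstack_elasticsearch_security_api_key.test",
     "type": "elasticstack_elasticsearch_security_api_key",
     "change": {"actions": ["delete", "create"],
                "replace_paths": [["role_descriptors"]]}},
    {"address": "elasticstack_elasticsearch_security_api_key.steady",
     "type": "elasticstack_elasticsearch_security_api_key",
     "change": {"actions": ["no-op"]}},
    {"address": "elasticstack_elasticsearch_index.logs",
     "type": "elasticstack_elasticsearch_index",
     "change": {"actions": ["delete", "create"], "replace_paths": [["name"]]}}
  ]
}
""")

if __name__ == "__main__":
    for finding in forced_key_replacements(SAMPLE_PLAN):
        print(f"{finding['address']}: key would be replaced, "
              f"forced by {finding['forced_by']}")
```

In a pipeline the input would come from `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, and a non-empty result would fail the job or require approval.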