ignore_changes with an impure function with sensitive arguments causes change in plan #29173

@thllxb

Description

Terraform Version

Terraform v1.0.1
on linux_amd64

Terraform Configuration Files

resource "random_password" "test" {
  length = 16
}

resource "random_string" "test" {
  length = 16
}

resource "kubernetes_secret" "test1" {
  metadata {
    name      = "change-test1"
    namespace = "default"
  }
  data = {
    string = sha1(random_password.test.result)
  }
  lifecycle {
    ignore_changes = [data]
  }
}

resource "kubernetes_secret" "test2" {
  metadata {
    name      = "change-test2"
    namespace = "default"
  }
  data = {
    string = bcrypt(timestamp())
  }
  lifecycle {
    ignore_changes = [data]
  }
}

resource "kubernetes_secret" "test3" {
  metadata {
    name      = "change-test3"
    namespace = "default"
  }
  data = {
    string = bcrypt(random_password.test.result)
  }
  lifecycle {
    ignore_changes = [data]
  }
}

resource "kubernetes_secret" "test4" {
  metadata {
    name      = "change-test4"
    namespace = "default"
  }
  data = {
    string = "password:${bcrypt(random_password.test.result)}"
  }
  lifecycle {
    ignore_changes = [data]
  }
}

resource "kubernetes_secret" "test5" {
  metadata {
    name      = "change-test5"
    namespace = "default"
  }
  data = {
    string = "string:${bcrypt(random_string.test.result)}"
  }
  lifecycle {
    ignore_changes = [data]
  }
}

Debug Output

https://gist.github.com/thllxb/22ef5ccd9547a08bb40ee8acce667e07

Crash Output

Expected Behavior

terraform plan/apply shows no item to change.

Actual Behavior

terraform attempts to change the k8s secret data.

# terraform apply -auto-approve

kubernetes_secret.test2: Refreshing state... [id=default/change-test2]
random_password.test: Refreshing state... [id=none]
random_string.test: Refreshing state... [id=&z-%6#R:)[FvC[}z]
kubernetes_secret.test1: Refreshing state... [id=default/change-test1]
kubernetes_secret.test4: Refreshing state... [id=default/change-test4]
kubernetes_secret.test3: Refreshing state... [id=default/change-test3]
kubernetes_secret.test5: Refreshing state... [id=default/change-test5]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # kubernetes_secret.test4 will be updated in-place
  ~ resource "kubernetes_secret" "test4" {
      ~ data = (sensitive value)
        id   = "default/change-test4"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform plan/apply

Additional Context

# terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/kubernetes...
- Finding latest version of hashicorp/random...
- Installing hashicorp/kubernetes v2.3.2...
- Installed hashicorp/kubernetes v2.3.2 (signed by HashiCorp)
- Installing hashicorp/random v3.1.0...
- Installed hashicorp/random v3.1.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!
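Added example, not part of this issue and not code from the reporter or from Terraform: a small drift gate for CI that reads the text of a `terraform plan` or `terraform apply` run, lists which resources Terraform still wants to modify, and fails when the plan is non-empty. On the reproduction above a healthy run should report nothing; if it names kubernetes_secret.test4, the spurious rewrite of a secret whose `data` is under `ignore_changes` is present and the job should stop before a secret is replaced. It assumes the plan text format shown in this issue ("# <address> will be updated in-place" lines and a "Plan: X to add, Y to change, Z to destroy." summary); the sample plan embedded below is the issue's own output.

```shell
#!/bin/sh
# Added example (not from the issue): gate a CI job on the text of a Terraform
# plan so that a resource under ignore_changes that still shows a diff is caught.
# The sample below is the plan text reported in the issue, embedded inline.

SAMPLE_PLAN=$(cat <<'EOF'
Terraform will perform the following actions:

  # kubernetes_secret.test4 will be updated in-place
  ~ resource "kubernetes_secret" "test4" {
      ~ data = (sensitive value)
        id   = "default/change-test4"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
EOF
)

# Print the address of every resource the plan would create, update, destroy
# or replace, one per line. Terraform introduces each planned action with a
# comment line such as "# <address> will be updated in-place" or
# "# <address> must be replaced"; "# (1 unchanged attribute hidden)" does
# not match because its third field is not "will"/"must".
changed_resources() {
  awk '$1 == "#" && $3 ~ /^(will|must)$/ && $4 == "be" { print $2 }'
}

# Sum the add/change/destroy counts from the "Plan: ..." summary line.
# Prints 0 when no summary is present (for example "No changes." output).
plan_change_count() {
  awk '/^Plan: /{ gsub(/,/, ""); total = $2 + $5 + $8; found = 1 }
       END { print (found ? total : 0) }'
}

# Gate: reads plan text from stdin, exits 0 when the plan is empty and 1 when
# any resource would change, listing the offending addresses on stdout.
check_plan() {
  tmp=$(mktemp) || return 2
  cat > "$tmp"
  changed=$(changed_resources < "$tmp")
  count=$(plan_change_count < "$tmp")
  rm -f "$tmp"
  if [ "$count" -eq 0 ] && [ -z "$changed" ]; then
    echo "plan is empty: no drift"
    return 0
  fi
  echo "plan still modifies $count resource(s):"
  printf '%s\n' "$changed"
  return 1
}

# Stand-alone demo on the embedded sample (expected: drift reported for test4).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PLAN" | check_plan
fi
```

In a pipeline the gate is fed with `terraform plan -no-color | check_plan`; when a Terraform binary is available, `terraform plan -detailed-exitcode` (exit status 2 when the plan contains changes) is the simpler gate, and the text parser is useful for plan output that was captured to a log, as in this report.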
