azurerm_iothub file_upload block always reports changing connection string #13279

Closed
kensykora opened this issue Sep 8, 2021 · 1 comment · Fixed by #13517

Comments

@kensykora

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.0.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.75.0
+ provider registry.terraform.io/hashicorp/null v3.1.0

Affected Resource(s)

  • azurerm_iothub

Terraform Configuration Files

data "azurerm_storage_account" "boxmedia" {
  name                = "mymedia01"
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_iothub" "iot-hub" {
  name                = "myhub"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location

  file_upload {
    connection_string = data.azurerm_storage_account.boxmedia.primary_connection_string
    container_name    = "uploads"
  }


  sku {
    name     = "S1"
    capacity = "1"
  }
}

Expected Behaviour

When setting the file_upload block of an azurerm_iothub resource, I expect that the connection_string property will only be flagged to change upon modification of the connection string value.

Actual Behaviour

However, the connection_string is always flagged for modification. This seems to be because the state file stores the connection string without the account key. This seems like it is an error, because the state file is known to store sensitive values, including connection strings and access keys.

Example of the state file:

{
    "mode": "managed",
    "type": "azurerm_iothub",
    "name": "myhub",
    "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
    "instances": [
        {
            "schema_version": 0,
            "attributes": {
                /* ...other attributes... */
                "file_upload": [
                    {
                        "connection_string": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=mystorage;AccountKey=****", /* Note the AccountKey=**** is literal, not modified for this issue */
                        "container_name": "uploads",
                        "default_ttl": "PT1H",
                        "lock_duration": "PT1M",
                        "max_delivery_count": 10,
                        "notifications": false,
                        "sas_ttl": "PT1M"
                    }
                ],
                "hostname": "myhub.azure-devices.net",
                /* ...other attributes... */
            },
            "sensitive_attributes": [],
            "private": "removed for github",
            "dependencies": []
        }
    ]
}

Note that the AccountKey=**** is literally taken from the state file, and not modified to protect the key for reporting this GitHub issue. Because the AccountKey is stored in state as a literal value of ****, the modification always occurs.

This operation, while unnecessary, is benign, but always gives me heart palpitations nonetheless when I see it perform effectively a no-op on my IoT hub, which services thousands of devices in production.

Steps to Reproduce

  1. Create an azurerm_storage_account
  2. Create an azurerm_iothub resource, and set the file_upload block to reference the azurerm_storage_account
  3. terraform apply
  4. terraform apply again

Expected: 2nd apply will have no changes
Actual: Apply wants to change the connection string
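
The perpetual diff reported above follows from a plain string comparison between the configured connection string and a stored copy whose AccountKey is the literal `****`. As an added example (not part of the original issue, and not the provider's code or the change in #13517), this Go program compares the two field by field and treats a masked stored key as unknown; the names `parseConnStr` and `sameExceptMaskedKey` and the sample key are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// maskedKey is the literal AccountKey value the issue shows in the state file.
const maskedKey = "****"

// parseConnStr splits "K1=V1;K2=V2" into a map with lower-cased keys.
// It splits on the first '=' only, because account keys can end in '='.
func parseConnStr(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			out[strings.ToLower(kv[0])] = kv[1]
		}
	}
	return out
}

// sameExceptMaskedKey reports whether stored and configured agree on every
// field, ignoring field order and skipping AccountKey when the stored copy
// holds only the mask.
func sameExceptMaskedKey(stored, configured string) bool {
	a, b := parseConnStr(stored), parseConnStr(configured)
	if len(a) != len(b) {
		return false
	}
	for k, av := range a {
		bv, ok := b[k]
		masked := k == "accountkey" && av == maskedKey
		if !ok || (!masked && av != bv) {
			return false
		}
	}
	return true
}

func main() {
	// stored is the value from the issue's state excerpt; cfg is constructed sample input.
	stored := "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=mystorage;AccountKey=****"
	cfg := "AccountName=mystorage;AccountKey=CONSTRUCTED-SAMPLE-KEY==;DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	fmt.Println("raw equal:", stored == cfg, "equivalent:", sameExceptMaskedKey(stored, cfg))
}
```

A comparison like this cannot tell whether the account key was rotated, because the masked copy carries no information about the key.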

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2021