
Secret UPDATE not working #31

Open
istarkov opened this issue Jan 21, 2024 · 4 comments

Comments

@istarkov

Execute the following terraform command:

terraform apply --var INFISCAL_TOKEN=$(infisical service-token create --scope='dev:/SETUPTOOLS/**' --access-level=read --access-level=write -e 100 --token-only)

with the following configuration:

provider "infisical" {
  alias         = "infiscal"
  host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
  service_token = var.INFISCAL_TOKEN
}

terraform {
  required_providers {
    infisical = {
      # version = <latest version>
      source = "infisical/infisical"
    }

    htpasswd = {
      source = "loafoe/htpasswd"
    }
  }
}

resource "random_password" "password" {
  length = 30
}

resource "random_password" "salt" {
  length = 8
}

resource "htpasswd_password" "hash" {
  password = random_password.password.result
  salt     = random_password.salt.result
}


resource "infisical_secret" "twine_username" {
  provider    = infisical.infiscal
  name        = "TWINE_USERNAME"
  value       = "opti-pypi"
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}


resource "infisical_secret" "twine_password" {
  provider = infisical.infiscal

  name = "TWINE_PASSWORD"

  value       = random_password.password.result
  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}



resource "infisical_secret" "twine_htpasswd" {
  provider = infisical.infiscal

  name  = ".htpasswd"
  value = "${infisical_secret.twine_username.value}:${htpasswd_password.hash.apr1}"

  env_slug    = "dev"
  folder_path = "/SETUPTOOLS/PYPI-SERVER"
}

It works on the 1st run without issues.
Now change value = "opti-pypi" to something like value = "opti".

Reapply with the same command, and I'm getting the following errors:

infisical_secret.twine_username: Modifying... [name=TWINE_USERNAME]
╷
│ Error: Error updating secret
│ 
│   with infisical_secret.twine_username,
│   on 30-infisical-pwd.tf line 15, in resource "infisical_secret" "twine_username":
│   15: resource "infisical_secret" "twine_username" {
│ 
│ Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response. Please make sure your secret path, workspace and
│ environment name are all correct [response={"type":"bad_request","message":"Missing encrypted
│ key","context":{},"level":30,"level_name":"INFO","status_code":400,"datetime_iso":"2024-01-21T14:45:54.890Z","application":"unknown","extra":[]}]
╵
failed to wait for command termination: exit status 1
@keinsell

Managed to solve the issue; still not sure what the exact cause was, or whether secrets are updating or not, but in my case it was a lack of wildcard access to directories in the service access token.
~ #33 (comment)

@mkosmo

mkosmo commented Apr 6, 2024

I'm also running into this and I can't figure out why. I have to drop them, delete them from state, and try again. The service token in use has RW access to /**.

@maidul98 (Contributor)

maidul98 commented Apr 9, 2024

@DanielHougaard can you please take a look when you have time?

@mkosmo

mkosmo commented Apr 9, 2024

If it helps, here are some of the relevant logs from my attempts to change an existing secret. What catches my eye is the response: [response={"statusCode":400,"message":"Secret already exist","error":"BadRequest"}]

Excerpts were just executed now; keys have since been rotated again in case I missed a redaction.

Plan

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # infisical_secret.aws_access_key_id_dev will be updated in-place
  ~ resource "infisical_secret" "aws_access_key_id_dev" {
      ~ last_updated = "Friday, 05-Apr-24 22:21:34 CDT" -> (known after apply)
        name         = "AWS_ACCESS_KEY_ID"
      ~ value        = "REDACTED" -> "REDACTED"
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
2024-04-09T11:22:45.246-0500 [INFO]  backend/local: apply calling Apply

Apply

infisical_secret.aws_access_key_id_dev: Modifying... [name=AWS_ACCESS_KEY_ID]
2024-04-09T11:22:46.369-0500 [INFO]  Starting apply for infisical_secret.aws_access_key_id_dev
2024-04-09T11:22:46.369-0500 [DEBUG] infisical_secret.aws_access_key_id_dev: applying the planned Update change
2024-04-09T11:22:46.370-0500 [DEBUG] provider.terraform-provider-infisical_v0.4.0: Calling provider defined Resource Configure: @module=sdk.framework tf_req_id=b18c88af-b139-c23a-0200-d5f93f089cc8 tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-framework@v1.3.0/internal/fwserver/server_updateresource.go:55 tf_provider_addr=registry.terraform.io/infisical/infisical tf_resource_type=infisical_secret timestamp=2024-04-09T11:22:46.370-0500
2024-04-09T11:22:46.370-0500 [DEBUG] provider.terraform-provider-infisical_v0.4.0: Called provider defined Resource Configure: tf_provider_addr=registry.terraform.io/infisical/infisical tf_req_id=b18c88af-b139-c23a-0200-d5f93f089cc8 tf_resource_type=infisical_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-framework@v1.3.0/internal/fwserver/server_updateresource.go:57 @module=sdk.framework timestamp=2024-04-09T11:22:46.370-0500
2024-04-09T11:22:46.370-0500 [DEBUG] provider.terraform-provider-infisical_v0.4.0: Calling provider defined Resource Update: @caller=github.com/hashicorp/terraform-plugin-framework@v1.3.0/internal/fwserver/server_updateresource.go:121 @module=sdk.framework tf_provider_addr=registry.terraform.io/infisical/infisical tf_resource_type=infisical_secret tf_rpc=ApplyResourceChange tf_req_id=b18c88af-b139-c23a-0200-d5f93f089cc8 timestamp=2024-04-09T11:22:46.370-0500
2024-04-09T11:22:47.502-0500 [DEBUG] provider.terraform-provider-infisical_v0.4.0: Called provider defined Resource Update: tf_req_id=b18c88af-b139-c23a-0200-d5f93f089cc8 tf_rpc=ApplyResourceChange tf_provider_addr=registry.terraform.io/infisical/infisical tf_resource_type=infisical_secret @caller=github.com/hashicorp/terraform-plugin-framework@v1.3.0/internal/fwserver/server_updateresource.go:123 @module=sdk.framework timestamp=2024-04-09T11:22:47.502-0500
2024-04-09T11:22:47.502-0500 [ERROR] provider.terraform-provider-infisical_v0.4.0: Response contains error diagnostic: diagnostic_summary="Error updating secret" tf_resource_type=infisical_secret tf_proto_version=6.3 diagnostic_detail="Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response. Please make sure your secret path, workspace and environment name are all correct [response={"statusCode":400,"message":"Secret already exist","error":"BadRequest"}]" tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.15.0/tfprotov6/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_severity=ERROR tf_provider_addr=registry.terraform.io/infisical/infisical tf_req_id=b18c88af-b139-c23a-0200-d5f93f089cc8 timestamp=2024-04-09T11:22:47.502-0500
2024-04-09T11:22:47.533-0500 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2024-04-09T11:22:47.533-0500 [ERROR] vertex "infisical_secret.aws_access_key_id_dev" error: Error updating secret
╷
│ Warning: Resource targeting is in effect
│ 
│ You are creating a plan with the -target option, which means that the
│ result of this plan may not represent all of the changes requested by the
│ current configuration.
│ 
│ The -target option is not for routine use, and is provided only for
│ exceptional situations such as recovering from errors or mistakes, or when
│ Terraform specifically suggests to use it as part of an error message.
╵
╷
│ Warning: Applied changes may be incomplete
│ 
│ The plan was created with the -target option in effect, so some changes
│ requested in the configuration may have been ignored and the output values
│ may not be fully updated. Run the following command to verify that no other
│ changes are pending:
│     terraform plan
│ 
│ Note that the -target option is not suitable for routine use, and is
│ provided only for exceptional situations such as recovering from errors or
│ mistakes, or when Terraform specifically suggests to use it as part of an
│ error message.
╵
╷
│ Error: Error updating secret
│ 
│   with infisical_secret.aws_access_key_id_dev,
│   on aws_iam_terraform.tf line 14, in resource "infisical_secret" "aws_access_key_id_dev":
│   14: resource "infisical_secret" "aws_access_key_id_dev" {
│ 
│ Couldn't save encrypted secrets to Infiscial, unexpected error:
│ CallUpdateSecretsV3: Unsuccessful response. Please make sure your secret
│ path, workspace and environment name are all correct
│ [response={"statusCode":400,"message":"Secret already
│ exist","error":"BadRequest"}]
╵
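A small triage helper, added here as an example and not part of the provider or of any comment in this thread: it pulls the API response body out of the provider's `[ERROR]` diagnostic lines in Terraform debug output and tags the two distinct 400 responses quoted above ("Missing encrypted key" in the original report, "Secret already exist" in the later logs), which use different key names for the status code. The sample log lines are constructed from the messages in this issue, with the long attribute lists trimmed.

```python
import json
import re

# Constructed sample lines, modelled on the provider diagnostics quoted in this
# issue (trimmed). Both API response shapes seen in the thread are represented.
SAMPLE_LOG = """\
2024-01-21T14:45:54.890Z [ERROR] provider.terraform-provider-infisical: Response contains error diagnostic: diagnostic_summary="Error updating secret" diagnostic_detail="Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response [response={"type":"bad_request","message":"Missing encrypted key","context":{},"status_code":400}]"
2024-04-09T11:22:47.502-0500 [ERROR] provider.terraform-provider-infisical_v0.4.0: Response contains error diagnostic: diagnostic_summary="Error updating secret" diagnostic_detail="Couldn't save encrypted secrets to Infiscial, unexpected error: CallUpdateSecretsV3: Unsuccessful response [response={"statusCode":400,"message":"Secret already exist","error":"BadRequest"}]"
2024-04-09T11:22:47.533-0500 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
"""

# One provider error diagnostic per line; the API body sits in [response={...}].
DIAG_RE = re.compile(
    r'^(?P<ts>\S+) \[ERROR\] (?P<src>\S+): Response contains error diagnostic: '
    r'.*?diagnostic_summary="(?P<summary>[^"]*)".*?\[response=(?P<body>\{.*\})\]'
)


def parse_diagnostics(log_text: str) -> list:
    """Return one record per provider error diagnostic in Terraform debug output."""
    records = []
    for line in log_text.splitlines():
        m = DIAG_RE.match(line)
        if not m:
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            body = {}  # keep the record even if the body is not valid JSON
        records.append({
            "timestamp": m.group("ts"),
            "summary": m.group("summary"),
            # The two responses in this thread spell the status differently
            # ("status_code" vs "statusCode"); accept either.
            "status": body.get("statusCode", body.get("status_code")),
            "message": body.get("message"),
        })
    return records


def classify(record: dict) -> str:
    """Tag a record with the failure signature reported in this issue, if any."""
    if record["status"] == 400 and record["message"] == "Missing encrypted key":
        return "missing-encrypted-key"
    if record["status"] == 400 and record["message"] == "Secret already exist":
        return "secret-already-exists"
    return "other"
```

Run it over a real `TF_LOG=DEBUG` capture to see which of the two server responses an update failure actually produced before comparing token scopes, as keinsell's comment suggests.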
