secret_text_bindings on cloudflare_worker_script are not removed from the worker

[ecclesm]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.4.5
on darwin_arm64

cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 4.3.0"
}

Affected resource(s)

• cloudflare_worker_script (secret_text_bindings)

Terraform configuration files

FIRST RUN

resource "cloudflare_worker_script" "helloworld" {
  account_id = var.cloudflare_account_id
  name       = "${var.environment}-helloworld"
  content    = file("functions/helloworld/index.js")
  compatibility_date = "2023-03-27"

  plain_text_binding {
    name = "PLAIN_1"
    text = "pt1"
  }
  plain_text_binding {
    name = "PLAIN_2"
    text = "pt2"
  }

  secret_text_binding {
    name = "secret_1"
    text = "secretOne"
  }
  secret_text_binding {
    name = "secret_2"
    text = "secretTwo"
  }
}


SECOND RUN

resource "cloudflare_worker_script" "helloworld" {
  account_id = var.cloudflare_account_id
  name       = "${var.environment}-helloworld"
  content    = file("functions/helloworld/index.js")
  compatibility_date = "2023-03-27"

  plain_text_binding {
    name = "PLAIN_1"
    text = "pt1"
  }
  
  secret_text_binding {
    name = "secret_1"
    text = "secretOne"
  }
}

Link to debug output

https://gist.github.com/ecclesm/b513a3109a5723d8dfaff36822efb88f

Panic output

No response

Expected output

On each deploy, if am existing secret_text_binding is not included, terraform will remove it from the worker.

This expected behaviour is seen on a plain text binding.

Actual output

It looks like terraform recognises the binding needs to be removed, however the secret binding is still present on the worker after deploy.

For the below the 4 bindings were created on the initial deploy. On the following deploy I removed the second of each type, but only the plain text binding was removed.

First Run

Second Run

Steps to reproduce

1. Do an initial deployment with a secret text binding on the worker
2. Remove the secret binding, deploy again and observe in the workers console that the secret binding is still present.

Additional factoids

No response

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ecclesm]

Is there any update with regards to this issue?

[Nmishin]

also sad that 'ignore_changes' isn't works
for example, if I set

 lifecycle {
    ignore_changes = [
     secret_text_binding
    ]
  }

I will get the error:

cloudflare_worker_script.main["test"]: Modifying... [id=hello_world2]
╷
│ Error: error updating worker script: Text for binding "SECRET" cannot be empty
│ 
│   with cloudflare_worker_script.main["test"],
│   on main.tf line 21, in resource "cloudflare_worker_script" "main":
│   21: resource "cloudflare_worker_script" "main" {

this is because terraform can't read secret value (because of API changed)
and function inside cloudflare-go failed - https://github.com/cloudflare/cloudflare-go/blob/5237e486f2a39aa4432b185af29e860fa30704f9/workers_bindings.go#L231