[BUG]: Provider produced inconsistent final plan V6.6.0

[ggmanugg]

Expected Behavior

When updating multiple github_repository_webhook resources (using for_each) whose configuration.url is fed from another resource’s output (portainer_stack.*.webhook_url), Terraform should apply cleanly. Specifically, updating existing webhooks in-place should not fail on a “sensitive attribute” mismatch.

Actual Behavior

Apply bombs out with:

Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ github_repository_webhook.vse002-swarm["rustdesk"] to include new values
│ learned so far during apply, provider
│ "registry.terraform.io/integrations/github" produced an invalid new value
│ for .configuration[0].url: inconsistent values for sensitive attribute.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Terraform Version

Terraform v1.13.1 (GitHub Action ubuntu-latest)

• provider registry.terraform.io/integrations/github v6.6.0
• provider registry.terraform.io/portainer/portainer v1.12.0

Affected Resource(s)

• github_repository_webhook

Terraform Configuration Files

locals {
  compose_files = fileset("${path.module}/../stacks", "*/compose.yml")
  stacks = {
    for f in local.compose_files :
    split("/", f)[0] => "stacks/${f}"
  }
}

variable "repository_url"   { type = string, default = "https://github.com/ggmanugg/homelab_terra" }
variable "repository_ref"   { type = string, default = "refs/heads/main" }
variable "portainer_endpoint" {}
variable "portainer_api_key" {}
variable "github_token" {}
variable "repository_name"  { type = string, default = "homelab_terra" }

provider "portainer" {
  endpoint = var.portainer_endpoint
  api_key  = var.portainer_api_key
}

provider "github" {
  token = var.github_token
}

resource "portainer_stack" "vse002-swarm" {
  for_each = local.stacks
  name                      = each.key
  deployment_type           = "swarm"
  method                    = "repository"
  endpoint_id               = 1
  repository_url            = var.repository_url
  repository_reference_name = var.repository_ref
  file_path_in_repository   = each.value
  stack_webhook             = true
  prune                     = true
}

resource "github_repository_webhook" "vse002-swarm" {
  for_each   = local.stacks
  repository = var.repository_name
  configuration {
    url          = portainer_stack.vse002-swarm[each.key].webhook_url
    content_type = "json"
  }
  events = ["push"]
}

Steps to Reproduce

$ terraform apply

Debug Output

Run terraform apply -auto-approve -input=false
  terraform apply -auto-approve -input=false
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    TF_VAR_portainer_endpoint: ***
    TF_VAR_portainer_api_key: ***
    TF_VAR_github_token: ***
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/97f50298-1b19-4e21-acef-c1ff113089f5
portainer_stack.vse002-swarm["test"]: Refreshing state... [id=107]
portainer_stack.vse002-swarm["rustdesk"]: Refreshing state... [id=106]
github_repository_webhook.vse002-swarm["test"]: Refreshing state... [id=568324579]
github_repository_webhook.vse002-swarm["rustdesk"]: Refreshing state... [id=568324576]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # github_repository_webhook.vse002-swarm["dns"] will be created
  + resource "github_repository_webhook" "vse002-swarm" {
      + active     = true
      + etag       = (known after apply)
      + events     = [
          + "push",
        ]
      + id         = (known after apply)
      + repository = "homelab_terra"
      + url        = (known after apply)

      + configuration {
          + content_type = "json"
          + url          = (sensitive value)
        }
    }

  # github_repository_webhook.vse002-swarm["rustdesk"] will be updated in-place
  ~ resource "github_repository_webhook" "vse002-swarm" {
        id         = "568324576"
        # (4 unchanged attributes hidden)

      ~ configuration {
          ~ url          = (sensitive value)
            # (3 unchanged attributes hidden)
        }
    }

  # github_repository_webhook.vse002-swarm["test"] will be updated in-place
  ~ resource "github_repository_webhook" "vse002-swarm" {
        id         = "568324579"
        # (4 unchanged attributes hidden)

      ~ configuration {
          ~ url          = (sensitive value)
            # (3 unchanged attributes hidden)
        }
    }

  # portainer_stack.vse002-swarm["dns"] will be created
  + resource "portainer_stack" "vse002-swarm" {
      + compose_format                = false
      + deployment_type               = "swarm"
      + endpoint_id                   = 1
      + file_path_in_repository       = "stacks/dns/compose.yml"
      + force_update                  = false
      + git_repository_authentication = false
      + id                            = (known after apply)
      + method                        = "repository"
      + name                          = "dns"
      + prune                         = true
      + pull_image                    = false
      + repository_reference_name     = "refs/heads/main"
      + repository_url                = "https://github.com/ggmanugg/homelab_terra"
      + stack_webhook                 = true
      + support_relative_path         = false
      + swarm_id                      = (known after apply)
      + tlsskip_verify                = false
      + webhook_id                    = (known after apply)
      + webhook_url                   = (known after apply)
    }

  # portainer_stack.vse002-swarm["rustdesk"] will be updated in-place
  ~ resource "portainer_stack" "vse002-swarm" {
        id                            = "106"
        name                          = "rustdesk"
      ~ prune                         = false -> true
        # (17 unchanged attributes hidden)
    }

  # portainer_stack.vse002-swarm["test"] will be updated in-place
  ~ resource "portainer_stack" "vse002-swarm" {
        id                            = "107"
        name                          = "test"
      ~ prune                         = false -> true
        # (17 unchanged attributes hidden)
    }

Plan: 2 to add, 4 to change, 0 to destroy.
portainer_stack.vse002-swarm["dns"]: Creating...
portainer_stack.vse002-swarm["rustdesk"]: Modifying... [id=106]
portainer_stack.vse002-swarm["test"]: Modifying... [id=107]
portainer_stack.vse002-swarm["test"]: Modifications complete after 2s [id=107]
portainer_stack.vse002-swarm["rustdesk"]: Modifications complete after 2s [id=106]
portainer_stack.vse002-swarm["dns"]: Creation complete after 5s [id=110]
github_repository_webhook.vse002-swarm["dns"]: Creating...
github_repository_webhook.vse002-swarm["dns"]: Creation complete after 1s [id=568331756]
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ github_repository_webhook.vse002-swarm["rustdesk"] to include new values
│ learned so far during apply, provider
│ "registry.terraform.io/integrations/github" produced an invalid new value
│ for .configuration[0].url: inconsistent values for sensitive attribute.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for github_repository_webhook.vse002-swarm["test"]
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/integrations/github" produced an invalid new value
│ for .configuration[0].url: inconsistent values for sensitive attribute.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Panic Output

Code of Conduct

• I agree to follow this project's Code of Conduct