Secret creation through OpenTofu with limited access role creates inconsistent result after apply #3410

@ImreC

Description

Terraform Version

OpenTofu v1.10.3
on linux_amd64

  • provider registry.opentofu.org/hashicorp/scaleway v2.60.4

Affected Resource(s)

  • resource scaleway_secret_version

Terraform Configuration Files

# main.tf
resource "scaleway_secret" "db_connection_string" {
  name        = "test"
  description = "The connection string of the client db"
}

resource "scaleway_secret_version" "db_connection_string_v1" {
  secret_id = scaleway_secret.db_connection_string.id
  data      = "test"
}

Debug Output

Error: Provider produced inconsistent result after apply

When applying changes to
module.auth_db.scaleway_secret.db_connection_string, provider
"provider["registry.opentofu.org/scaleway/scaleway"]" produced an
unexpected new value: root object was present, but now absent.

This is a bug in the provider, which should be reported in the provider's
own issue tracker.

Expected Behavior

It should have created both the secret and the secret version.

Actual Behavior

The secret is created, but the secret version is not, and running apply produces the above error.

Steps to Reproduce

  1. Create a scw profile with the SecretManagerSecretCreate permission only. The role I am testing with has:

[
  "ContainerRegistryReadOnly",
  "ContainersFullAccess",
  "ObjectStorageBucketsRead",
  "ObjectStorageObjectsWrite",
  "ObjectStorageObjectsRead",
  "ObjectStorageObjectsDelete",
  "RelationalDatabasesFullAccess",
  "SecretManagerSecretCreate"
]

  2. Use the profile in the scw CLI.
  3. tofu init && tofu apply

Important Factoids

I am using a limited role as outlined above. It works when I use my full admin role. It seems like something is going wrong with using the SecretManagerSecretCreate permission only. Unless this is supposed to not work this way, but intuitively I would say that SecretManagerSecretCreate should be enough to run this tf template.
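What that error class means, as an added illustration that is not part of the issue and not the scaleway provider's code: OpenTofu (like Terraform) reports "root object was present, but now absent" when a provider returns a null new state for a resource that the plan said would exist after apply. The Go sketch below assumes, hypothetically (the page does not show the provider's internals), that the provider reads the secret back after creating it and clears the state on any read error, so a role that can create but not read produces exactly this symptom while a full-access role does not. The fake API, its placeholder permission names "SecretCreate" and "SecretRead" (not Scaleway permission-set names), and the secret IDs are all constructed for the example; the strict variant shows the check a provider should make so that a 403 on read-back is surfaced instead of being mistaken for a deleted resource.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError models an HTTP-style error returned by a cloud API. It is
// constructed for this example and is not the Scaleway SDK's error type.
type apiError struct {
	Status  int
	Message string
}

func (e *apiError) Error() string { return fmt.Sprintf("HTTP %d: %s", e.Status, e.Message) }

// secret is the object a provider writes into state after a successful apply.
type secret struct {
	ID   string
	Name string
}

// fakeAPI is a stand-in backend with a permission check on every call. The
// permission names "SecretCreate" and "SecretRead" are placeholders chosen
// for this example, not Scaleway permission-set names.
type fakeAPI struct {
	perms   map[string]bool
	secrets map[string]*secret
}

func newFakeAPI(perms ...string) *fakeAPI {
	a := &fakeAPI{perms: map[string]bool{}, secrets: map[string]*secret{}}
	for _, p := range perms {
		a.perms[p] = true
	}
	return a
}

func (a *fakeAPI) createSecret(name string) (*secret, error) {
	if !a.perms["SecretCreate"] {
		return nil, &apiError{403, "insufficient permissions for create"}
	}
	s := &secret{ID: "secret-" + name, Name: name}
	a.secrets[s.ID] = s
	return s, nil
}

func (a *fakeAPI) getSecret(id string) (*secret, error) {
	if !a.perms["SecretRead"] {
		return nil, &apiError{403, "insufficient permissions for get"}
	}
	s, ok := a.secrets[id]
	if !ok {
		return nil, &apiError{404, "secret not found"}
	}
	return s, nil
}

// applyNaive is the problematic pattern: create, then read back, and clear
// the state on any read error. A 403 from the read-back therefore looks
// exactly like a deleted resource: nil state, nil error.
func applyNaive(api *fakeAPI, name string) (*secret, error) {
	created, err := api.createSecret(name)
	if err != nil {
		return nil, err
	}
	s, err := api.getSecret(created.ID)
	if err != nil {
		return nil, nil // treated as "resource gone", state is dropped
	}
	return s, nil
}

// applyStrict only treats a 404 as "gone"; a 403 is surfaced together with
// the ID of the secret that was already created, so the operator can fix the
// role instead of retrying blindly.
func applyStrict(api *fakeAPI, name string) (*secret, error) {
	created, err := api.createSecret(name)
	if err != nil {
		return nil, err
	}
	s, err := api.getSecret(created.ID)
	var ae *apiError
	if errors.As(err, &ae) {
		switch ae.Status {
		case 404:
			return nil, fmt.Errorf("secret %s vanished right after creation", created.ID)
		case 403:
			return nil, fmt.Errorf("secret %s was created but cannot be read back: %w (the role needs a read permission next to the create permission)", created.ID, err)
		}
	}
	if err != nil {
		return nil, err
	}
	return s, nil
}

// classify mirrors the core's post-apply consistency check: a resource that
// the plan says must exist but that the provider returned as nil.
func classify(s *secret, err error) string {
	switch {
	case err != nil:
		return "error: " + err.Error()
	case s == nil:
		return "inconsistent result: root object was present, but now absent"
	default:
		return "ok: " + s.ID
	}
}

func main() {
	limited := newFakeAPI("SecretCreate")
	fmt.Println("limited role, naive provider: ", classify(applyNaive(limited, "test")))
	fmt.Println("limited role, strict provider:", classify(applyStrict(limited, "test")))
	full := newFakeAPI("SecretCreate", "SecretRead")
	fmt.Println("full role, naive provider:    ", classify(applyNaive(full, "test")))
}
```

The practical caveat for least-privilege roles follows from the naive path: a create-only permission set is not enough for a provider that reads the object back after apply, so the role used by tofu needs read access on the secrets it creates as well, and the error message alone does not tell you that.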

Metadata

Labels

  • iam: IAM issues, bugs and feature requests
  • priority:highest: Bugs filled by customers, security issues
  • secret: Managed Secret Manager issues, bugs and feature requests
