databricks.secret on string_value will trigger replacement but this is incorrect and should only trigger update

[C0dingMast3r]

Describe what happened

The following is a script I run to populate a secret.

databricks_secret = databricks.Secret(f"{scope_name}-{secret_name}",
                        key=secret_name,
                        string_value=secret_string[aws_secret_key],
                        scope=databricks_scope.name,
                        opts=pulumi.ResourceOptions(parent=databricks_scope)
                    )

If the string_value is updated it triggers a replacement.

The issue with this is that under the current logic it actually updates the secret in place and then it deletes the old secret

However, since the secret was just updated in place, the secret is then just deleted and no longer accessible and requires a refresh to fix.

The temp solution is:

adding a opt so that it looks like: opts=pulumi.ResourceOptions(parent=databricks_scope, delete_before_replace=True)

This will delete the secret and then recreate it.

Proposed solution:
Modify the secret so that it can update in place as it seems as though a full replacement is not necessary and can just be an update on string_value change.

Note: this was developed with python.

Sample program

workspace_provider=databricks.Provider() # modify as needed to setup provider at workspace level

scope_name = 'scope_1'
databricks_scope = databricks.SecretScope(f"{scope_name}", 
                    name=f"{scope_name}",
                    opts=pulumi.ResourceOptions(provider=workspace_provider))
secret_name="secret_1"
databricks_secret = databricks.Secret(f"{secret_name}",
                        key=f"{secret_name}",
                        string_value="1", # then rerun changing this secret
                        scope=databricks_scope.name,
                        opts=pulumi.ResourceOptions(parent=databricks_scope, delete_before_replace=True)
                    )

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

$ pulumi about
CLI
Version      3.132.0
Go Version   go1.23.1
Go Compiler  gc

Host
OS       Microsoft Windows 11 Enterprise
Version  10.0.22631 Build 22631
Arch     x86_64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[VenelinMartinov]

Thanks for reporting @C0dingMast3r and sorry you've hit this. Glad to see you have found the workaround of using DeleteBeforeReplace.

We avoid the need for users to specify DeleteBeforeReplace themselves if we specified it in resources.go for this resource since it gets implicitly replaced.

[VenelinMartinov]

related to pulumi/pulumi#918