ns1_apikey.key is always empty

[norman-zon]

Per docs ns1_apikey.key should be exported.

terraform state show:

# ns1_apikey.ns1-mykey:
resource "ns1_apikey" "ns1-mykey" {
    account_manage_account_settings  = false
    account_manage_apikeys           = false
    account_manage_ip_whitelist      = false
    account_manage_payment_methods   = false
    account_manage_plan              = false
    account_manage_teams             = false
    account_manage_users             = false
    account_view_activity_log        = false
    account_view_invoices            = false
    data_manage_datafeeds            = false
    data_manage_datasources          = false
    data_push_to_datafeeds           = false
    dns_manage_zones                 = false
    dns_view_zones                   = true
    dns_zones_allow                  = []
    dns_zones_allow_by_default       = true
    dns_zones_deny                   = []
    id                               = "xxxxxxxxxxxxxxxx"
    ip_whitelist                     = []
    ip_whitelist_strict              = false
    monitoring_create_jobs           = false
    monitoring_delete_jobs           = false
    monitoring_manage_jobs           = false
    monitoring_manage_lists          = false
    monitoring_update_jobs           = false
    monitoring_view_jobs             = false
    name                             = "ns1-mykey"
    security_manage_active_directory = false
    security_manage_global_2fa       = false
    teams                            = []
}

Does not list it.

Trying to access it from another resource with ns1_apikey.ns1-mykey does not fail, but is an empty string.

How am I supposed to access the API key itself?

[pburrows-ns1]

Hi @norman-zon 👋
The api key is marked as sensitive, but can be seen in the state file using json output:
terraform show -json | jq -r '.values.root_module.resources[] | select(.address=="ns1_apikey.ns1-mykey") | .values.key'

There are a couple of examples here using outputs as well: https://support.hashicorp.com/hc/en-us/articles/5175257151891-How-to-output-sensitive-data-with-Terraform

If you really want to see the key output on creation you can do this:

resource "ns1_apikey" "ns1-mykey" {
    name = "tf test key"
}

output "token_value" {
 value = nonsensitive(ns1_apikey.ns1-mykey.key)
}

[norman-zon]

My goal is to use it directly in terraform, for example to write it to a vault secret.

resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = jsonencode(
    tomap({
      "api_key" = ns1_apikey.ns1-mykey.key,
      
    })
  )
}

This works for the first apply, on creation, but on the second apply would be set to "".

Can the key somehow be accessed permanently from within terraform?

[pburrows-ns1]

I see!

As you've noted the key is not present on subsequent API calls, but given that the key will not change, you could ignore it on the change on the vault resource if this is acceptable:

resource "ns1_apikey" "ns1-mykey" {
  name = "tf test key"
}

resource "vault_generic_secret" "example" {
  path = "secret/foo"

  data_json = jsonencode(
    tomap({
      "api_key" = ns1_apikey.ns1-mykey.key,

    })
  )

  lifecycle {
    ignore_changes = [data_json]
  }
}

[norman-zon]

That would work. But IMHO it defeats the purpose of having the key in terraform.
I want terraform to keep my config consistent, which it cannot, when I ignore changes.

I completely understand where you come from hiding the key in the UI after creation, but for IAC this seems to be an unhelpful approach.

[pburrows-ns1]

OK, I will open a ticket internally and work on this 👍

[pburrows-ns1]

@norman-zon Could you please try version 2.5.2 and let me know how you get on?

[norman-zon]

Yes! That works. Thank you very much for the quick fix.