Microsoft Entra ID Secret not updated by Terraform #390

Open
nbaju1 opened this issue Jan 21, 2025 · 0 comments
Labels
bug Something isn't working

Describe the bug
We have configured the Microsoft Entra ID connector with Terraform. The pipeline to (re-)deploy this connector runs on a weekly schedule to update the secret, which is frequently rotated. The output of terraform plan shows that the secret should update, but it is in fact not updated, which leads to the connector failing to connect when the previous secret expires.

When I manually copy the client secret from the AWS secret and paste it into the Fivetran UI, the connector resumes successfully.

To Reproduce

## AWS RESOURCES

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

data "aws_secretsmanager_secret" "entra_id_credentials" {
  name = "<redacted>"
}

data "aws_secretsmanager_secret_version" "entra_id_credentials" {
  secret_id = data.aws_secretsmanager_secret.entra_id_credentials.id
}

locals {
  entra_id_credentials = jsondecode(data.aws_secretsmanager_secret_version.entra_id_credentials.secret_string)
}

## FIVETRAN RESOURCES

data "fivetran_group" "connectors" {
  id = "<redacted>"
}

data "fivetran_destination" "snowflake_destination" {
  id = "<redacted>"
}

resource "fivetran_connector" "microsoft_entra_id" {
  group_id          = data.fivetran_group.connectors.id
  service           = "microsoft_entra_id"
  networking_method = "Directly"
  config {
    tenant        = sensitive(local.entra_id_credentials.tenant_id)
    client_id     = sensitive(local.entra_id_credentials.client_id)
    client_secret = sensitive(local.entra_id_credentials.client_secret)
  }
}

resource "fivetran_connector_schedule" "microsoft_entra_id_schedule" {
  connector_id   = fivetran_connector.microsoft_entra_id.id
  sync_frequency = var.sync_frequency
  lifecycle {
    ignore_changes = [
      sync_frequency
    ]
  }
}

Expected behavior
The secret being updated with the new value.

Logs & Output

data.aws_secretsmanager_secret.fivetran_credentials: Reading...
data.aws_region.current: Reading...
data.aws_secretsmanager_secret.entra_id_credentials: Reading...
data.aws_caller_identity.current: Reading...
data.aws_region.current: Read complete after 0s [id=<redacted>]
data.aws_caller_identity.current: Read complete after 0s [id=<redacted>]
data.aws_secretsmanager_secret.fivetran_credentials: Read complete after 0s [id=<redacted>]
data.aws_secretsmanager_secret_version.fivetran_credentials: Reading...
data.aws_secretsmanager_secret.entra_id_credentials: Read complete after 0s [id=<redacted>]
data.aws_secretsmanager_secret_version.entra_id_credentials: Reading...
data.aws_secretsmanager_secret_version.entra_id_credentials: Read complete after 0s [id=<redacted>AWSCURRENT]
data.aws_secretsmanager_secret_version.fivetran_credentials: Read complete after 0s [id=<redacted>AWSCURRENT]
data.fivetran_group.connectors: Reading...
data.fivetran_destination.snowflake_destination: Reading...
data.fivetran_group.connectors: Read complete after 1s [id=<redacted>]
data.fivetran_destination.snowflake_destination: Read complete after 1s [id=<redacted>]
fivetran_connector.microsoft_entra_id: Refreshing state... [id=<redacted>]
fivetran_connector_schedule.microsoft_entra_id_schedule: Refreshing state... [id=<redacted>]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # fivetran_connector.microsoft_entra_id will be updated in-place
  ~ resource "fivetran_connector" "microsoft_entra_id" {
      ~ connected_by       = "<redacted>" -> (known after apply)
      ~ created_at         = "2024-02-15 09:10:55.559984 +0000 UTC" -> (known after apply)
      ~ id                 = "<redacted>" -> (known after apply)
      ~ name               = "microsoft_entra_id" -> (known after apply)
      + run_setup_tests    = (known after apply)
      + trust_certificates = (known after apply)
      + trust_fingerprints = (known after apply)
        # (3 unchanged attributes hidden)

      ~ config {
          + abs_connection_string                               = (sensitive value)
          + abs_container_name                                  = (known after apply)
          + access_key                                          = (sensitive value)
          + access_key_id                                       = (sensitive value)
          + access_token                                        = (sensitive value)
          + account                                             = (known after apply)
          + account_id                                          = (known after apply)
          + account_key                                         = (sensitive value)
          + account_region                                      = (known after apply)
          + account_type                                        = (known after apply)
          + action_report_time                                  = (known after apply)
          + agent_config_method                                 = (known after apply)
          + agent_host                                          = (known after apply)
          + agent_ora_home                                      = (known after apply)
          + agent_password                                      = (sensitive value)
          + agent_port                                          = (known after apply)
          + agent_public_cert                                   = (known after apply)
          + agent_user                                          = (known after apply)
          + aggregation                                         = (known after apply)
          + always_encrypted                                    = (known after apply)
          + api_access_token                                    = (sensitive value)
          + api_environment                                     = (known after apply)
          + api_key                                             = (sensitive value)
          + api_quota                                           = (known after apply)
          + api_requests_per_minute                             = (known after apply)
          + api_secret                                          = (sensitive value)
          + api_server                                          = (known after apply)
          + api_token                                           = (sensitive value)
          + api_type                                            = (known after apply)
          + api_url                                             = (known after apply)
          + api_usage                                           = (known after apply)
          + api_utilization_percentage                          = (known after apply)
          + api_version                                         = (known after apply)
          + app_sync_mode                                       = (known after apply)
          + append_file_option                                  = (known after apply)
          + archive_pattern                                     = (known after apply)
          + are_soap_credentials_provided                       = (known after apply)
          + asm_option                                          = (known after apply)
          + asm_oracle_home                                     = (known after apply)
          + asm_password                                        = (sensitive value)
          + asm_tns                                             = (known after apply)
          + asm_user                                            = (known after apply)
          + auth                                                = (known after apply)
          + auth_environment                                    = (known after apply)
          + auth_mode                                           = (known after apply)
          + auth_type                                           = (known after apply)
          + authentication_method                               = (known after apply)
          + authorization_method                                = (known after apply)
          + aws_region_code                                     = (known after apply)
          + base_url                                            = (known after apply)
          + blockchain                                          = (known after apply)
          + bucket                                              = (known after apply)
          + bucket_name                                         = (known after apply)
          + bucket_service                                      = (known after apply)
          + certificate                                         = (sensitive value)
          + click_attribution_window                            = (known after apply)
          + client_name                                         = (sensitive value)
          ~ client_secret                                       = (sensitive value)
          + cloud_storage_type                                  = (known after apply)
          + company_id                                          = (known after apply)
          + compression                                         = (known after apply)
          + config_method                                       = (known after apply)
          + config_type                                         = (known after apply)
          + connection_method                                   = (known after apply)
          + connection_string                                   = (sensitive value)
          + connection_type                                     = (known after apply)
          + consumer_group                                      = (known after apply)
          + consumer_key                                        = (sensitive value)
          + consumer_secret                                     = (sensitive value)
          + container_name                                      = (known after apply)
          + conversion_report_time                              = (known after apply)
          + conversion_window_size                              = (known after apply)
          + convert_dats_type_to_date                           = (known after apply)
          + csv_definition                                      = (known after apply)
          + customer_id                                         = (known after apply)
          + customer_list_id                                    = (known after apply)
          + daily_api_call_limit                                = (known after apply)
          + data_access_method                                  = (known after apply)
          + data_center                                         = (known after apply)
          + data_center_id                                      = (known after apply)
          + database                                            = (known after apply)
          + dataset_id                                          = (known after apply)
          + datasource                                          = (known after apply)
          + date_granularity                                    = (known after apply)
          + delimiter                                           = (known after apply)
          + direct_capture_method                               = (known after apply)
          + distributed_connector_cluster_size                  = (known after apply)
          + domain                                              = (known after apply)
          + domain_host_name                                    = (known after apply)
          + domain_name                                         = (known after apply)
          + domain_type                                         = (known after apply)
          + email                                               = (known after apply)
          + empty_header                                        = (known after apply)
          + enable_all_dimension_combinations                   = (known after apply)
          + enable_archive_log_only                             = (known after apply)
          + enable_data_extensions_syncing                      = (known after apply)
          + enable_distributed_connector_mode                   = (known after apply)
          + enable_enrichments                                  = (known after apply)
          + enable_exports                                      = (known after apply)
          + enable_tde                                          = (known after apply)
          + encryption_key                                      = (sensitive value)
          + endpoint                                            = (known after apply)
          + engagement_attribution_window                       = (known after apply)
          + entity_id                                           = (known after apply)
          + environment                                         = (known after apply)
          + escape_char                                         = (known after apply)
          + escape_char_options                                 = (known after apply)
          + eu_region                                           = (known after apply)
          + export_storage_type                                 = (known after apply)
          + external_id                                         = (known after apply)
          + file_type                                           = (known after apply)
          + finance_account_sync_mode                           = (known after apply)
          + folder_id                                           = (known after apply)
          + ftp_host                                            = (known after apply)
          + ftp_password                                        = (sensitive value)
          + ftp_port                                            = (known after apply)
          + ftp_user                                            = (known after apply)
          + function                                            = (known after apply)
          + function_app                                        = (known after apply)
          + function_key                                        = (sensitive value)
          + function_name                                       = (known after apply)
          + function_trigger                                    = (sensitive value)
          + gcs_bucket                                          = (known after apply)
          + gcs_folder                                          = (known after apply)
          + generate_fivetran_pk                                = (known after apply)
          + group_name                                          = (known after apply)
          + hana_mode                                           = (known after apply)
          + has_manage_permissions                              = (known after apply)
          + historic_sync_time_frame                            = (known after apply)
          + historical_sync_limit                               = (known after apply)
          + home_folder                                         = (known after apply)
          + host                                                = (known after apply)
          + identity                                            = (known after apply)
          + include_ocapi_endpoints                             = (known after apply)
          + instance                                            = (known after apply)
          + integration_key                                     = (sensitive value)
          + is_account_level_connector                          = (known after apply)
          + is_auth2_enabled                                    = (known after apply)
          + is_custom_api_credentials                           = (known after apply)
          + is_external_activities_endpoint_selected            = (known after apply)
          + is_ftps                                             = (known after apply)
          + is_keypair                                          = (known after apply)
          + is_multi_entity_feature_enabled                     = (known after apply)
          + is_new_package                                      = (known after apply)
          + is_private_key_encrypted                            = (known after apply)
          + is_private_link_required                            = (known after apply)
          + is_public                                           = (known after apply)
          + is_sailthru_connect_enabled                         = (known after apply)
          + is_secure                                           = (known after apply)
          + is_sftp_creds_available                             = (known after apply)
          + is_single_table_mode                                = (known after apply)
          + is_vendor                                           = (known after apply)
          + key                                                 = (sensitive value)
          + last_synced_changes__utc_                           = (known after apply)
          + latest_version                                      = (known after apply)
          + limit_for_api_calls_to_external_activities_endpoint = (known after apply)
          + list_strategy                                       = (known after apply)
          + login_password                                      = (sensitive value)
          + max_api_requests_per_day                            = (known after apply)
          + merchant_id                                         = (known after apply)
          + message_type                                        = (known after apply)
          + named_range                                         = (known after apply)
          + network_code                                        = (known after apply)
          + non_standard_escape_char                            = (known after apply)
          + null_sequence                                       = (known after apply)
          + oauth_token                                         = (sensitive value)
          + oauth_token_secret                                  = (sensitive value)
          + on_error                                            = (known after apply)
          + on_premise                                          = (known after apply)
          + organization                                        = (known after apply)
          + organization_id                                     = (known after apply)
          + passphrase                                          = (sensitive value)
          + password                                            = (sensitive value)
          + pat                                                 = (sensitive value)
          + path                                                = (known after apply)
          + pattern                                             = (known after apply)
          + pdb_name                                            = (known after apply)
          + pem_certificate                                     = (sensitive value)
          + port                                                = (known after apply)
          + post_click_attribution_window_size                  = (known after apply)
          + prebuilt_report                                     = (known after apply)
          + prefix                                              = (known after apply)
          + private_key                                         = (sensitive value)
          + product                                             = (known after apply)
          + project_id                                          = (sensitive value)
          + public_key                                          = (known after apply)
          + publication_name                                    = (known after apply)
          + pull_archived_campaigns                             = (known after apply)
          + query_id                                            = (known after apply)
          + region                                              = (known after apply)
          + region_api_url                                      = (known after apply)
          + region_auth_url                                     = (known after apply)
          + region_token_url                                    = (known after apply)
          + replica_id                                          = (known after apply)
          + replication_slot                                    = (known after apply)
          + report_type                                         = (known after apply)
          + report_url                                          = (known after apply)
          + resource_url                                        = (known after apply)
          + rest_api_limit                                      = (known after apply)
          + role                                                = (known after apply)
          + role_arn                                            = (sensitive value)
          + rollback_window                                     = (known after apply)
          + rollback_window_size                                = (known after apply)
          + s3bucket                                            = (known after apply)
          + s3external_id                                       = (known after apply)
          + s3folder                                            = (known after apply)
          + s3role_arn                                          = (sensitive value)
          + sales_account_sync_mode                             = (known after apply)
          + sap_user                                            = (known after apply)
          + secret                                              = (sensitive value)
          + secret_key                                          = (sensitive value)
          + secrets                                             = (sensitive value)
          + security_protocol                                   = (known after apply)
          + server                                              = (known after apply)
          + server_url                                          = (known after apply)
          + service_version                                     = (known after apply)
          + sftp_host                                           = (known after apply)
          + sftp_is_key_pair                                    = (known after apply)
          + sftp_password                                       = (sensitive value)
          + sftp_port                                           = (known after apply)
          + sftp_user                                           = (known after apply)
          + share_url                                           = (known after apply)
          + sheet_id                                            = (known after apply)
          + shop                                                = (known after apply)
          + short_code                                          = (sensitive value)
          + should_sync_events_with_deleted_profiles            = (known after apply)
          + show_records_with_no_metrics                        = (known after apply)
          + sid                                                 = (known after apply)
          + site_id                                             = (known after apply)
          + skip_after                                          = (known after apply)
          + skip_before                                         = (known after apply)
          + skip_empty_reports                                  = (known after apply)
          + snc_mode                                            = (known after apply)
          + soap_uri                                            = (known after apply)
          + source                                              = (known after apply)
          + sub_domain                                          = (known after apply)
          + subdomain                                           = (known after apply)
          + subscriber_name                                     = (known after apply)
          + support_connected_accounts_sync                     = (known after apply)
          + support_nested_columns                              = (known after apply)
          + swipe_attribution_window                            = (known after apply)
          + sync_data_locker                                    = (known after apply)
          + sync_format                                         = (known after apply)
          + sync_formula_fields                                 = (known after apply)
          + sync_metadata                                       = (known after apply)
          + sync_method                                         = (known after apply)
          + sync_mode                                           = (known after apply)
          + sync_mode_advertiser                                = (known after apply)
          + sync_mode_seat                                      = (known after apply)
          + sync_multiple_accounts                              = (known after apply)
          + sync_pack_mode                                      = (known after apply)
          + sync_pull_api                                       = (known after apply)
          + sync_type                                           = (known after apply)
          + target_entity_id                                    = (known after apply)
          + technical_account_id                                = (known after apply)
          + test_table_name                                     = (known after apply)
          + time_zone                                           = (known after apply)
          + timeframe_months                                    = (known after apply)
          + tns                                                 = (known after apply)
          + token_key                                           = (sensitive value)
          + token_secret                                        = (sensitive value)
          + tunnel_host                                         = (known after apply)
          + tunnel_port                                         = (known after apply)
          + tunnel_user                                         = (known after apply)
          + unique_id                                           = (known after apply)
          + update_config_on_each_sync                          = (known after apply)
          + update_method                                       = (known after apply)
          + uri                                                 = (known after apply)
          + url_format                                          = (known after apply)
          + use_api_keys                                        = (known after apply)
          + use_customer_bucket                                 = (known after apply)
          + use_oracle_rac                                      = (known after apply)
          + use_pgp_encryption_options                          = (known after apply)
          + use_service_account                                 = (known after apply)
          + use_template_labels                                 = (known after apply)
          + use_webhooks                                        = (known after apply)
          + use_workspace                                       = (known after apply)
          + user                                                = (known after apply)
          + user_id                                             = (known after apply)
          + user_key                                            = (sensitive value)
          + user_name                                           = (known after apply)
          + username                                            = (known after apply)
          + view_attribution_window                             = (known after apply)
          + view_through_attribution_window_size                = (known after apply)
          + workspace_same_as_source                            = (known after apply)
            # (2 unchanged attributes hidden)
        }
    }


  # fivetran_connector_schedule.microsoft_entra_id_schedule must be replaced
-/+ resource "fivetran_connector_schedule" "microsoft_entra_id_schedule" {
      ~ connector_id      = "<redacted>" -> (known after apply) # forces replacement
      + daily_sync_time   = (known after apply)
      ~ id                = "<redacted>" -> (known after apply)
      ~ pause_after_trial = "false" -> (known after apply)
      ~ paused            = "false" -> (known after apply)
      ~ schedule_type     = "auto" -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Notice that client_secret is the only attribute being changed in the config block, which is the only updated value in the AWS secret.

Plugin version:
Terraform: 1.9.8
Fivetran provider: 1.4.2.

nbaju1 added the bug label Jan 21, 2025
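A way to triage a plan of this size, as an added example that is not part of the original issue or of the Fivetran provider: the Python sketch below parses human-readable `terraform plan` text and lists only the attributes marked `~` whose new value is known at plan time, plus any attribute that forces a replacement. The function names are hypothetical and `SAMPLE_PLAN` is a shortened excerpt constructed from the output above.

```python
import re

# Constructed sample: a shortened excerpt of the plan output quoted in the issue.
SAMPLE_PLAN = """\
  # fivetran_connector.microsoft_entra_id will be updated in-place
  ~ resource "fivetran_connector" "microsoft_entra_id" {
      ~ connected_by       = "<redacted>" -> (known after apply)
      ~ id                 = "<redacted>" -> (known after apply)
      + run_setup_tests    = (known after apply)
        # (3 unchanged attributes hidden)

      ~ config {
          + abs_container_name = (known after apply)
          + access_key         = (sensitive value)
          ~ client_secret      = (sensitive value)
          + cloud_storage_type = (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

  # fivetran_connector_schedule.microsoft_entra_id_schedule must be replaced
-/+ resource "fivetran_connector_schedule" "microsoft_entra_id_schedule" {
      ~ connector_id      = "<redacted>" -> (known after apply) # forces replacement
      + daily_sync_time   = (known after apply)
      ~ id                = "<redacted>" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
"""

RESOURCE_RE = re.compile(r'^\s*(-/\+|\+/-|[~+-])\s+resource\s+"([^"]+)"\s+"([^"]+)"\s+\{')
BLOCK_RE = re.compile(r'^\s*([~+-])\s+([\w-]+)\s+\{\s*$')
ATTR_RE = re.compile(r'^\s*([~+-])\s+([\w.-]+)\s+=\s+(.*)$')
CLOSE_RE = re.compile(r'^\s*\}\s*$')
FORCES = "# forces replacement"
COMPUTED = "(known after apply)"


def parse_plan(text):
    """Return one record per attribute line: address, path, action, value, forces."""
    records = []
    resource = None   # "type.name" of the resource block being read
    stack = []        # nested block names inside that resource, e.g. ["config"]
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            resource, stack = f"{m.group(2)}.{m.group(3)}", []
            continue
        if resource is None:
            continue  # plan header, comments and summary lines
        m = BLOCK_RE.match(line)
        if m:
            stack.append(m.group(2))
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            else:
                resource = None  # closing brace of the resource itself
            continue
        m = ATTR_RE.match(line)
        if m:
            value = m.group(3).strip()
            forces = value.endswith(FORCES)
            if forces:
                value = value[: -len(FORCES)].strip()
            records.append({
                "address": resource,
                "path": ".".join(stack + [m.group(2)]),
                "action": m.group(1),
                "value": value,
                "forces": forces,
            })
    return records


def in_place_changes(text):
    """Attributes marked '~' whose new value is not a computed placeholder."""
    return [f'{r["address"]}.{r["path"]}' for r in parse_plan(text)
            if r["action"] == "~" and not r["value"].endswith(COMPUTED)]


def forced_replacements(text):
    """Attributes annotated '# forces replacement'."""
    return [f'{r["address"]}.{r["path"]}' for r in parse_plan(text) if r["forces"]]


if __name__ == "__main__":
    print("in-place changes:", in_place_changes(SAMPLE_PLAN))
    print("forces replacement:", forced_replacements(SAMPLE_PLAN))
```
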