fix: destroy the resource on drift (#1351)

yordis · nickfloyd · web-flow · commit d67b35750d98 · 2025-10-20T07:50:49.000-05:00
* fix: destroy the resource on drift

closes 749

* add secret drifting example

---------

Co-authored-by: Nick Floyd &lt;139819+nickfloyd@users.noreply.github.com&gt;
diff --git a/examples/secret-drifting/main.tf b/examples/secret-drifting/main.tf
@@ -0,0 +1,23 @@
+provider "github" {
+}
+
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+    }
+  }
+}
+
+resource "github_actions_organization_secret" "plaintext_secret" {
+  secret_name      = "test_plaintext_secret"
+  plaintext_value  = "123"
+  visibility       = "private"
+}
+
+resource "github_actions_organization_secret" "encrypted_secret" {
+  secret_name      = "test_encrypted_secret"
+  plaintext_value  = "123"
+  visibility       = "private"
+  destroy_on_drift = false
+}
diff --git a/github/resource_github_actions_organization_secret.go b/github/resource_github_actions_organization_secret.go
@@ -78,6 +78,11 @@ func resourceGithubActionsOrganizationSecret() *schema.Resource {
 				Computed:    true,
 				Description: "Date of 'actions_secret' update.",
 			},
+			"destroy_on_drift": {
+				Type:     schema.TypeBool,
+				Default:  true,
+				Optional: true,
+			},
 		},
 	}
 }
@@ -214,7 +219,8 @@ func resourceGithubActionsOrganizationSecretRead(d *schema.ResourceData, meta in
 	// The only solution to enforce consistency between is to mark the resource
 	// as deleted (unset the ID) in order to fix potential drift by recreating
 	// the resource.
-	if updatedAt, ok := d.GetOk("updated_at"); ok && updatedAt != secret.UpdatedAt.String() {
+	destroyOnDrift := d.Get("destroy_on_drift").(bool)
+	if updatedAt, ok := d.GetOk("updated_at"); ok && destroyOnDrift && updatedAt != secret.UpdatedAt.String() {
 		log.Printf("[INFO] The secret %s has been externally updated in GitHub", d.Id())
 		d.SetId("")
 	} else if !ok {
diff --git a/github/resource_github_actions_organization_secret_test.go b/github/resource_github_actions_organization_secret_test.go
@@ -25,6 +25,7 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 			  secret_name      = "test_encrypted_secret"
 			  encrypted_value  = "%s"
 			  visibility       = "private"
+			  destroy_on_drift = false
 			}
 		`, secretValue, secretValue)
 

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {`
`25`	`25`	`secret_name = "test_encrypted_secret"`
`26`	`26`	`encrypted_value = "%s"`
`27`	`27`	`visibility = "private"`
	`28`	`+ destroy_on_drift = false`
`28`	`29`	`}`
`29`	`30`	`, secretValue, secretValue)
`30`	`31`