Provider overwriting SecretV2 data #54

Open
ottramst opened this issue Jan 21, 2025 · 0 comments
Labels
bug Something isn't working
What happened?

When defining a SecretV2 with an empty JSON and defining the dataJsonSecretRef attribute under initProvider, the secret contents still get overwritten.

This is buggy behaviour since sometimes we need to just create a SecretV2 and then inject data into the secret externally.

It seems that the documentation on the resource itself for the initProvider field is false:

InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created.

Seems that this merging is not happening or the required fields check is run before the merge operation.

How can we reproduce it?

Using these manifests:

---
apiVersion: v1
kind: Secret
metadata:
  name: test-vault-kvv2
  namespace: crossplane
type: Opaque
stringData:
  data: |
    {}

---
apiVersion: kv.vault.upbound.io/v1alpha1
kind: SecretV2
metadata:
  name: test-vault-kvv2
  namespace: crossplane
spec:
  deletionPolicy: Delete
  forProvider:
    deleteAllVersions: true
    customMetadata:
      - maxVersions: 10
        data:
          environment: test
          test: test
    mount: common
    name: test
    dataJsonSecretRef:
      key: data
      name: test-vault-kvv2
      namespace: crossplane
  initProvider:
    dataJsonSecretRef:
      key: data
      name: test-vault-kvv2
      namespace: crossplane
  providerConfigRef:
    name: vault

For example, when changing/adding a custom metadata map object, the secret contents will be overwritten by an empty JSON, even though the dataJsonSecretRef is defined under initProvider.

Furthermore, it isn't possible to omit forProvider.dataJsonSecretRef because it's a required field.

What environment did it happen in?

  • Vault provider: v2.0.1
@ottramst ottramst added the bug Something isn't working label Jan 21, 2025