CiscoDevNet / terraform-provider-intersight

Cisco Intersight Terraform
Mozilla Public License 2.0

[ISSUE] Intersight Provider 1.0.54 - resource intersight_storage_drive_security_policy - Plan not accounting for sensitive values #286

Closed scotttyso closed 1 month ago

scotttyso commented 2 months ago

Bug Report Checklist

Description

When running a plan/apply with intersight_storage_drive_security_policy, sensitive values cause a plan to view the sensitive values as an update. This doesn't happen with other policies like local user policy.

Terraform-provider-intersight version

1.0.54

Configuration file

resource "intersight_storage_drive_security_policy" "map" {
  description = "default"
  key_setting {
    key_type = "Kmip"
    remote_key {
      auth_credentials {
        password           = (sensitive value)
        use_authentication = true
        username           = "kmip_user"
      }
      existing_key        = (sensitive value)
      primary_server {
        enable_drive_security = true
        ip_address            = "kmip-primary.example.com"
        port                  = 5696
        timeout               = 60
      }
      secondary_server {
        enable_drive_security = true
        ip_address            = "kmip-secondary.example.com"
        port                  = 5696
        timeout               = 60
      }
      server_certificate = (sensitive value)
    }
  }
  name = "default"
  organization {
    moid = "5ddea1e16972652d32b6493a"

  }
}

Actual output (Attach screenshots if applicable)

tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$ tfp
data.utils_yaml_merge.model: Reading...
data.utils_yaml_merge.model: Read complete after 0s [id=c19f636f4e52728c94d8901ef46cd4c9c78b8ed1]
module.organizations["map"].data.intersight_organization_organization.map["default"]: Reading...
module.policies["map"].data.intersight_iam_account.account: Reading...
module.policies["map"].data.intersight_iam_account.account: Read complete after 0s [id=5981bd053e95200001fd5632]
module.organizations["map"].data.intersight_organization_organization.map["default"]: Read complete after 0s [id=5ddea1e16972652d32b6493a]
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Reading...
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Read complete after 1s [id=59684dcb5e468000016525c8]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"] will be created
  + resource "intersight_iam_end_point_user" "map" {
      + account_moid         = (known after apply)
      + ancestors            = (known after apply)
      + class_id             = "iam.EndPointUser"
      + create_time          = (known after apply)
      + domain_group_moid    = (known after apply)
      + end_point_user_role  = (known after apply)
      + id                   = (known after apply)
      + mod_time             = (known after apply)
      + moid                 = (known after apply)
      + name                 = "admin"
      + object_type          = "iam.EndPointUser"
      + organization         = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "5ddea1e16972652d32b6493a"
              + object_type = (known after apply)
            },
        ]
      + owners               = (known after apply)
      + parent               = (known after apply)
      + permission_resources = (known after apply)
      + shared_scope         = (known after apply)
      + tags                 = (known after apply)
      + version_context      = (known after apply)
    }

  # module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"] will be created
  + resource "intersight_iam_end_point_user_policy" "map" {
      + account_moid         = (known after apply)
      + ancestors            = (known after apply)
      + class_id             = "iam.EndPointUserPolicy"
      + create_time          = (known after apply)
      + description          = "default"
      + domain_group_moid    = (known after apply)
      + end_point_user_roles = (known after apply)
      + id                   = (known after apply)
      + mod_time             = (known after apply)
      + moid                 = (known after apply)
      + name                 = "default"
      + object_type          = "iam.EndPointUserPolicy"
      + organization         = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "5ddea1e16972652d32b6493a"
              + object_type = (known after apply)
            },
        ]
      + owners               = (known after apply)
      + parent               = (known after apply)
      + password_properties  = [
          + {
              + class_id                 = "iam.EndPointPasswordProperties"
              + enable_password_expiry   = false
              + enforce_strong_password  = true
              + force_send_password      = false
              + grace_period             = 0
              + notification_period      = 15
              + object_type              = "iam.EndPointPasswordProperties"
              + password_expiry_duration = 90
              + password_history         = 0
            },
        ]
      + permission_resources = (known after apply)
      + profiles             = (known after apply)
      + shared_scope         = (known after apply)
      + tags                 = [
          + {
              + key   = "Module"
              + value = "easy-imm"
            },
          + {
              + key   = "Version"
              + value = "4.2.11-17769"
            },
        ]
      + version_context      = (known after apply)
    }

  # module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"] will be created
  + resource "intersight_iam_end_point_user_role" "map" {
      + account_moid          = (known after apply)
      + ancestors             = (known after apply)
      + change_password       = (known after apply)
      + class_id              = "iam.EndPointUserRole"
      + create_time           = (known after apply)
      + domain_group_moid     = (known after apply)
      + enabled               = true
      + end_point_role        = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "59684dcb5e468000016525c8"
              + object_type = "iam.EndPointRole"
            },
        ]
      + end_point_user        = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = (known after apply)
              + object_type = "iam.EndPointUser"
            },
        ]
      + end_point_user_policy = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = (known after apply)
              + object_type = "iam.EndPointUserPolicy"
            },
        ]
      + id                    = (known after apply)
      + is_password_set       = (known after apply)
      + mod_time              = (known after apply)
      + moid                  = (known after apply)
      + object_type           = "iam.EndPointUserRole"
      + owners                = (known after apply)
      + parent                = (known after apply)
      + password              = (sensitive value)
      + permission_resources  = (known after apply)
      + shared_scope          = (known after apply)
      + tags                  = (known after apply)
      + version_context       = (known after apply)
    }

  # module.policies["map"].intersight_storage_drive_security_policy.map["default/default"] will be created
  + resource "intersight_storage_drive_security_policy" "map" {
      + account_moid         = (known after apply)
      + ancestors            = (known after apply)
      + class_id             = "storage.DriveSecurityPolicy"
      + create_time          = (known after apply)
      + description          = "default"
      + domain_group_moid    = (known after apply)
      + id                   = (known after apply)
      + key_setting          = [
          + {
              + class_id    = "storage.KeySetting"
              + key_type    = "Kmip"
              + manual_key  = (known after apply)
              + object_type = "storage.KeySetting"
              + remote_key  = [
                  + {
                      + auth_credentials    = [
                          + {
                              + class_id           = "storage.KmipAuthCredentials"
                              + is_password_set    = (known after apply)
                              + object_type        = "storage.KmipAuthCredentials"
                              + password           = (sensitive value)
                              + use_authentication = true
                              + username           = "kmip_user"
                            },
                        ]
                      + class_id            = "storage.RemoteKeySetting"
                      + existing_key        = (sensitive value)
                      + is_existing_key_set = (known after apply)
                      + object_type         = "storage.RemoteKeySetting"
                      + primary_server      = [
                          + {
                              + class_id              = "storage.KmipServer"
                              + enable_drive_security = true
                              + ip_address            = "kmip-primary.example.com"
                              + object_type           = "storage.KmipServer"
                              + port                  = 5696
                              + timeout               = 60
                            },
                        ]
                      + secondary_server    = [
                          + {
                              + class_id              = "storage.KmipServer"
                              + enable_drive_security = true
                              + ip_address            = "kmip-secondary.example.com"
                              + object_type           = "storage.KmipServer"
                              + port                  = 5696
                              + timeout               = 60
                            },
                        ]
                      + server_certificate  = (sensitive value)
                    },
                ]
            },
        ]
      + mod_time             = (known after apply)
      + moid                 = (known after apply)
      + name                 = "default"
      + object_type          = "storage.DriveSecurityPolicy"
      + organization         = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "5ddea1e16972652d32b6493a"
              + object_type = (known after apply)
            },
        ]
      + owners               = (known after apply)
      + parent               = (known after apply)
      + permission_resources = (known after apply)
      + profiles             = (known after apply)
      + shared_scope         = (known after apply)
      + tags                 = [
          + {
              + key   = "Module"
              + value = "easy-imm"
            },
          + {
              + key   = "Version"
              + value = "4.2.11-17769"
            },
        ]
      + version_context      = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: main.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "main.plan"
tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$ tfa
module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"]: Creating...
module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]: Creating...
module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"]: Creation complete after 0s [id=66dcd7ac6275723101b96762]
module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"]: Creating...
module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"]: Creation complete after 1s [id=66dcd7ac6275723101b96840]
module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"]: Creating...
module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]: Creation complete after 1s [id=66dcd7ac656f6e3101459d1c]
module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"]: Creation complete after 0s [id=66dcd7ad6275723101b9688e]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Notice on the subsequent plan that the local user policy is not showing a change with the sensitive password, whereas the drive security policy is.

tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$ tfp
data.utils_yaml_merge.model: Reading...
data.utils_yaml_merge.model: Read complete after 0s [id=c19f636f4e52728c94d8901ef46cd4c9c78b8ed1]
module.policies["map"].data.intersight_iam_account.account: Reading...
module.organizations["map"].data.intersight_organization_organization.map["default"]: Reading...
module.organizations["map"].data.intersight_organization_organization.map["default"]: Read complete after 1s [id=5ddea1e16972652d32b6493a]
module.policies["map"].data.intersight_iam_account.account: Read complete after 1s [id=5981bd053e95200001fd5632]
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Reading...
module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"]: Refreshing state... [id=66dcd7ac6275723101b96762]
module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]: Refreshing state... [id=66dcd7ac656f6e3101459d1c]
module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"]: Refreshing state... [id=66dcd7ac6275723101b96840]
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Read complete after 0s [id=59684dcb5e468000016525c8]
module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"]: Refreshing state... [id=66dcd7ad6275723101b9688e]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.policies["map"].intersight_storage_drive_security_policy.map["default/default"] will be updated in-place
  ~ resource "intersight_storage_drive_security_policy" "map" {
        id                    = "66dcd7ac656f6e3101459d1c"
      ~ key_setting           = [
          ~ {
              ~ remote_key            = [
                  ~ {
                      ~ auth_credentials      = [
                          ~ {
                              + password              = (sensitive value)
                                # (6 unchanged attributes hidden)
                            },
                        ]
                      + existing_key          = (sensitive value)
                        # (7 unchanged attributes hidden)
                    },
                ]
                # (5 unchanged attributes hidden)
            },
        ]
        name                  = "default"
        tags                  = [
            {
                additional_properties = null
                key                   = "Module"
                value                 = "easy-imm"
            },
            {
                additional_properties = null
                key                   = "Version"
                value                 = "4.2.11-17769"
            },
        ]
        # (17 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: main.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "main.plan"
tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$

Related issues/PRs

Suggest a fix

The provider should not require an update on subsequent plans to sensitive values unless they have changed.
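
A check for the symptom reported above, as an added example that is not part of the original issue or the provider's code: it scans the JSON form of a saved plan (`terraform show -json main.plan`) for in-place updates whose only differences are sensitive attributes going from null to a value, and reports the attribute paths without printing the values. The sample plan is constructed, and the function names and `example_resource.changed` are hypothetical.

```python
# Constructed sample shaped like `terraform show -json main.plan`; secrets are placeholders.
ADDR = 'module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]'
SAMPLE_PLAN = {"resource_changes": [
    {"address": ADDR, "change": {"actions": ["update"],
        "before": {"name": "default", "key_setting": [{"remote_key": [{"existing_key": None,
            "auth_credentials": [{"username": "kmip_user", "password": None}]}]}]},
        "after": {"name": "default", "key_setting": [{"remote_key": [{"existing_key": "PLACEHOLDER",
            "auth_credentials": [{"username": "kmip_user", "password": "PLACEHOLDER"}]}]}]},
        "after_sensitive": {"key_setting": [{"remote_key": [{"existing_key": True,
            "auth_credentials": [{"password": True}]}]}]}}},
    {"address": "example_resource.changed", "change": {"actions": ["update"],  # counter-case
        "before": {"description": "old"}, "after": {"description": "new"}, "after_sensitive": {}}},
]}

def changed_paths(before, after, path=()):
    """Yield (path, before_leaf) for every leaf that differs between two JSON values."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            yield from changed_paths(before.get(key), after.get(key), path + (key,))
    elif isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        for i, (b, a) in enumerate(zip(before, after)):
            yield from changed_paths(b, a, path + (i,))
    elif before != after:
        yield path, before

def is_sensitive(mask, path):
    """True if after_sensitive marks the leaf, or any ancestor of it, as sensitive."""
    for step in path:
        if mask is True:
            return True
        try:
            mask = mask[step]
        except (KeyError, IndexError, TypeError):
            return False
    return mask is True

def sensitive_only_updates(plan):
    """Map address -> changed paths for updates that only set sensitive leaves from null."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        diffs = list(changed_paths(change.get("before"), change.get("after")))
        mask = change.get("after_sensitive", {})
        if (change.get("actions") == ["update"] and diffs
                and all(b is None and is_sensitive(mask, p) for p, b in diffs)):
            findings[rc["address"]] = [".".join(map(str, p)) for p, _ in diffs]
    return findings

if __name__ == "__main__":
    print(sensitive_only_updates(SAMPLE_PLAN))  # paths only, never the values
```

The JSON plan carries sensitive values in clear text under `before` and `after`, so treat that file as a secret and remove it once the check has run.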

mohamuni commented 1 month ago

Hi @scotttyso, can you please check this with the latest terraform version 1.0.58?

scotttyso commented 1 month ago

I don't see the same problem on a second run. This seems to be resolved.