Juniper / junos-terraform

Apache License 2.0

Best practices for TF state and handling encrypted passwords #30

Closed cdot65 closed 2 years ago

cdot65 commented 2 years ago

Hello, when passing a clear-text password within a terraform configuration file, the resulting JunOS configuration will always differ due to the way it encrypts the password at commit.

resource "junos-ike_SecurityIkePolicyPre__Shared__KeyAscii__Text" "ike_policy_preshared" {
  resource_name = var.ike_apply_group_name
  name          = var.ike_policy_name
  ascii__text   = "juniper123"
}

resulting JunOS configuration

cdot65_ike {
    security {
        ike {
            policy cdot65_ike_policy {
                pre-shared-key ascii-text "$9$1UaESeLxdgoGvWoGDif5IEcyvWX7-w24"; ## SECRET-DATA
            }
        }
    }
}

This is fine and dandy; however, it breaks Terraform's perspective of state regarding the configuration. Additional terraform plan operations will always show a diff.

Terraform will perform the following actions:

  # module.enterprise-fw1.junos-ike_SecurityIkePolicyPre__Shared__KeyAscii__Text.ike_policy_preshared will be updated in-place
  ~ resource "junos-ike_SecurityIkePolicyPre__Shared__KeyAscii__Text" "ike_policy_preshared" {
      ~ ascii__text   = "$9$1UaESeLxdgoGvWoGDif5IEcyvWX7-w24" -> "juniper123"
        id            = "192.168.105.196_cdot65_ike"
        name          = "cdot65_ike_policy"
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Is there a best practice here for passing passwords to be encrypted by the host (JunOS device)?

davedotdev commented 2 years ago

Hey @cdot65,

You can try the lifecycle block for this. It should ignore the identified tag. Try putting this underneath the ascii__text key.

lifecycle {
    ignore_changes = [
        ascii__text,
    ]
}

Cheers, D
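Added example, not code from the issue or from the junos-terraform project: the "$9$" value Junos writes for a pre-shared key is reversible obfuscation, not a hash, and the string differs on every commit only because the first character and the throw-away characters after it are chosen at random. The script below implements that encoding (the same 65-character alphabet and gap weights used by the well-known Junos::Decode / junosdecode tools), decodes the sample string from the issue above back to `juniper123`, re-encodes it with the same salt to reproduce the string exactly, and uses the decoder for a `psk_drifted` check that tells a real key change apart from a re-salt. The function names, the `salt`/`rand` parameters and the drift check are this example's own, not a provider API.

```python
"""Junos $9$ password obfuscation: encode, decode, and a drift check."""
import random

# Tables of the Junos "$9$" scheme (reversible obfuscation, not a hash).
MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
# Number of random throw-away characters that follow the first (salt)
# character: 3, 2, 1 or 0 depending on the family the salt belongs to.
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}
NUM_ALPHA = "".join(FAMILY)          # the 65-character alphabet
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
# Each plaintext byte is split into 2-4 "gaps"; the weights cycle per byte.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap(prev, cur):
    """Alphabet distance from prev to cur (mod 65), minus one."""
    return (ALPHA_NUM[cur] - ALPHA_NUM[prev]) % len(NUM_ALPHA) - 1


def junos_decode(crypt):
    """Recover the plaintext from a '$9$...' string."""
    if not crypt.startswith(MAGIC) or len(crypt) <= len(MAGIC):
        raise ValueError("not a $9$ string")
    chars = crypt[len(MAGIC):]
    first, chars = chars[0], chars[1:]
    chars = chars[EXTRA[first]:]       # drop the random salt characters
    prev, plain = first, ""
    while chars:
        weights = ENCODING[len(plain) % len(ENCODING)]
        nibble, chars = chars[:len(weights)], chars[len(weights):]
        if len(nibble) != len(weights):
            raise ValueError("truncated $9$ string")
        num = 0
        for w, c in zip(weights, nibble):
            num += _gap(prev, c) * w
            prev = c
        plain += chr(num % 256)
    return plain


def junos_encode(plain, salt=None, rand=None):
    """Obfuscate plain into a '$9$...' string.

    salt and rand default to random alphabet characters, which is why the
    same password yields a different string on every commit.
    """
    salt = salt if salt is not None else random.choice(NUM_ALPHA)
    if rand is None:
        rand = "".join(random.choice(NUM_ALPHA) for _ in range(EXTRA[salt]))
    if len(rand) != EXTRA[salt]:
        raise ValueError("rand must be %d chars for salt %r" % (EXTRA[salt], salt))
    crypt, prev = MAGIC + salt + rand, salt
    for pos, ch in enumerate(plain):
        val = ord(ch)
        if val > 255:
            raise ValueError("only single-byte characters are supported")
        weights = ENCODING[pos % len(ENCODING)]
        gaps = []
        for w in reversed(weights):    # mixed-radix digits, most significant first
            gaps.insert(0, val // w)
            val %= w
        for g in gaps:
            prev = NUM_ALPHA[(g + ALPHA_NUM[prev] + 1) % len(NUM_ALPHA)]
            crypt += prev
    return crypt


def psk_drifted(device_value, desired_plain):
    """True only if the key on the device differs from the desired key.

    A re-salted '$9$' string for the same password is not drift; unlike
    lifecycle ignore_changes, a genuinely different key is still noticed.
    """
    if device_value.startswith(MAGIC):
        return junos_decode(device_value) != desired_plain
    return device_value != desired_plain


if __name__ == "__main__":
    sample = "$9$1UaESeLxdgoGvWoGDif5IEcyvWX7-w24"   # the string from the issue above
    print(junos_decode(sample))
    a, b = junos_encode("juniper123"), junos_encode("juniper123")
    print(a != b, junos_decode(a) == junos_decode(b) == "juniper123")
    print(psk_drifted(sample, "juniper123"), psk_drifted(sample, "changed"))
```

Two practical consequences follow. First, `ignore_changes` makes the plan quiet, but it also means a changed value in `var.ike_psk` will never be pushed to the device; a decode-and-compare check like `psk_drifted` (for instance in a pre-plan script or a test) is what tells a harmless re-salt apart from a rotation that did not land. Second, because "$9$" is reversible, the `## SECRET-DATA` value in `show configuration` and the same value copied into terraform state are equivalent to the plaintext, so the state file needs the same access controls and encryption at rest as the clear-text key itself.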

cdot65 commented 2 years ago

Thanks @davedotdev, you're a world-class chap