Pure-Storage-Ansible / FlashArray-Collection

Ansible Collection for Pure Storage FlashArray
GNU General Public License v3.0

purefa_ds is not idempotent #423

Closed dbuenoparedes closed 1 year ago

dbuenoparedes commented 1 year ago

Describe the bug

When running a task that uses the purefa_ds module, the first time it runs it properly configures the settings. Running it a 2nd or 3rd time triggers a change, because each run shows changed: [us1pure01] => changed=value_specified_in_no_log_parameter

To Reproduce

I'm using a basic configuration task for this module:

- name: Create directory service
  purestorage.flasharray.purefa_ds:
    state: present
    enable: true
    dstype: management
    uri: "{{ auth.ldap_uri }}"
    base_dn: "{{ auth.ldap_base_dn }}"
    bind_user: "{{ auth.ldap_bind_user }}"
    bind_password: "{{ auth.ldap_bind_pass }}"
    fa_url: "{{ fa_url }}"
    api_token: "{{ api_token }}"

Expected behavior

If there isn't any change in the variables/values, the 2nd and consecutive runs shouldn't show any "changed" output when Ansible runs.


Desktop (please complete the following information):

# /home/dbuenoparedes/.ansible/collections/ansible_collections
Collection             Version
---------------------- -------
purestorage.flasharray 1.17.2

dbuenoparedes commented 1 year ago

Forgot to mention that I'm using the 5.2.0 or higher purefa_ds module approach as I'm testing this with Pure arrays running version 6.4.x.

sdodsley commented 1 year ago

This module is not idempotent because of the password field. We have no way to know if the password you enter is the same as the original for security reasons. No module that passes a password can be idempotent.
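As an added illustration of the point above (my own code, not part of the FlashArray collection), the following models an Ansible-style change check: readable attributes can be compared against what the array reports back, but a write-only secret such as bind_password is never returned, so any supplied value has to be reported as a change, and Ansible masks it with value_specified_in_no_log_parameter. The array state and task parameters are constructed samples.

```python
# Added illustration, not code from the purestorage.flasharray collection.
NO_LOG_MASK = "value_specified_in_no_log_parameter"  # Ansible's mask for no_log values

# Parameters the array reports back, so a before/after comparison is possible.
READABLE = ("enabled", "uri", "base_dn", "bind_user")
# Parameters the array accepts but never returns; no comparison is possible.
WRITE_ONLY = ("bind_password",)


def plan_change(current, desired):
    """Return (changed, diff) the way an Ansible module would.

    current: attributes read back from the array (constructed sample below).
    desired: task parameters; keys with value None count as not specified.
    """
    diff = {}
    for key in READABLE:
        want = desired.get(key)
        if want is not None and current.get(key) != want:
            diff[key] = {"before": current.get(key), "after": want}
    for key in WRITE_ONLY:
        if desired.get(key) is not None:
            # The stored secret cannot be read back, so a supplied value must be
            # treated as a change; the value itself is masked in the diff.
            diff[key] = {"before": NO_LOG_MASK, "after": NO_LOG_MASK}
    return bool(diff), diff


# Constructed state as the array would report it after the first successful run.
CURRENT = {"enabled": True, "uri": ["ldaps://ldap.example.test"],
           "base_dn": "dc=example,dc=test", "bind_user": "svc-pure"}

# Same task run again, once with and once without the write-only secret.
TASK_WITH_PASSWORD = {"enabled": True, "uri": ["ldaps://ldap.example.test"],
                      "base_dn": "dc=example,dc=test", "bind_user": "svc-pure",
                      "bind_password": "constructed-sample-secret"}
TASK_WITHOUT_PASSWORD = {k: v for k, v in TASK_WITH_PASSWORD.items()
                         if k != "bind_password"}

if __name__ == "__main__":
    print(plan_change(CURRENT, TASK_WITH_PASSWORD))     # changed on every run
    print(plan_change(CURRENT, TASK_WITHOUT_PASSWORD))  # idempotent
```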

dbuenoparedes commented 1 year ago

Ok, understood @sdodsley, sorry that I wasn't aware of that implementation.

I do have to mention that I had to add the no_log: true to the purefa_user module because it wasn't implemented with this same approach. You might want to revisit that one just in case.

Thanks,

sdodsley commented 1 year ago

no_log is defined for password and old_password in purefa_user. Which other parameter would you want no_log on?

dbuenoparedes commented 1 year ago

I think you're right, purefa_user uses the password/old_password approach whereas purefa_ds is just bind_password (there's no old_bind_password if you want to change it).

I'm good to close this issue, no bug or change needed here.

Thanks for your feedback!