Provider fails with Unable to Login to <X> If the SA or Administrator Password Changes

[vsabella]

Whenver the administrator password changes, re-running terraform results in this error:

│ Error: unable to read user [abc]: mssql: login error: Login failed for user 'my_sa_account'.│ 
│   on ...... , in resource "mssql_user" "user":
│   22: resource "mssql_user" "user" {

This is actually a bit obvious when you look at the provider design - the login to the server is provided to the resource, not the provider itself. So if the SA login changes, the resource is unable to "update its state". It's storing the login in the terraform state file.

Ideally this should be taking the host/login from the provider registration, not this.

resource "mssql_user" "user" {
  server {
    host = var.endpoint
    login {
      username = var.administrator_login
      password = var.administrator_password
    }
  }

[maxnsdia]

We experienced this as well and switching back to the old password also did not work, somehow both passwords were in the state file in different places. Would appreciate a fix because we have mandatory secret rotation of our sa password and every time this happens it breaks our pipeline. Our fix now was manually inserting the new password in all state files which fixed the problem but is of course not something we would want to do each time.

[folkerttenkate]

Exactly the same issue here, except using the azure_login option....

azure_login { tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" client_secret = "terriblySecretSecret" }

Is great until you rotate your secrets for security reasons... This should be part of the provider configuration and no the actual mssql_user configuration which it is now, which I believe is why it is stored in the state file.