petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

Looks like changing plaintext_password does not change it actually #49

Closed bgorbuntsov closed 1 year ago

bgorbuntsov commented 1 year ago

Hi,

Terraform v1.3.6, AWS Aurora MySQL (5.7) compatible.

I created a set of users using the for_each argument. I need the passwords to be stored in SSM Parameter Store, so I can't use the mysql_user_password resource; hence I used random_password.

resource "mysql_user" "dbusers" {
  for_each           = var.list
  user               = each.key
  host               = "%"
  plaintext_password = random_password.password[each.key].result
}

If I taint the random_password resource, it recreates the password, and that causes an in-place update of mysql_user. This code runs successfully, but afterward the password in the database is still the same one that was created on user creation.

I expect that the password will be changed as long as plaintext_password has been changed.

Thanks!

Wiston999 commented 1 year ago

Hi, we are experiencing the same behavior in our environment. Here is a bit of context about our environment:

Terraform code used:

resource "mysql_user" "user" {
  for_each = local.users
  user     = each.value["user"]
  host     = each.value["host"]

  plaintext_password = each.value["password"]
}

After a bit of investigation of the source code and Terraform state, my guess is that the line at https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_user.go#L188 is preventing the user password update at https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_user.go#L200. Checking my Terraform state, I see that auth_plugin has the value mysql_native_password (probably a default value, as I'm not setting it), so the if at https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_user.go#L166 renders true, but as we are using plaintext_password instead of auth_string_hashed, no actual change is made in the MySQL server due to the return nil clause at https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_user.go#L188.

Running Terraform with TF_LOG=TRACE, I can see some logged messages like

[DEBUG] Using driverName: mysql

generated at https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/provider.go#L305 but I cannot see the log message at https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_user.go#L206.

I hope that this helps in debugging and fixing the issue.

petoju commented 1 year ago

Thanks for the description.

> I hope that this helps in debugging and fixing the issue

I prefer pull requests, but I did a quick fix in https://github.com/petoju/terraform-provider-mysql/pull/51. Please test that.

bgorbuntsov commented 1 year ago

Just tested. For me it works! Thanks!

Wiston999 commented 1 year ago

Tested new version (3.0.26) and it works as expected. Thank you so much!

petoju commented 1 year ago

Thanks, closing then!
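
The symptom reported in this thread (Terraform shows a successful in-place update while the server keeps the old password) can be checked independently of Terraform when the account uses mysql_native_password, the auth_plugin value seen in the state above. The Go program below is an added example, not code from the provider or from the thread participants: it recomputes the hash that plugin stores and flags users whose rotation did not reach the server. The function names and sample data are constructed, and it assumes the stored hashes were read from mysql.user.authentication_string by an account allowed to query that table.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// nativeHash returns what the mysql_native_password plugin stores in
// mysql.user.authentication_string: "*" + UPPER(HEX(SHA1(SHA1(password)))).
func nativeHash(password string) string {
	first := sha1.Sum([]byte(password))
	second := sha1.Sum(first[:])
	return "*" + strings.ToUpper(hex.EncodeToString(second[:]))
}

// rotationApplied reports whether the hash read from the server matches the
// password that Terraform state (or SSM Parameter Store) says is current.
func rotationApplied(intended, storedHash string) bool {
	want := []byte(nativeHash(intended))
	got := []byte(strings.ToUpper(strings.TrimSpace(storedHash)))
	return subtle.ConstantTimeCompare(want, got) == 1
}

// staleUsers returns, sorted, every user whose stored hash does not match the
// intended password. A user missing from the server data counts as stale.
func staleUsers(intended, stored map[string]string) []string {
	var stale []string
	for user, password := range intended {
		if !rotationApplied(password, stored[user]) {
			stale = append(stale, user)
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	// Constructed sample data: "app" was rotated in state only, "report" landed.
	intended := map[string]string{"app": "new-secret", "report": "password"}
	stored := map[string]string{
		"app":    nativeHash("old-secret"),
		"report": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
	}
	fmt.Println("rotation not applied for:", staleUsers(intended, stored))
}
```

This comparison only works for mysql_native_password, whose stored value is unsalted; salted plugins such as caching_sha2_password need a login attempt with the new credential instead.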