rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

[BUG] Provider crash on changing rancher2_custom_user_token's password #1354

Closed mouellet closed 2 months ago

mouellet commented 6 months ago

Rancher Server Setup

Information about the Cluster

User Information

N/D

Provider Information

Describe the bug

Changing the 'password' attribute of the rancher2_custom_user_token resource doesn't recreate it as documented.

https://github.com/rancher/terraform-provider-rancher2/blob/master/docs/resources/custom_user_token.md?plain=1#L15

Tokens can't be updated once created. Any diff in token data will recreate the token. If any token expire, Rancher2 provider will generate a diff to regenerate it.

https://github.com/rancher/terraform-provider-rancher2/blob/master/docs/resources/custom_user_token.md?plain=1#L51

password - (Required/ForceNew) The user password (string)

To Reproduce

  1. create a rancher2_custom_user_token resource
  2. change the password attribute

Actual Result

```
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ rancher2_custom_user_token.this,
│ provider "provider[\"registry.terraform.io/rancher/rancher2\"]" produced an
│ unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
```

Expected Result

Resource should be recreated

Screenshots

Additional context

Schema is missing a ForceNew: true, here: https://github.com/rancher/terraform-provider-rancher2/blob/master/rancher2/schema_custom_user_token.go#L11-L16

matttrach commented 5 months ago

Thank you so much! I agree with your assessment, I will work on making this change for our next release.

markusewalker commented 2 months ago

Validated that I do not see a crash in rancher2_custom_resource with 5.0.0-rc1. See details below:

ENVIRONMENT DETAILS

TEST RESULTS

| # | Scenario | Test Result |
|---|----------|-------------|
| 1 | Updating password recreates the custom user token | :white_check_mark: |

VALIDATION STEPS

  1. Setup Rancher.
  2. Provisioned a downstream K3s node driver v1.30.4+k3s1 cluster.
  3. Populated the following main.tf:

```hcl
terraform {
  required_providers {
    rancher2 = {
      source = "terraform.local/local/rancher2"
      version = "5.0.0-rc1"
    }
  }
}

provider "rancher2" {
  api_url   = "<omitted>"
  token_key = "<omitted>"
  insecure  = true
}

resource "rancher2_user" "testuser" {
  name     = "<omitted>"
  username = "<omitted>"
  password = "<omitted>"
  enabled  = true
}

resource "rancher2_global_role_binding" "testuser-login" {
  name           = "<omitted>"
  global_role_id = "user-base"
  user_id        = rancher2_user.testuser.id
}

resource "rancher2_custom_user_token" "testuser" {
  username    = rancher2_user.testuser.username
  password    = "<omitted>"
  description = "test user token"
  cluster_id  = "<omitted>"

  depends_on = [
    rancher2_global_role_binding.testuser-login
  ]
}
```

  4. Ran terraform apply.
  5. In my separate outputs.tf, I have the following:

```hcl
output "testuser" {
  value = rancher2_custom_user_token.testuser.token
  sensitive = true
}
```

  6. Ran `terraform output testuser-token` and took note of the token.
  7. Updated the password and ran terraform apply.
  8. Ran terraform output testuser-token and noted there is a new token. Additionally, the terraform plan noted that rancher2_custom_user_token.testuser was replaced as well.
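
The replacement check from the validation above can be automated against the JSON form of a plan (`terraform show -json <planfile>`). The following Go program is an added example, not code from this thread or from the provider: it flags any `rancher2_custom_user_token` that a plan would update in place instead of replacing, which is what the issue's diagnosis (missing `ForceNew`) implies for a password change. The function name `inPlaceTokenUpdates` and the sample plan are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// plan mirrors only the fields of `terraform show -json <planfile>` used here.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			Actions []string `json:"actions"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// samplePlan is constructed for this example, not captured from the issue.
const samplePlan = `{"resource_changes":[
 {"address":"rancher2_user.testuser","type":"rancher2_user",
  "change":{"actions":["update"]}},
 {"address":"rancher2_custom_user_token.testuser","type":"rancher2_custom_user_token",
  "change":{"actions":["delete","create"]}}]}`

// inPlaceTokenUpdates (hypothetical helper) returns the addresses of
// rancher2_custom_user_token resources planned as an in-place update.
func inPlaceTokenUpdates(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	var bad []string
	for _, rc := range p.ResourceChanges {
		if rc.Type != "rancher2_custom_user_token" {
			continue
		}
		// A replacement is planned as delete+create (in either order);
		// a lone "update" means the token would be modified in place.
		if strings.Join(rc.Change.Actions, ",") == "update" {
			bad = append(bad, rc.Address)
		}
	}
	return bad, nil
}

func main() {
	bad, err := inPlaceTokenUpdates([]byte(samplePlan))
	fmt.Println("in-place token updates:", bad, "error:", err)
}
```

An empty result means every token change in the plan is a replacement; a non-empty result is worth failing a CI gate on before `terraform apply` runs.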