rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

make `must_change_password` attribute immutable after creation #1422

Closed alegrey91 closed 1 month ago

alegrey91 commented 1 month ago

Issue: https://github.com/rancher/rancher/issues/45736

Problem

Currently, the must_change_password attribute is not immutable. Since Rancher doesn't allow changing that option after user creation, we should handle this in the Terraform provider.

Solution

Set the must_change_password attribute as immutable after creation.

Testing

Engineering Testing

Manual Testing

Set up a Rancher instance from Docker:

sudo docker run --privileged -it --rm -p 8080:80 -p 443:443 rancher/rancher

In order to test this new attribute, I've used the following Terraform script to ensure the new user had this attribute set:

resource "rancher2_user" "testuser" {
  name                 = "Test User"
  username             = "testuser"
  password             = "password12345"
  must_change_password = true
  enabled              = true
}

# Assign global role bindings to the user (optional)
resource "rancher2_global_role_binding" "new_user_role" {
  user_id        = rancher2_user.testuser.id
  global_role_id = "user-base"
}

Once Terraform has completed its run, you can log in with the newly created user testuser. Once logged in, the UI will show the reset password page.

After that, you can change the must_change_password attribute, and verify that Terraform needs to destroy the resource in order to set the new value.

Automated Testing

QA Testing Considerations

Regressions Considerations
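A check that automates the last manual testing step above, as an added example that is not part of the original PR or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports `rancher2_user` resources that would be destroyed and recreated because `must_change_password` changed. The plan content, the `rancher2_user.other` resource and the function name are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields used here, in the shape of
# `terraform show -json <planfile>` output. Not captured from a real run.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "rancher2_user.testuser", "type": "rancher2_user",
     "change": {"actions": ["delete", "create"],
                "before": {"must_change_password": true},
                "after": {"must_change_password": false},
                "replace_paths": [["must_change_password"]]}},
    {"address": "rancher2_user.other", "type": "rancher2_user",
     "change": {"actions": ["update"],
                "before": {"name": "Old Name"},
                "after": {"name": "New Name"}}},
    {"address": "rancher2_global_role_binding.new_user_role",
     "type": "rancher2_global_role_binding",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}}
  ]
}
""")


def forced_user_replacements(plan, attr="must_change_password"):
    """Addresses of rancher2_user resources that the plan destroys and
    recreates because `attr` changed."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        actions = set(change.get("actions") or [])
        # A replacement is reported as both "delete" and "create".
        if rc.get("type") != "rancher2_user" or not {"delete", "create"} <= actions:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # replace_paths lists the attribute paths that forced replacement;
        # fall back to comparing values when the field is absent.
        forced = [attr] in (change.get("replace_paths") or [])
        if forced or before.get(attr) != after.get(attr):
            hits.append(rc["address"])
    return hits


if __name__ == "__main__":
    for address in forced_user_replacements(SAMPLE_PLAN):
        print(f"{address}: must_change_password change forces destroy/recreate")
```

Run against a real plan, a non-empty result means the apply would delete and recreate that user, so it can serve as a gate before applying.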

bigkevmcd commented 1 month ago

This change looks fine to me; following @alegrey91's instructions works too.

Checked against:

https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew

matttrach commented 1 month ago

Based on https://github.com/rancher/rancher/issues/45736#issuecomment-2427609100 I am setting this to ready for release (it appears to have already been checked by QA against v6.0.0-rc2)

This appears to be targeting only Rancher v2.10, which correlates to our v6