wallix / terraform-provider-wallix-bastion

Terraform provider for Wallix bastion
https://www.wallix.com/privileged-access-management/
Mozilla Public License 2.0

[ BUG ] - wallix-bastion_domain_account_credential #17

Open FranckSallet opened 3 months ago

FranckSallet commented 3 months ago

Describe the bug
When we reset a password on a global account, the "wallix-bastion_domain_account_credential" resource associated with it is deleted and is therefore recreated on the next "terraform apply".

To Reproduce
Steps to reproduce the behavior:

  1. create a "wallix-bastion_domain_account" and a "wallix-bastion_domain_account_credential" with terraform
  2. change the password through the web interface
  3. run a "terraform apply", the resource "wallix-bastion_domain_account_credential" will be recreated

Expected behavior
We need to be able to change a password on a global account without the resource "wallix-bastion_domain_account_credential" being affected, not to mention the password policy and the password checkin/checkout...

Feature Request
It would be necessary to be able to propagate the password when creating the resource "wallix-bastion_domain_account_credential".

Thanks for the support.

bsimonWallix commented 3 months ago

Hello @FranckSallet, this is a normal behaviour of Terraform. Between what is in state and the reality there are differences, so the recreation is done.

One way to overcome this kind of event is to use the lifecycle meta-data with an ignore-changes, or you can use the import capacity before doing the apply.

I will do some testing around it.

For the Feature request, could you create a new issue as a Feature Request with a bit more information about what you want to achieve with it.

Best regards,

FranckSallet commented 3 months ago

Hello @bsimonWallix, thank you for the answer. I tested the proposal and it works well. I use lifecycle on the password parameter. It's quite confusing because you can use the global account as a simple target account, but in my case it is used to manage the password of an Active Directory account. Greetings

FranckSallet commented 3 months ago

I'm reopening the case because there is indeed a bug. After several tests I see that the "wallix-bastion_domain_account_credential" resource is completely recreated even if I only changed the password from the GUI.

I don't understand how to bypass this with the lifecycle meta-argument.

Below is the terraform plan after a password reset through the GUI:

  # wallix-bastion_domain_account_credential.mapped_account_cred["fsallet"] will be created
  + resource "wallix-bastion_domain_account_credential" "mapped_account_cred" {
      + account_id = "ecr.fsallet"
      + domain_id  = "domain.local"
      + id         = (known after apply)
      + password   = (sensitive value)
      + public_key = (known after apply)
      + type       = "password"
    }

Below is the tf config:

resource "wallix-bastion_domain_account_credential" "pwd_reset_account_cred" {
  count       = var.customer_mapping_domain != null ? 1 : 0
  domain_id   = var.customer_mapping_domain
  account_id  = var.pwd_reset_account_login
  type        = "password"
  password    = var.pwd_reset_account_pwd
  lifecycle {
    ignore_changes = [
      password
    ]
  }
}

Regards

bsimonWallix commented 3 months ago

Hi @FranckSallet,

I can't reproduce the issue with or without the lifecycle meta-data.

We don't refresh password, passphrase and privatekey fields.

Maybe this is due to the count.

Are you doing a loop on a list of accounts?

If the list order changes, this can explain the recreation of the resource.

FranckSallet commented 3 months ago

Hi @bsimonWallix

I just figured out where the bug comes from.

You are right, we can change the password of a "wallix-bastion_domain_account_credential" resource from the GUI with no impact on the terraform. But if you enable "propagate credential change", the resource "wallix-bastion_domain_account_credential" is deleted and terraform will try to recreate it.

Regards

FranckSallet commented 2 months ago

Hi @bsimonWallix

Were you able to reproduce the problem? Have you been able to make progress on this case?

Regards, Franck

bsimonWallix commented 2 months ago

Hello, we reproduced the behaviour. Currently it's lacking an API endpoint to leverage it. We are looking at how to manage that, but nothing yet.

Best Regards,
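To make the distinction in this thread concrete (a GUI password change that the provider does not read back is harmless, while "propagate credential change" removes the object so Terraform must plan a create), here is an added Python model of the refresh/plan step. It is not code from the issue or the provider; the attribute names follow the plan output above, the secret values are constructed, and the 404-on-propagation behaviour is assumed from the comments.

```python
# Added example (not part of the issue or the provider): a small model of how
# Terraform's refresh/plan step treats the credential resource in this thread.
# Assumptions: the provider's Read skips password/passphrase/private_key (as
# stated above), and "propagate credential change" deletes the credential
# object on the Bastion, so a later read returns nothing (404).

NO_REFRESH = {"password", "passphrase", "private_key"}

def refresh(state, remote, no_refresh=NO_REFRESH):
    """Refresh one state entry from the remote object.

    Returns None when the object no longer exists (Terraform then drops the
    entry from state); otherwise returns the entry with remote attributes
    applied, except those the provider deliberately does not read back."""
    if remote is None:
        return None
    refreshed = dict(state)
    for key, value in remote.items():
        if key not in no_refresh:
            refreshed[key] = value
    return refreshed

def plan(config, state, remote, ignore_changes=(), no_refresh=NO_REFRESH):
    """Return the action Terraform would plan: 'create', 'update' or 'no-op'.

    ignore_changes only suppresses attribute drift; it cannot keep a resource
    that the refresh step found to be gone."""
    refreshed = refresh(state, remote, no_refresh) if state is not None else None
    if refreshed is None:
        return "create"
    for key, desired in config.items():
        if key in ignore_changes:
            continue
        if refreshed.get(key) != desired:
            return "update"
    return "no-op"

CONFIG = {"domain_id": "domain.local", "account_id": "ecr.fsallet",
          "type": "password", "password": "tf-secret"}   # constructed values
STATE = dict(CONFIG, id="cred-1")                        # constructed id

def scenario_gui_reset_without_propagation():
    # Password changed in the GUI; object still exists, password not read back.
    return plan(CONFIG, STATE, dict(STATE, password="gui-secret"))

def scenario_gui_reset_with_propagation(ignore_changes=("password",)):
    # Propagation enabled: the credential object is gone, so refresh returns None.
    return plan(CONFIG, STATE, None, ignore_changes)
```

Running both scenarios returns "no-op" and "create" respectively, and the second result does not change whether or not password is listed in ignore_changes.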