Open FranckSallet opened 3 months ago
Hello @FranckSallet, this is normal behaviour for Terraform. There are differences between what is in state and the reality, so the recreation is done.
One way to overcome this kind of event is to use the lifecycle meta-data with an ignore-changes, or you can use the import capacity before doing the apply.
I will do some testing around it.
For the feature request, could you create a new issue as a Feature Request with a bit more information about what you want to achieve by that?
Best regards,
Hello @bsimonWallix, thank you for the answer. I tested the proposal and it works well. I use lifecycle on the password parameter. It's quite confusing because you can use the global account as a simple target account, but in my case it is used to manage the password of an Active Directory account. Greetings
I'm reopening the case because there is indeed a bug. After several tests I see that the "wallix-bastion_domain_account_credential" resource is completely recreated even if I only changed the password from the GUI.
I don't understand how to bypass this with the lifecycle meta-argument.
Below is the terraform plan after a password reset through the GUI:
    # wallix-bastion_domain_account_credential.mapped_account_cred["fsallet"] will be created
    + resource "wallix-bastion_domain_account_credential" "mapped_account_cred" {
        + account_id = "ecr.fsallet"
        + domain_id  = "domain.local"
        + id         = (known after apply)
        + password   = (sensitive value)
        + public_key = (known after apply)
        + type       = "password"
      }
Below is the tf config:
    resource "wallix-bastion_domain_account_credential" "pwd_reset_account_cred" {
      count      = var.customer_mapping_domain != null ? 1 : 0
      domain_id  = var.customer_mapping_domain
      account_id = var.pwd_reset_account_login
      type       = "password"
      password   = var.pwd_reset_account_pwd
      lifecycle {
        ignore_changes = [
          password
        ]
      }
    }
Regards
Hi @FranckSallet,
I can't reproduce the issue with or without the lifecycle meta-data.
We don't refresh password, passphrase and privatekey fields.
Maybe this is due to the count.
Are you doing a loop on a list of accounts?
If the list order changes, this can explain the recreation of the resource.
Hi @bsimonWallix
I just figured out where the bug comes from.
You are right, we can change the password of a "wallix-bastion_domain_account_credential" resource from the GUI with no impact on Terraform. But if you enable "propagate credential change", the resource "wallix-bastion_domain_account_credential" is deleted and Terraform will try to recreate it.
Regards
Hi @bsimonWallix
Were you able to reproduce the problem? Have you been able to make progress on this case?
Regards, Franck
Hello, we reproduced the behaviour. Currently it's lacking an API endpoint to leverage it. We are looking at how to manage that, but nothing yet.
Best Regards,
Describe the bug
When we reset a password on a global account, the "wallix-bastion_domain_account_credential" resource associated with it is deleted and is therefore recreated on the next "terraform apply".

To Reproduce
Steps to reproduce the behavior:

Expected behavior
We need to be able to change a password on a global account without the resource "wallix-bastion_domain_account_credential" being affected, not to mention the password policy and the password checkin/checkout...

Feature Request
It would be necessary to be able to propagate the password when creating the resource "wallix-bastion_domain_account_credential".
thanks for the support
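
A pre-apply check for the recreation reported in this issue, as an added example that is not part of the thread or of the provider's code: `ignore_changes` does not cover a resource deleted outside Terraform, so this script flags credential resources that the plan would create again from the configured password. It assumes the plan JSON from `terraform show -json` lists out-of-band deletions under `resource_drift`; the function name and the sample plan are constructed for illustration.

```python
import json
import sys

# Resource type taken from the issue; everything else here is illustrative.
CRED_TYPE = "wallix-bastion_domain_account_credential"

def _addresses(entries, rtype, actions):
    """Addresses of entries of the given type whose planned actions match."""
    return {e["address"] for e in entries
            if e.get("type") == rtype and e.get("change", {}).get("actions") == actions}

def recreated_credentials(plan, rtype=CRED_TYPE):
    """Credentials that vanished outside Terraform AND that this plan would create
    again, i.e. an apply would push the password held in the configuration over
    whatever the bastion rotated or propagated in the meantime."""
    gone = _addresses(plan.get("resource_drift", []), rtype, ["delete"])
    created = _addresses(plan.get("resource_changes", []), rtype, ["create"])
    return sorted(gone & created)

# Constructed sample shaped like `terraform show -json plan.out` output.
FSALLET = CRED_TYPE + '.mapped_account_cred["fsallet"]'
NEWUSER = CRED_TYPE + '.mapped_account_cred["newuser"]'
SAMPLE_PLAN = {
    "resource_drift": [
        # Deleted on the bastion side after a GUI password change.
        {"address": FSALLET, "type": CRED_TYPE, "change": {"actions": ["delete"]}},
    ],
    "resource_changes": [
        {"address": FSALLET, "type": CRED_TYPE, "change": {"actions": ["create"]}},
        # First-time creation: no drift entry, so it is not flagged.
        {"address": NEWUSER, "type": CRED_TYPE, "change": {"actions": ["create"]}},
    ],
}

if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python check.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    flagged = recreated_credentials(plan)
    for address in flagged:
        print("would recreate with configured password:", address)
    sys.exit(1 if flagged else 0)
```

A non-zero exit lets a pipeline stop before `terraform apply` so the credential can be reviewed or re-imported first.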