Modules that take password are not idempotent in --check mode

[kk-at-redhat]

Please confirm the following

• I agree to follow this project's code of conduct.
• I have checked the current issues for duplicates.
• I understand that AWX is open source software provided for free and that I might not receive a timely response.
• I am NOT reporting a (potential) security vulnerability. (These should be emailed to security@ansible.com instead.)

Bug Summary

User and Credential modules show "changed" in --check mode when password field is specified, even with update_secrets set to false.

AWX version

23.2.0

Select the relevant components

• UI
• UI (tech preview)
• API
• Docs
• Collection
• CLI
• Other

Installation method

docker development environment

Modifications

no

Ansible version

2.14.2

Operating system

Red Hat Enterprise Linux release 9.1 (Plow)

Web browser

Chrome

Steps to reproduce

test_bugs.yml

    - ansible.controller.user:
        username: 'A'
        password: 'pass'
        update_secrets: false

    - ansible.controller.credential:
        name: 'Machine A'
        credential_type: 'Machine'
        update_secrets: false
        inputs: {'password': '', 'username': 'AAA'}

    - ansible.controller.user:
        username: 'A'

    - ansible.controller.credential:
        name: 'Machine A'
        credential_type: 'Machine'
        inputs: {'username': 'AAA'}

ansible-playbook test_bugs.yml

ansible-playbook test_bugs.yml --check

Expected results

ok: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...

ok: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...

Actual results

ok: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...

changed: [localhost] ...
changed: [localhost] ...
ok: [localhost] ...
ok: [localhost] ...

Additional information

No response

[thedoubl3j]

so the modules are working correctly, but how we are interpreting check mode output/results is not correct @kk-at-redhat am I reading that correctly?

[kk-at-redhat]

I'm not sure I follow the question.

Without password field, Ansible detects that all the fields are the same and reports "OK" in check and real mode. That's expected.

When password field is specified, Ansible has no way of knowing if the password changed or not, so it may report a change, I can accept that. However with update_secrets set to false, considering all the other fields haven't changed, we should see "OK" in any mode.

Provided output shows that with password field and update_secrets set to false, Ansible reports "OK" in real mode but "Changed" in check mode. Why is that? It doesn't make any sense.