only update the password if it has changed #2263
Conversation
There was a problem hiding this comment.
Hi @kung-foo,
Thank you for fixing this, the change LGTM however I would like to see acceptance tests for this to make sure of two things:
- changes to the password in terraform are still persisted
- that if the password is changed outside terraform it is not overwritten
I would suggest using the standard GO db library to connect to the DB and confirm the password / change it.
Let me know if you would like any more details or help writing the tests 🙂
|
I've taken a quick look into writing some tests for this and that approach seems more complicated than we first thought - as such I'm going to suggest we skip that for the moment. Tests pass:
|
tombuildsstuff
dismissed
katbyte’s stale review
looked into this but this isn't so easy due to DNS replication
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
When updating an
azurerm_sql_serverresource, all of the properties are pushed to the Azure API, even if nothing has changed.This PR addresses only the
administrator_login_passwordfield, and not any other fields.Motivation: When creating an
azurerm_sql_serverinstance, the API requires setting a new password. But this means it is both in source code and the state file. So our approach is to set it to something random, and then later, in a separate process (e.g. using data from Key Vault) set it to something secure. The problem comes when something else changes on the resource the results in an update (e.g. adding a tag). The existing random password is then sent along with the update.I am not 100% sure this won't introduce a different bug since the read API doesn't return the password. So I am not sure how the diff routine works in that case. Meaning usually terraform will complain if you change something server side, but in this case, terraform has no way of knowing if it has changed.