
[ISSUE] Intersight Provider 1.0.54 - resource intersight_storage_drive_security_policy - Plan not accounting for sensitive values #286

Open · 3 tasks done
scotttyso opened this issue Sep 7, 2024 · 0 comments

scotttyso commented Sep 7, 2024

Bug Report Checklist

  • Have you provided a full/minimal configuration to reproduce the issue?
  • Have you tested with the latest master to confirm the issue still exists?
  • Have you provided the terraform console logs with environment variable set to TF_LOG=trace?
Description

When running a plan/apply with intersight_storage_drive_security_policy, the sensitive values cause the plan to show them as an update. This doesn't happen with other policies, such as the local user policy.

Terraform-provider-intersight version

1.0.54

Configuration file
```hcl
resource "intersight_storage_drive_security_policy" "map" {
  description = "default"
  key_setting {
    key_type = "Kmip"
    remote_key {
      auth_credentials {
        password           = (sensitive value) # secret redacted in the report
        use_authentication = true
        username           = "kmip_user"
      }
      existing_key = (sensitive value) # secret redacted in the report
      primary_server {
        enable_drive_security = true
        ip_address            = "kmip-primary.example.com"
        port                  = 5696
        timeout               = 60
      }
      secondary_server {
        enable_drive_security = true
        ip_address            = "kmip-secondary.example.com"
        port                  = 5696
        timeout               = 60
      }
      server_certificate = (sensitive value) # secret redacted in the report
    }
  }
  name = "default"
  organization {
    moid = "5ddea1e16972652d32b6493a"
  }
}
```
Actual output (Attach screenshots if applicable)
```text
tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$ tfp
data.utils_yaml_merge.model: Reading...
data.utils_yaml_merge.model: Read complete after 0s [id=c19f636f4e52728c94d8901ef46cd4c9c78b8ed1]
module.organizations["map"].data.intersight_organization_organization.map["default"]: Reading...
module.policies["map"].data.intersight_iam_account.account: Reading...
module.policies["map"].data.intersight_iam_account.account: Read complete after 0s [id=5981bd053e95200001fd5632]
module.organizations["map"].data.intersight_organization_organization.map["default"]: Read complete after 0s [id=5ddea1e16972652d32b6493a]
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Reading...
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Read complete after 1s [id=59684dcb5e468000016525c8]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"] will be created
  + resource "intersight_iam_end_point_user" "map" {
      + account_moid         = (known after apply)
      + ancestors            = (known after apply)
      + class_id             = "iam.EndPointUser"
      + create_time          = (known after apply)
      + domain_group_moid    = (known after apply)
      + end_point_user_role  = (known after apply)
      + id                   = (known after apply)
      + mod_time             = (known after apply)
      + moid                 = (known after apply)
      + name                 = "admin"
      + object_type          = "iam.EndPointUser"
      + organization         = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "5ddea1e16972652d32b6493a"
              + object_type = (known after apply)
            },
        ]
      + owners               = (known after apply)
      + parent               = (known after apply)
      + permission_resources = (known after apply)
      + shared_scope         = (known after apply)
      + tags                 = (known after apply)
      + version_context      = (known after apply)
    }

  # module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"] will be created
  + resource "intersight_iam_end_point_user_policy" "map" {
      + account_moid         = (known after apply)
      + ancestors            = (known after apply)
      + class_id             = "iam.EndPointUserPolicy"
      + create_time          = (known after apply)
      + description          = "default"
      + domain_group_moid    = (known after apply)
      + end_point_user_roles = (known after apply)
      + id                   = (known after apply)
      + mod_time             = (known after apply)
      + moid                 = (known after apply)
      + name                 = "default"
      + object_type          = "iam.EndPointUserPolicy"
      + organization         = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "5ddea1e16972652d32b6493a"
              + object_type = (known after apply)
            },
        ]
      + owners               = (known after apply)
      + parent               = (known after apply)
      + password_properties  = [
          + {
              + class_id                 = "iam.EndPointPasswordProperties"
              + enable_password_expiry   = false
              + enforce_strong_password  = true
              + force_send_password      = false
              + grace_period             = 0
              + notification_period      = 15
              + object_type              = "iam.EndPointPasswordProperties"
              + password_expiry_duration = 90
              + password_history         = 0
            },
        ]
      + permission_resources = (known after apply)
      + profiles             = (known after apply)
      + shared_scope         = (known after apply)
      + tags                 = [
          + {
              + key   = "Module"
              + value = "easy-imm"
            },
          + {
              + key   = "Version"
              + value = "4.2.11-17769"
            },
        ]
      + version_context      = (known after apply)
    }

  # module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"] will be created
  + resource "intersight_iam_end_point_user_role" "map" {
      + account_moid          = (known after apply)
      + ancestors             = (known after apply)
      + change_password       = (known after apply)
      + class_id              = "iam.EndPointUserRole"
      + create_time           = (known after apply)
      + domain_group_moid     = (known after apply)
      + enabled               = true
      + end_point_role        = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "59684dcb5e468000016525c8"
              + object_type = "iam.EndPointRole"
            },
        ]
      + end_point_user        = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = (known after apply)
              + object_type = "iam.EndPointUser"
            },
        ]
      + end_point_user_policy = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = (known after apply)
              + object_type = "iam.EndPointUserPolicy"
            },
        ]
      + id                    = (known after apply)
      + is_password_set       = (known after apply)
      + mod_time              = (known after apply)
      + moid                  = (known after apply)
      + object_type           = "iam.EndPointUserRole"
      + owners                = (known after apply)
      + parent                = (known after apply)
      + password              = (sensitive value)
      + permission_resources  = (known after apply)
      + shared_scope          = (known after apply)
      + tags                  = (known after apply)
      + version_context       = (known after apply)
    }

  # module.policies["map"].intersight_storage_drive_security_policy.map["default/default"] will be created
  + resource "intersight_storage_drive_security_policy" "map" {
      + account_moid         = (known after apply)
      + ancestors            = (known after apply)
      + class_id             = "storage.DriveSecurityPolicy"
      + create_time          = (known after apply)
      + description          = "default"
      + domain_group_moid    = (known after apply)
      + id                   = (known after apply)
      + key_setting          = [
          + {
              + class_id    = "storage.KeySetting"
              + key_type    = "Kmip"
              + manual_key  = (known after apply)
              + object_type = "storage.KeySetting"
              + remote_key  = [
                  + {
                      + auth_credentials    = [
                          + {
                              + class_id           = "storage.KmipAuthCredentials"
                              + is_password_set    = (known after apply)
                              + object_type        = "storage.KmipAuthCredentials"
                              + password           = (sensitive value)
                              + use_authentication = true
                              + username           = "kmip_user"
                            },
                        ]
                      + class_id            = "storage.RemoteKeySetting"
                      + existing_key        = (sensitive value)
                      + is_existing_key_set = (known after apply)
                      + object_type         = "storage.RemoteKeySetting"
                      + primary_server      = [
                          + {
                              + class_id              = "storage.KmipServer"
                              + enable_drive_security = true
                              + ip_address            = "kmip-primary.example.com"
                              + object_type           = "storage.KmipServer"
                              + port                  = 5696
                              + timeout               = 60
                            },
                        ]
                      + secondary_server    = [
                          + {
                              + class_id              = "storage.KmipServer"
                              + enable_drive_security = true
                              + ip_address            = "kmip-secondary.example.com"
                              + object_type           = "storage.KmipServer"
                              + port                  = 5696
                              + timeout               = 60
                            },
                        ]
                      + server_certificate  = (sensitive value)
                    },
                ]
            },
        ]
      + mod_time             = (known after apply)
      + moid                 = (known after apply)
      + name                 = "default"
      + object_type          = "storage.DriveSecurityPolicy"
      + organization         = [
          + {
              + class_id    = "mo.MoRef"
              + moid        = "5ddea1e16972652d32b6493a"
              + object_type = (known after apply)
            },
        ]
      + owners               = (known after apply)
      + parent               = (known after apply)
      + permission_resources = (known after apply)
      + profiles             = (known after apply)
      + shared_scope         = (known after apply)
      + tags                 = [
          + {
              + key   = "Module"
              + value = "easy-imm"
            },
          + {
              + key   = "Version"
              + value = "4.2.11-17769"
            },
        ]
      + version_context      = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────

Saved the plan to: main.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "main.plan"
tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$ tfa
module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"]: Creating...
module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]: Creating...
module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"]: Creation complete after 0s [id=66dcd7ac6275723101b96762]
module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"]: Creating...
module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"]: Creation complete after 1s [id=66dcd7ac6275723101b96840]
module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"]: Creating...
module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]: Creation complete after 1s [id=66dcd7ac656f6e3101459d1c]
module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"]: Creation complete after 0s [id=66dcd7ad6275723101b9688e]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
```

Notice on the subsequent plan that the local user policy is not showing a change with the sensitive password, whereas the drive security policy is.

```text
tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$ tfp
data.utils_yaml_merge.model: Reading...
data.utils_yaml_merge.model: Read complete after 0s [id=c19f636f4e52728c94d8901ef46cd4c9c78b8ed1]
module.policies["map"].data.intersight_iam_account.account: Reading...
module.organizations["map"].data.intersight_organization_organization.map["default"]: Reading...
module.organizations["map"].data.intersight_organization_organization.map["default"]: Read complete after 1s [id=5ddea1e16972652d32b6493a]
module.policies["map"].data.intersight_iam_account.account: Read complete after 1s [id=5981bd053e95200001fd5632]
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Reading...
module.policies["map"].intersight_iam_end_point_user_policy.map["default/default"]: Refreshing state... [id=66dcd7ac6275723101b96762]
module.policies["map"].intersight_storage_drive_security_policy.map["default/default"]: Refreshing state... [id=66dcd7ac656f6e3101459d1c]
module.policies["map"].intersight_iam_end_point_user.map["default/default/admin"]: Refreshing state... [id=66dcd7ac6275723101b96840]
module.policies["map"].data.intersight_iam_end_point_role.map["admin"]: Read complete after 0s [id=59684dcb5e468000016525c8]
module.policies["map"].intersight_iam_end_point_user_role.map["default/default/admin"]: Refreshing state... [id=66dcd7ad6275723101b9688e]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.policies["map"].intersight_storage_drive_security_policy.map["default/default"] will be updated in-place
  ~ resource "intersight_storage_drive_security_policy" "map" {
        id                    = "66dcd7ac656f6e3101459d1c"
      ~ key_setting           = [
          ~ {
              ~ remote_key            = [
                  ~ {
                      ~ auth_credentials      = [
                          ~ {
                              + password              = (sensitive value)
                                # (6 unchanged attributes hidden)
                            },
                        ]
                      + existing_key          = (sensitive value)
                        # (7 unchanged attributes hidden)
                    },
                ]
                # (5 unchanged attributes hidden)
            },
        ]
        name                  = "default"
        tags                  = [
            {
                additional_properties = null
                key                   = "Module"
                value                 = "easy-imm"
            },
            {
                additional_properties = null
                key                   = "Version"
                value                 = "4.2.11-17769"
            },
        ]
        # (17 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────

Saved the plan to: main.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "main.plan"
tyscott@TYSCOTT-DESKTOP:~/terraform-cisco-modules/easy-imm/QA/drive_security$
```
Related issues/PRs

(none listed)

Suggest a fix

Provider should not require an update on subsequent plans to sensitive values unless it has changed.
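To show why a write-only secret produces the perpetual in-place update seen in the second plan, here is a constructed Go model added to this page; it is not the intersight provider's code. The management API answers a GET with only a flag such as is_password_set and never echoes the secret, so a refresh that copies the response literally drops the stored password and the next plan sees config != state. Type and function names are hypothetical.

```go
package main

import "fmt"

// APIObject models what a GET returns for the policy: the flag
// is_password_set, but never the secret itself (hypothetical type).
type APIObject struct {
	IsPasswordSet bool
}

// State is the provider's stored copy of the secret attribute after
// refresh; "" means the value is not known.
type State struct {
	Password string
}

// refreshNaive copies the API response literally. The API omits the
// password, so the previously applied value is lost on every refresh.
func refreshNaive(prior State, api APIObject) State {
	_ = prior // intentionally ignored: this is the buggy behaviour
	return State{Password: ""}
}

// refreshPreserving keeps the previously applied secret while the API
// reports that one is set. A server-side reset (flag false) still
// clears it, so a real drift is still detected.
func refreshPreserving(prior State, api APIObject) State {
	if api.IsPasswordSet {
		return State{Password: prior.Password}
	}
	return State{Password: ""}
}

// planAction is the diff step: the configured secret is compared with
// the refreshed state, exactly as Terraform does for any attribute.
func planAction(config string, refreshed State) string {
	if config != refreshed.Password {
		return "update in-place"
	}
	return "no-op"
}

func main() {
	applied := State{Password: "example-kmip-secret"} // constructed sample
	cfg := "example-kmip-secret"                       // unchanged in config
	api := APIObject{IsPasswordSet: true}

	fmt.Println("naive refresh:     ", planAction(cfg, refreshNaive(applied, api)))
	fmt.Println("preserving refresh:", planAction(cfg, refreshPreserving(applied, api)))
	// Rotating the secret in config must still yield an update.
	fmt.Println("rotated secret:    ", planAction("new-secret", refreshPreserving(applied, api)))
}
```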
