-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
only update the password if it has changed #2263
only update the password if it has changed #2263
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
accidentally commented
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @kung-foo,
Thank you for fixing this, the change LGTM however I would like to see acceptance tests for this to make sure of two things:
- changes to the password in terraform are still persisted
- that if the password is changed outside terraform it is not overwritten
I would suggest using the standard GO db library to connect to the DB and confirm the password / change it.
Let me know if you would like any more details or help writing the tests 🙂
looked into this but this isn't so easy due to DNS replication
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - thanks for this @kung-foo
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
When updating an
azurerm_sql_server
resource, all of the properties are pushed to the Azure API, even if nothing has changed.This PR addresses only the
administrator_login_password
field, and not any other fields.Motivation: When creating an
azurerm_sql_server
instance, the API requires setting a new password. But this means it is both in source code and the state file. So our approach is to set it to something random, and then later, in a separate process (e.g. using data from Key Vault) set it to something secure. The problem comes when something else changes on the resource the results in an update (e.g. adding a tag). The existing random password is then sent along with the update.I am not 100% sure this won't introduce a different bug since the read API doesn't return the password. So I am not sure how the diff routine works in that case. Meaning usually terraform will complain if you change something server side, but in this case, terraform has no way of knowing if it has changed.