Description
Describe the bug
Related to #865, which is for terraform not updating bind_credential.
But the provider seems to upsert the value any time the resource is applied without knowing what the value in keycloak is. E.g. if you change the value of change_synced_period only, then apply, it includes bind_credential in that api call but doesn't show it in the plan. This actually caused an outage for us -- the value in keycloak didn't match the value in terraform, so it was updated. But no warning was given in the plan that anything was changing.
This is because the keycloak api only returns a redacted value, which the provider uses to suppress a diff:
```python
>>> pprint(a.get_component('5113dc10-303a-4ec6-9ff8-df01afa2ae25'))
{'config': { # ...
             'bindCredential': ['**********'],
}
```
I realize it's impossible to manage well without keycloak returning e.g. a checksum of the credential, but the current behavior is dangerous.
If possible, don't send bind_credential in the payload for updates to this resource if the value isn't changing from state. If not, I would suggest always showing a plan diff for bind_credential in the plan if the resource is being updated. This is confusing, yes, but could be explained in documentation, and is safer than showing no diff.
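As an added illustration (not code from this issue or from the provider), a Go sketch of the behaviour described above and of the two suggested alternatives. The mask string and the config key names are taken from the report or from the Keycloak admin API; the function names and sample values are hypothetical and constructed here.

```go
package main

import (
	"fmt"
	"strings"
)

// Config is a component config as the Keycloak admin API returns it:
// single-element string slices, e.g. "bindCredential": {"**********"}.
type Config map[string][]string

// isRedacted: the mask from the issue says nothing about the stored password,
// so a redacted remote value can never be compared against Terraform state.
func isRedacted(v string) bool {
	return v != "" && strings.Trim(v, "*") == ""
}

// currentPayload reproduces the reported behaviour: bindCredential is always sent.
func currentPayload(plan Config) Config {
	out := Config{}
	for k, v := range plan {
		out[k] = append([]string(nil), v...)
	}
	return out
}

// safePayload sketches the first suggestion (hypothetical, not provider code):
// omit bindCredential when plan equals prior state, so a password rotated in
// Keycloak is not overwritten by a change to an unrelated attribute.
func safePayload(prior, plan Config) Config {
	out := currentPayload(plan)
	if strings.Join(prior["bindCredential"], "\x00") == strings.Join(plan["bindCredential"], "\x00") {
		delete(out, "bindCredential")
	}
	return out
}

// planNote sketches the second suggestion: when the resource is being updated
// and Keycloak returned only a mask, surface that in the plan instead of hiding it.
func planNote(remote Config) string {
	if r := remote["bindCredential"]; len(r) == 1 && isRedacted(r[0]) {
		return "bind_credential: remote value is masked and cannot be verified; it will be sent on update"
	}
	return ""
}

func main() { // constructed sample: an unrelated attribute changes, the credential does not
	prior := Config{"bindCredential": {"s3cret"}, "changedSyncPeriod": {"86400"}}
	plan := Config{"bindCredential": {"s3cret"}, "changedSyncPeriod": {"3600"}}
	remote := Config{"bindCredential": {"**********"}, "changedSyncPeriod": {"86400"}}
	fmt.Println(currentPayload(plan), safePayload(prior, plan), planNote(remote))
}
```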
Version
26.2.1
Expected behavior
A diff is shown in the plan if bind_credential changes or may be changing
Actual behavior
bind_credential may be changed even if the plan doesn't show it
How to Reproduce?
- Apply a keycloak_ldap_user_federation with bind_credential
- Change the ldap bind password in keycloak
- Make a change to another keycloak_ldap_user_federation parameter in terraform -- plan shows no change
- Apply. The credential in keycloak is changed
Anything else?
No response