r/credential once_only option doesn't work

[insidepacket]

Code of Conduct

• I have read and agree to the Code of Conduct.
• Vote on this issue by adding a 👍 reaction to the original issue initial description to help the maintainers prioritize.
• Do not leave "+1" or other comments that do not add relevant information or questions.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Terraform

v.1.9.4

Terraform Provider

v0.10.0

VMware Cloud Foundation

5

Description

The once_only option for credential resources is not functioning as expected. When set to false, Terraform fails to update or rotate credentials after the initial run unless the resource itself is modified. Conversely, when set to true, Terraform still performs credential update/rotate operations at any time when there is a change with the credential resource. In essence, the once_only option appears to be disregarded by Terraform.

Affected Resources or Data Sources

r/credentials

Terraform Configuration

https://gist.github.com/insidepacket/7243154cc5fd0b34ab604b42597f5677

Debug Output

https://gist.github.com/insidepacket/99309ecfda35a8894afdbd3bd7c854dc

Panic Output

https://gist.github.com/insidepacket/99309ecfda35a8894afdbd3bd7c854dc

Expected Behavior

The once_only option is weird. We possibly remove it in the coming version.

Actual Behavior

When set to false, Terraform fails to update or rotate credentials after the initial run unless the resource itself is modified. Conversely, when set to true, Terraform still performs credential update/rotate operations at any time when there is a change with the credential resource. In essence, the once_only option appears to be disregarded by Terraform.

Steps to Reproduce

1. create the template with once_only option set true or false for credential update/rotate.
2. terraform apply

Environment Details

No response

Screenshots

No response

References

No response

[insidepacket]

I conducted a further check. Terraform ignored the once_only value when it was set to false: Terraform even did not attempt to call the backend function. In my opinion, @tenthirtyam, we should remove the option. Could I get your thoughts on this

[insidepacket]

The current behaviour is:

If once_only = true and we have run terraform apply at least once, no credential rotation operation will occur, regardless of changes to the vcf_credentials_rotate resource.

If once_only = false, credentials will be rotated when the vcf_credentials_rotate resource is changed. If there are no changes to the vcf_credentials_rotate resource in the Terraform template, no credential rotation operation will occur.

IMHO, the behaviour of using once_only = false is aligned with the declarative nature. On the contrary, once_only seems to break the idempotence principle of IaC.

Also, if customers would like to enforce the rotation policy (rotating their password every 90 days), they can use the following to achieve their objective:

resource "vcf_credentials_rotate" "rotate" {
  for_each = local.credentials_map

  resource_name = each.value.resource_name
  resource_type = each.value.resource_type
  once_only     = true
  credentials {
    credential_type = each.value.credential_type
    user_name       = each.value.user_name
  }
  lifecycle {
    replace_triggered_by = [
      time_static.rotate
    ]
  }
}

@tenthirtyam, @spacegospod, would we considering remove the option in the future release?