iosxe_username cannot update user informations

[dga-nagra]

iosxe_username is not able to update the remote user. (Also, the "description" variable does not work)

Steps to reproduce

Define the provider and a new user:

provider "iosxe" {
  alias = "test"
  devices = [
    {
      name = "test"
      url  = "https://10.11.12.13"
    },
  ]
}

resource "iosxe_username" "test_user" {
  provider = iosxe.test

  name      = "test_user"
  privilege = 15
  # description         = ""  # Description is not supported
  secret            = "mysuperpassword"
}

Now change the secret value, e.g.:

...

resource "iosxe_username" "test_user" {
  provider = iosxe.test

  name      = "test_user"
  privilege = 15
  secret            = "my_NEW_superpassword"  # <----------------------------------------------------
}

If I run terraform with TF_LOG=DEBUG terraform apply -auto-approve, I will see:

2024/02/21 10:45:20 [DEBUG] HTTP Request: PATCH, https://10.11.12.13/restconf/data/Cisco-IOS-XE-native:native/username, {{"Cisco-IOS-XE-native:username":{"name":"test_user","privilege":"15","secret":{"secret":"my_NEW_superpassword"}}}}
2024/02/21 10:45:22 [DEBUG] HTTP Response: {
  "errors": {
    "error": [
      {
        "error-message": "inconsistent value: Device refused one or more commands",
        "error-path": "/Cisco-IOS-XE-native:native/username",
        "error-tag": "invalid-value",
        "error-type": "application"
      }
    ]
  }
}

Workaround

We can force to replace the user instead of updating him using lifecycle:replace_triggered_by and lifecycle:ignore_changes meta-arguments but this is still not optimal

locals {
    username = "test_user"
}

resource "null_resource" "local_admin_replace_trigger" {
  triggers = {
    username = local.username
    password = module.password.result
  }
}

resource "iosxe_username" "test_user" {
  provider = iosxe.test

  name      =  local.username
  privilege = 15
  secret            = "mysuperpassword"  
  lifecycle {
    ignore_changes = all
    replace_triggered_by = [      # <----------------------------------------------------
      aws_secretsmanager_secret_version.this.secret_string
    ]
  }
}

Especially, replace_triggered_by meta-argument only allows resources/count/each sources, meaning we cannot use a variable inside of it. ignore_changes is required because, with state refreshing, the secret on the device is not the same as provided unencrypted because the value; the value in the configuration is not encrypted, while the value on the remote is. This means that, even if the secret does not change, terraform will think there is a change

NOTE: In this workaround, I first only used the password as a trigger, but for an unknown reason, terraform always think that the username changed as well, therefore I also must ensure that the username triggers a replacement

Cisco version

Nb: This bug was confirmed with one specific version, but it may also impact others

#show version
Cisco IOS XE Software, Version 16.12.07
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.7, RELEASE SOFTWARE (fc2)

Additional information

• The first creation of the user work even if the user already exists on the device prior to terraform execution. I therefore think there is an issue with the "PATCH" requrest

[dga-nagra]

Hi @danischm, I saw that you are the most active contributor and that you approved PR.
I am wondering if you could confirm this issue and if there are any plan on fixing it ?

Nb: If needed, I may contribute.
Thank you for your response

[danischm]

I need to further investigate this..