Lifecycle ignore_changes for password is not ignored and breaks the replication password resulting in the 401 Unauthorized

[MyKEms]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

• 0.12.24
• 0.12.29

Affected Resource(s)

• artifactory_replication_config

Terraform Configuration Files

resource "artifactory_replication_config" "npm-test" {
  repo_key                 = artifactory_local_repository.npm-test.key
  cron_exp                 = "0 0 6,23 ? * * *"
  enable_event_replication = false

  replications {
    enabled               = true
    socket_timeout_millis = 15000
    sync_deletes          = true
    sync_properties       = true
    sync_statistics       = true
    url                   = "https://art-instance.com/artifactory/npm-test/"
    username              = "username"
  }

  lifecycle {
    ignore_changes = [
      replications.0.password
    ]
  }

}

Debug Output

Gist link

Panic Output

Expected Behavior

• If artifactory_replication_config has defined:

  lifecycle {
    ignore_changes = [
      replications.0.password
    ]
  }

• Password should be never updated.

Actual Behavior

• If you don't use decrypted passwords in the artifactory and you specify to ignore password with:

  lifecycle {
    ignore_changes = [
      replications.0.password
    ]
  }

• Then you will modify replication (in this case just enable from disabled state) and apply via terraform:

# artifactory_replication_config.npm-test will be updated in-place
  ~ resource "artifactory_replication_config" "npm-test" {
        cron_exp                 = "0 0 6,23 ? * * *"
        enable_event_replication = false
        id                       = "npm-test"
        repo_key                 = "npm-test"

      ~ replications {
          ~ enabled               = false -> true
            password              = (sensitive value)
            socket_timeout_millis = 15000
            sync_deletes          = true
            sync_properties       = true
            sync_statistics       = true
            url                   = "https://art-instance.com/artifactory/npm-test/"
            username              = "username"
        }
    }

• Replication will be set according to the terraform plan but password will be also set with random hashed value. By this replication will stop to work with Connection failed: Target replication URL returned error 401: Unauthorized

Steps to Reproduce

1. Define artifactory_local_repository + artifactory_replication_config with the ignore_changes for the password.
2. terraform apply
3. Check the replication settings in the artifactory and hit the test button - you will receive 401: Unauthorized

Important Factoids

• This could be related to the lifecycle / ignore_changes blocking upgrade from 0.11 to 0.12 hashicorp/terraform#21433
• Lifecycle configuration in this repository is invalid for 0.12.X. Needs to be used ignore_changes = [replications.0.password] instead of ignore_changes = ["password"]

References

• lifecycle / ignore_changes blocking upgrade from 0.11 to 0.12 hashicorp/terraform#21433
• core: Fix handling of individual map keys in ignore_changes hashicorp/terraform#21788

[peters95]

Migrated -> jfrog/terraform-provider-artifactory#20

[chb0github]

I have updated the new ticket and this one can be closed @MyKEms