icx_user - update_password flag not honoured?

[sjwk]

SUMMARY

According to the documentation, icx_user has a field update_password which is either 'always' or 'on_create'.
If set to on_create it should only set the password on creation of the user, but it appears to reset it every time the play is run, generating a new hash and logging that a change has occurred.
From a quick search of the repo, it doesn't look as though there's actually any code that looks at that value, unless it's somewhere outside of the repo itself.

ISSUE TYPE

• Bug Report

COMPONENT NAME

icx_user

ANSIBLE VERSION

ansible [core 2.13.3]
  config file = /usr/local/foo/ansible/ansible.cfg
  configured module search path = ['/home/foo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/foo/ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /usr/local/foo/ansible/collections
  executable location = /usr/local/foo/ansible/bin/ansible
  python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

# /usr/local/foo/ansible/lib/python3.8/site-packages/ansible_collections
Collection        Version
----------------- -------
community.network 4.0.1

# /usr/local/foo/ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.network 5.0.0

CONFIGURATION

ANSIBLE_NOCOWS(/usr/local/foo/ansible/ansible.cfg) = True
COLLECTIONS_PATHS(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/collections']
DEFAULT_DEBUG(env: ANSIBLE_DEBUG) = False
DEFAULT_HOST_LIST(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/hosts']
DEFAULT_KEEP_REMOTE_FILES(env: ANSIBLE_KEEP_REMOTE_FILES) = False
DEFAULT_LOG_PATH(env: ANSIBLE_LOG_PATH) = /home/foo/ansible.log
DEFAULT_REMOTE_USER(/usr/local/foo/ansible/ansible.cfg) = ansdeploy
DEFAULT_ROLES_PATH(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/roles']
HOST_KEY_CHECKING(/usr/local/foo/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/usr/local/foo/ansible/ansible.cfg) = auto

OS / ENVIRONMENT

STEPS TO REPRODUCE

EXPECTED RESULTS

The password not to be reset every time the play is run

ACTUAL RESULTS

Every time the play is run with no changes to the play or variables, it shows a change was made and on checking on the switch, the encoded password has been modified.

SSH@test#sh users
Username                                        Password                           Encrypt   Priv Status   Expire Time
======================================================================================================================
foo                                             $1$aopQ......... enabled   0    enabled  Never

# Run the play again

SSH@test#sh users
Username                                        Password                           Encrypt   Priv Status   Expire Time
======================================================================================================================
foo                                             $1$tYRP........ enabled   0    enabled  Never

[Andersson007]

@sjwk hello, thanks for reporting the issue!

@commscope @sushma-alethea as you mentioned as its maintainers, would you like to take a look?

If anyone else wants to fix it, here's the Quick-start dev guide that can help.
Stuff in this collection needs more maintainers, so if you're interested, feel free to pick things up!
We'd be happy to assist along the way.