ansible-modules-hashivault
Idempotency issue for hashivault_auth_ldap & password non set
Hi, 'hashivault_approle_role' isn't idempotent.
Probably because of non default mount_path
```yaml
- name: test
  hosts: localhost
  gather_facts: false
  tasks:
    - hashivault_auth_method:
        token: "{{ lookup('env', 'VAULT_TOKEN') }}"
        url: "{{ lookup('env', 'VAULT_ADDR') }}"
        method_type: "ldap"
        mount_point: "ldaptest"
    - hashivault_auth_ldap:
        token: "{{ lookup('env', 'VAULT_TOKEN') }}"
        url: "{{ lookup('env', 'VAULT_ADDR') }}"
        mount_point: "ldaptest"
```
Running the playbook multiple times will always return changed:

```
TASK [hashivault_approle_role] ********************************************************************************************
changed: [localhost]
```

Strange behaviors here:

- If I change the mount point from `ldaptest` to the standard `ldap`, the module reports ok on every run, also if the ldap auth method path does not exist.
- Also, even if not idempotent, passing config values seems to correctly configure vault `ldaptest`, but the password is not set. Setting the same values (with password) with the vault cli works fine.
This code is very manual at constructing desired and current state. The underlying vault or hvac may have changed also since this was created
https://github.com/TerryHowe/ansible-modules-hashivault/blob/main/ansible/modules/hashivault/hashivault_write.py#L122
Hi @TerryHowe,
this issue is about hashivault_auth_ldap, not hashivault_write; am I missing something?
@TerryHowe any update about this!?!?
Hi @TerryHowe,
my bad for the password-not-set issue, I found the wrong bind password parameter name (I erroneously named it `bindpass` instead of `bind_pass`). The idempotency issue is still present.
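Added example (not the module's own code): a pure-Python sketch of the desired-vs-current comparison this thread is about, showing why a write-only parameter such as `bind_pass` must be excluded from the changed decision and why an unmounted path should error rather than report ok. The field names in `CURRENT_CONFIG`, the helper names and the `mounted_paths` argument are constructed assumptions, not the module's API.

```python
"""Idempotency check for a Vault LDAP auth backend (hypothetical helper).

Vault never returns the bind password when the config is read back, so a
naive comparison of desired vs. current config reports 'changed' on every
run. Write-only fields therefore have to be left out of the comparison.
"""

# Constructed sample of what a read of auth/ldaptest/config might return
# (write-only fields such as bind_pass are absent from the read back).
CURRENT_CONFIG = {
    "url": "ldaps://ldap.example.com",
    "userdn": "ou=Users,dc=example,dc=com",
    "binddn": "cn=vault,ou=svc,dc=example,dc=com",
    "insecure_tls": False,
}

# Parameters accepted on write but never echoed back on read (assumption).
WRITE_ONLY_PARAMS = {"bind_pass"}


def normalize_mount(mount_point: str) -> str:
    """'ldaptest', 'ldaptest/' and '/ldaptest/' name the same auth path."""
    return mount_point.strip("/") + "/"


def config_diff(current: dict, desired: dict) -> dict:
    """Return only the desired keys whose value differs from current.

    Write-only parameters are skipped: they cannot be compared, so they
    must not drive the 'changed' result. Keys the caller did not set are
    left alone rather than reset to defaults.
    """
    return {
        key: value
        for key, value in desired.items()
        if key not in WRITE_ONLY_PARAMS and current.get(key) != value
    }


def plan_change(mounted_paths: set, mount_point: str, current: dict, desired: dict):
    """Decide the module result as (changed, diff).

    Fails loudly when the auth method is not mounted at mount_point
    instead of silently reporting ok against a path that does not exist.
    """
    path = normalize_mount(mount_point)
    if path not in {normalize_mount(p) for p in mounted_paths}:
        raise LookupError(f"auth method not mounted at {path}")
    diff = config_diff(current, desired)
    return bool(diff), diff
```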
@TerryHowe, I believe this issue is resolved by merging #417 and can be closed.
Thanks, fixed in 5.1 as I recall