
No idempotency when using GroupName property with cyberark.pas.cyberark_account

Open pint2oo opened this issue 3 years ago • 0 comments

Summary

When creating accounts with a "GroupName" property using the cyberark.pas.cyberark_account module, any subsequent task run on this account is systematically marked as "changed", despite the provided values being the same.

This does not happen with accounts that are not part of a group (no "GroupName" property given).

Steps to Reproduce

Using the cyberark.pas.cyberark_account module, create an account with a "GroupName" property under "platform_account_properties".

Then, run the task again without changing any values.

Expected Results

I expect the task to return as "ok" when no value has actually changed (idempotency).

Actual Results

The task returns as "changed".

In the log of the task below, you can see a GroupName is passed in the module_args, but does not show in the result section, which may be linked to the issue.

changed: [host.domain.tld] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "address": "host.domain.tld",
            "api_base_url": "********/PasswordVault/api/",
            "cyberark_session": {
                "api_base_url": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "validate_certs": true
            },
            "identified_by": "username,address,platform_id",
            "logging_file": "/tmp/cyberark_role_20210621_1041",
            "logging_level": "INFO",
            "name": "MY_ACCOUNT_NAME",
            "new_secret": null,
            "platform_account_properties": {
                "CustomDescription": "foo",
                "CustomIP": "1.2.3.4",
                "ExtraPass3Folder": "RECONCILE_FOLDER",
                "ExtraPass3Name": "RECONCILE_NAME",
                "ExtraPass3Safe": "RECONCILE_SAFE",
                "GroupName": "MY_GROUP",
                "IP": "1.2.3.4",
                "Location": "foo"
            },
            "platform_id": "MY_PLATFORM",
            "remote_machines_access": null,
            "safe": "MY_SAFE",
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "secret_management": {
                "automatic_management_enabled": true,
                "management_action": "change",
                "manual_management_reason": null,
                "new_secret": null,
                "perform_management_action": "on_create"
            },
            "secret_type": "password",
            "state": "present",
            "username": "my_account",
            "validate_certs": true
        }
    },
    "result": {
        "result": {
            "address": "host.domain.tld",
            "categoryModificationTime": 1624029563,
            "createdTime": 1623171048,
            "id": "161_2626",
            "name": "MY_ACCOUNT_NAME",
            "platformAccountProperties": {
                "CustomDescription": "foo",
                "CustomIP": "1.2.3.4",
                "ExtraPass3Folder": "RECONCILE_FOLDER",
                "ExtraPass3Name": "RECONCILE_NAME",
                "ExtraPass3Safe": "RECONCILE_SAFE",
                "Hostname": "HOST",
                "IP": "1.2.3.4",
                "Location": "foo"
            },
            "platformId": "MY_PLATFORM",
            "safeName": "MY_SAFE",
            "secretManagement": {
                "automaticManagementEnabled": true,
                "lastModifiedTime": 1623946613,
                "lastReconciledTime": 1623946649,
                "status": "success"
            },
            "secretType": "password",
            "userName": "my_account"
        }
    },
    "status_code": 200
}

Reproducible

  • [x] Always
  • [ ] Sometimes
  • [ ] Non-Reproducible

Version/Tag number

Collection cyberark.pas v1.0.7.

Environment setup

Running in a venv, with ansible v2.9.12 and python v3.6.8.


pint2oo, Jun 21 '21 09:06
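The two property dictionaries from the task log above, compared key by key, as an added example that is not part of the original issue and not code from the cyberark.pas collection. The comparison rule (a requested key that is missing or different counts as a change) and the `not_echoed` parameter are assumptions made for illustration.

```python
# Added illustration, not code from the cyberark.pas collection.
# Both dicts are copied from the task log in the issue.
REQUESTED = {  # invocation.module_args.platform_account_properties
    "CustomDescription": "foo", "CustomIP": "1.2.3.4",
    "ExtraPass3Folder": "RECONCILE_FOLDER", "ExtraPass3Name": "RECONCILE_NAME",
    "ExtraPass3Safe": "RECONCILE_SAFE", "GroupName": "MY_GROUP",
    "IP": "1.2.3.4", "Location": "foo",
}
RETURNED = {  # result.result.platformAccountProperties
    "CustomDescription": "foo", "CustomIP": "1.2.3.4",
    "ExtraPass3Folder": "RECONCILE_FOLDER", "ExtraPass3Name": "RECONCILE_NAME",
    "ExtraPass3Safe": "RECONCILE_SAFE", "Hostname": "HOST",
    "IP": "1.2.3.4", "Location": "foo",
}


def classify_properties(requested, returned):
    """Sort each requested key by how it compares with the API's answer."""
    report = {"same": [], "different": [], "not_returned": [],
              "server_added": sorted(set(returned) - set(requested))}
    for key in sorted(requested):
        if key not in returned:
            report["not_returned"].append(key)
        elif str(returned[key]) != str(requested[key]):
            report["different"].append(key)
        else:
            report["same"].append(key)
    return report


def reports_changed(requested, returned, not_echoed=frozenset()):
    """Assumed comparison: a requested key that is missing or different counts
    as a change. Keys in not_echoed (hypothetical parameter) are skipped, which
    restores "ok" but also means a real change to them is never detected."""
    report = classify_properties(requested, returned)
    missing = [k for k in report["not_returned"] if k not in not_echoed]
    return bool(report["different"] or missing)


if __name__ == "__main__":
    print(classify_properties(REQUESTED, RETURNED))
    print("plain comparison changed:", reports_changed(REQUESTED, RETURNED))
    print("GroupName skipped changed:",
          reports_changed(REQUESTED, RETURNED, not_echoed={"GroupName"}))
```

Running the same classification over the `module_args` and `result` of any task that keeps reporting "changed" shows which requested properties the API response does not carry.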