terraform-provider-digitalocean
Imported MongoDB digitalocean_database_user password not exported
Hi, I'm using version 2.19.0 and it seems that this issue is back: https://github.com/digitalocean/terraform-provider-digitalocean/pull/697 when importing an already existing user. So far I'm unable to get the password value. Maybe it has something to do with this fix: https://github.com/digitalocean/terraform-provider-digitalocean/issues/812.
The resource creation:
resource "digitalocean_database_user" "database_user" {
  count      = var.deployment_environment == "production" ? 1 : 0
  cluster_id = digitalocean_database_cluster.mongodb-production[0].id
  name       = "user-${var.project_name}"
}
Snippet of tf state
{
  "mode": "managed",
  "type": "digitalocean_database_user",
  "name": "database_user",
  "provider": "provider[\"registry.terraform.io/digitalocean/digitalocean\"]",
  "instances": [
    {
      "index_key": 0,
      "schema_version": 0,
      "attributes": {
        "cluster_id": "ae22bd23-d7ac-4b6f-a7d3-826a705e469a",
        "id": "ae22bd23-d7ac-4b6f-a7d3-826a705e469a/user/user-xxx",
        "mysql_auth_plugin": null,
        "name": "user-xxx",
        "password": null,
        "role": "normal"
      },
      "sensitive_attributes": [],
      "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ==",
      "dependencies": [
        "digitalocean_database_cluster.mongodb-production"
      ]
    }
  ]
}
Thanks in advance...
Hi there,
Thank you for this write-up. The PRs and GitHub issues you included were specific to creating new users. We don't currently support importing already existing users, only creating new ones. We will have to look into documenting this somewhere. Apologies for the inconvenience.
To add a bit more context here, MongoDB user passwords are only ever shown when the user is created. In the control panel, the password is not available on subsequent views, nor is it available in GET responses in the API. It is only ever returned in the POST response creating the user or resetting the password. So the Terraform provider is not currently able to support importing MongoDB users with their password. We could potentially reset the password on import, but that would likely be very surprising and could lead to breakage. Perhaps we can add a way to explicitly opt-in to that behavior.
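The condition described in this thread can be checked for directly in a state file. The script below is an added example, not part of the original thread or the provider's code: it lists `digitalocean_database_user` resources whose `password` is null or empty in state, which is what an imported user looks like. The function name and the sample state are constructed for illustration.

```python
import json

# Constructed sample state modelled on the snippet in the issue: one imported
# user (password null) and one user created through Terraform.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "digitalocean_database_user",
     "name": "database_user",
     "instances": [{"index_key": 0, "attributes": {
         "name": "user-imported", "password": None, "role": "normal"}}]},
    {"mode": "managed", "type": "digitalocean_database_user",
     "name": "created_user",
     "instances": [{"attributes": {
         "name": "user-created", "password": "constructed-placeholder",
         "role": "normal"}}]},
    {"mode": "managed", "type": "digitalocean_database_cluster",
     "name": "mongodb-production",
     "instances": [{"index_key": 0, "attributes": {"name": "constructed"}}]},
]})

USER_TYPE = "digitalocean_database_user"


def users_missing_password(state_text):
    """Return addresses of database users whose state holds no password.

    Only resource addresses are returned; password values are never emitted.
    """
    missing = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != USER_TYPE:
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            if (inst.get("attributes") or {}).get("password"):
                continue  # password was captured when the user was created
            key = inst.get("index_key")
            index = "" if key is None else "[" + json.dumps(key) + "]"
            missing.append(prefix + res["type"] + "." + res["name"] + index)
    return missing


if __name__ == "__main__":
    for address in users_missing_password(SAMPLE_STATE):
        print("no password in state:", address)
```

Any configuration that references the `password` attribute of a listed address will receive null.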