remove secret crypted by terraform on junos_system_tacplus_server #688

Closed
lotusnoir opened this issue Jul 31, 2024 · 1 comment · Fixed by #699

@lotusnoir

Hello,

On resource "junos_system_tacplus_server" there is the variable "secret (Optional, String, Sensitive)" that has to be a plain text password in order to be encrypted by Terraform. Because I don't want to have the clear password in the configuration code but directly the encrypted one, is it possible to add an option to choose if we want it converted by Terraform or not?

Like you do for resource "junos_system_root_authentication" with

encrypted_password
plain_text_password

Thanks in advance

@lotusnoir lotusnoir added the bug Something isn't working label Jul 31, 2024
@jeremmfr
Owner

Hi 👋

The provider doesn't encrypt plain text secrets, but the Junos device encrypts plain text secrets with an obfuscation algorithm, which is easily reversible.
The provider sets secrets without any modification on the value from Terraform config, but when reading secrets on the Junos device to refresh the resource state, it decodes it to avoid drift between the secret in the config and the secret in the state.

With the current version of the provider, if you add an encrypted secret to the attribute in the config, it will be correctly added. Still, a refresh of the resource will detect a drift between the attribute in the config and the attribute in the state.

Passwords of system users (root and other users) are encrypted with a different algorithm which is not reversible, so there are two options on the corresponding resources (junos_system_root_authentication, junos_system_login_user, junos_snmp_v3_usm_user) in the provider.

So for your needs, I'll take care of adding an option to the provider to disable automatic decoding of secrets. So you will be able to add encrypted secrets without causing an attribute drift.

@jeremmfr jeremmfr added enhancement New feature or request and removed bug Something isn't working labels Aug 29, 2024
@jeremmfr jeremmfr added this to the v2.9.0 milestone Aug 29, 2024
@jeremmfr jeremmfr self-assigned this Aug 29, 2024
jeremmfr added a commit that referenced this issue Aug 29, 2024
to disable decoding secret hashes by Junos device
when reading resource data
Fix #688
jeremmfr added a commit that referenced this issue Sep 2, 2024
to disable decoding secret $9$ hashes by Junos device
when reading resource data
Fix #688
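
Added example (not part of the issue thread and not the provider's code): since the thread notes that the `$9$` obfuscation is easily reversible, a `$9$` literal committed in a Terraform file exposes the secret much as a plain-text literal does. The Python check below scans Terraform text for secret-bearing attributes on `junos_*` resources and classifies each value. Assumptions: the `$1$`/`$5$`/`$6$` prefixes are treated as one-way crypt-style hashes, and the sample config, its values and `var.tacplus_secret` are constructed for illustration.

```python
import re

# "$9$" marks the reversible Junos obfuscation discussed in this thread;
# "$1$", "$5$", "$6$" are assumed here to be one-way crypt-style hashes.
REVERSIBLE = ("$9$",)
ONE_WAY = ("$1$", "$5$", "$6$")
SECRET_ATTRS = {"secret", "plain_text_password", "encrypted_password"}
RESOURCE_RE = re.compile(r'resource\s+"(junos_\w+)"\s+"([\w-]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

# Constructed sample (invented values, trimmed resources, hypothetical variable).
SAMPLE_TF = '''
resource "junos_system_tacplus_server" "a" {
  secret = "Constructed-Plain-1"
}
resource "junos_system_tacplus_server" "b" {
  secret = "$9$CONSTRUCTEDnotAREALvalue"
}
resource "junos_system_tacplus_server" "c" {
  secret = var.tacplus_secret
}
resource "junos_system_root_authentication" "root" {
  encrypted_password = "$6$constructedsalt$constructedhash"
}
'''

def classify(value):
    """Classify the right-hand side of a secret attribute."""
    if not (value.startswith('"') and value.endswith('"')) or "${" in value:
        return "reference"  # variable or interpolation, no literal on disk
    literal = value[1:-1]
    if literal.startswith(REVERSIBLE):
        return "reversible-literal"
    if literal.startswith(ONE_WAY):
        return "hash-literal"
    return "plaintext-literal"

def audit(tf_text):
    """Return (address, attribute, kind) for each secret-bearing attribute."""
    findings = []
    for rtype, name, body in RESOURCE_RE.findall(tf_text):
        for attr, value in ATTR_RE.findall(body):
            if attr in SECRET_ATTRS:
                findings.append((f"{rtype}.{name}", attr, classify(value)))
    return findings

def recoverable(findings):
    """Findings whose cleartext can be read or recovered from the file."""
    return [f for f in findings if f[2] in ("plaintext-literal", "reversible-literal")]
```

Run `recoverable(audit(text))` over each `.tf` file in a pre-commit or CI step; any hit is a secret that belongs in a variable fed from a secret store rather than in the file.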