Dont allow password change via tf apply

CHANGELOG.md

@@ -1,6 +1,18 @@
+## 1.0.0 (Unreleased)
+
+We are bumping the version of the Boundary Terraform provider to v1.0.0 and will release new versions of the provider at its own cadence instead of keeping it in lockstep with Boundary.
+
+### Bug Fixes
+
+* During `terraform apply`, do not update existing user account passwords when the password field is updated in the tf file.
+  ([Issue](https://github.com/hashicorp/terraform-provider-boundary/issues/71))
+  ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/70))
+
 ## 0.1.4 (January 14, 2021)
 
-Boundary 0.1.4 release ([see boundary changelog](https://github.com/hashicorp/boundary/blob/main/CHANGELOG.md#014-20210105))
+### New and Improved
+
+Update to the Boundary Go SDK v0.0.3
 
 ## 0.1.0 (October 14, 2020)
 

docs/resources/account.md

@@ -47,7 +47,7 @@ resource "boundary_account" "jeff" {
 - **description** (String) The account description.
 - **login_name** (String) The login name for this account.
 - **name** (String) The account name. Defaults to the resource name.
-- **password** (String) The account password.
+- **password** (String) The account password. Only set on create, changes will not be reflected when updating account.
 
 ### Read-only
 

internal/provider/resource_account.go

@@ -62,9 +62,16 @@ func resourceAccount() *schema.Resource {
 				Optional:    true,
 			},
 			accountPasswordKey: {
-				Description: "The account password.",
+				Description: "The account password. Only set on create, changes will not be reflected when updating account.",
 				Type:        schema.TypeString,
 				Optional:    true,
+				DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+					if d.Id() == "" {
+						// This is a new resource do not suppress password diff
+						return false
+					}
+					return true
+				},
 			},
 		},
 	}
@@ -222,22 +229,6 @@ func resourceAccountUpdate(ctx context.Context, d *schema.ResourceData, meta int
 		}
 	}
 
-	var password *string
-	if d.HasChange(accountPasswordKey) {
-		switch d.Get(TypeKey).(string) {
-		case accountTypePassword:
-			opts = append(opts, accounts.DefaultPasswordAccountPassword())
-			keyVal, ok := d.GetOk(accountPasswordKey)
-			if ok {
-				keyStr := keyVal.(string)
-				password = &keyStr
-				opts = append(opts, accounts.WithPasswordAccountPassword(keyStr))
-			}
-		default:
-			return diag.Errorf(`"password" cannot be used with this type of account`)
-		}
-	}
-
 	if len(opts) > 0 {
 		opts = append(opts, accounts.WithAutomaticVersioning(true))
 		_, err := aClient.Update(ctx, d.Id(), 0, opts...)
@@ -255,9 +246,6 @@ func resourceAccountUpdate(ctx context.Context, d *schema.ResourceData, meta int
 	if d.HasChange(accountLoginNameKey) {
 		d.Set(accountLoginNameKey, loginName)
 	}
-	if d.HasChange(accountPasswordKey) {
-		d.Set(accountPasswordKey, password)
-	}
 
 	return nil
 }