Terraform - iosxe provider - WLAN psk problems

hexabyte8
Level 1

Hello all,

I am working on utilizing Terraform to manage our 9800 WLCs.

So far everything with the ios-xe provider has worked well, though for most of our wireless settings, we have to use the restconf module from the provider to accomplish the intended management of resources.

A wall we've hit is with WLANs that require a psk.

When we go to apply the configuration, the WLC automatically sets the plain text password to AES encrypted, which of course is the intended functionality with PSKs.

This causes a problem for Terraform though, as when we go to apply a different change, the WLC now responds with the AES encrypted string, while Terraform is expecting the plain text password.

Has anyone run into this? What solutions do you have? I'm pasting the pseudo-code below and am open to suggestions.

resource "iosxe_restconf" "wlan-config" {
  path     = "Cisco-IOS-XE-wireless-wlan-cfg:wlan-cfg-data/wlan-cfg-entries"
  for_each = toset([for wlc in local.wlcs : wlc.name])
  device   = each.key
  lists = [{
    name = "wlan-cfg-entry"
    key  = "profile-name"
    items = [
      {
        "profile-name"                   = "test-wlan"
        "wlan-id"                        = 1
        "wep-key-index"                  = 1
        "auth-key-mgmt-psk"              = true
        "auth-key-mgmt-dot1x"            = false
        "security-wpa"                   = true
        "psk"                            = "mypasswordhere"
        "psk-type"                       = "clear"
        "psk-key-type"                   = "key-ascii"
        "wpa2-enabled"                   = true
        "wpa2-aes"                       = true
        "mac-filtering-list"             = "default"
        "authentication-list"            = "default"
        "apf-vap-id-data/broadcast-ssid" = false
        "apf-vap-id-data/ccx-aironet-ie" = true
        "apf-vap-id-data/ssid"           = "test-wlan"

      }
    ]
  }]
}

Accepted Solutions

I saw this type of issue before. The best practice suggests telling TF to ignore changes to the PSK field after initial creation; however, if you do need to change this, TF will not detect the change because it is now configured to ignore it.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Do you happen to have the link where this is described as best practice? It's interesting I haven't seen a better way to handle this situation other than what you've described.

Mostly here: https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle. The ignore changes part, I guess, is the best method to handle this sort of thing. I have seen some other workarounds (would need to look more at these to remind my old brain!), but the ignore changes is a pragmatic solution here imo.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io