From 422fa319eff0fb2afd7ff6d69d76be13fd811bef Mon Sep 17 00:00:00 2001
From: Achim Christ <achim.christ@sva.de>
Date: Mon, 19 May 2025 15:09:26 +0200
Subject: [PATCH 1/3] fix: use bool pointer type for 'locked' attribute, to
 allow for explicitly setting it to false

Signed-off-by: Achim Christ <achim.christ@sva.de>
---
 internal/interfaces/security_account.go                 | 4 ++--
 internal/provider/security/security_account_resource.go | 9 +++------
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/internal/interfaces/security_account.go b/internal/interfaces/security_account.go
index 421fc61e..c580d82f 100644
--- a/internal/interfaces/security_account.go
+++ b/internal/interfaces/security_account.go
@@ -17,7 +17,7 @@ type SecurityAccountResourceBodyDataModelONTAP struct {
 	Role         SecurityAccountRole      `mapstructure:"role,omitempty"`
 	Password     string                   `mapstructure:"password,omitempty"`
 	Comment      string                   `mapstructure:"comment,omitempty"`
-	Locked       bool                     `mapstructure:"locked,omitempty"`
+	Locked       *bool                    `mapstructure:"locked,omitempty"`
 }
 
 // SecurityAccountGetDataModelONTAP describes the GET record data model using go types for mapping.
@@ -38,7 +38,7 @@ type SecurityAccountResourceUpdateBodyDataModelONTAP struct {
 	Role     SecurityAccountRole `mapstructure:"role,omitempty"`
 	Password string              `mapstructure:"password,omitempty"`
 	Comment  string              `mapstructure:"comment,omitempty"`
-	Locked   bool                `mapstructure:"locked,omitempty"`
+	Locked   *bool               `mapstructure:"locked,omitempty"`
 }
 
 // SecurityAccountApplication describes the application data model using go types for mapping.
diff --git a/internal/provider/security/security_account_resource.go b/internal/provider/security/security_account_resource.go
index 478ffc2d..9ea2e59d 100644
--- a/internal/provider/security/security_account_resource.go
+++ b/internal/provider/security/security_account_resource.go
@@ -9,8 +9,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
-	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
-	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
@@ -166,8 +164,6 @@ func (r *SecurityAccountResource) Schema(ctx context.Context, req resource.Schem
 				MarkdownDescription: "Account locked",
 				Optional:            true,
 				Computed:            true,
-				Default:             booldefault.StaticBool(false),
-				PlanModifiers:       []planmodifier.Bool{boolplanmodifier.UseStateForUnknown()},
 			},
 			"id": schema.StringAttribute{
 				MarkdownDescription: "SecurityAccount id",
@@ -346,7 +342,7 @@ func (r *SecurityAccountResource) Create(ctx context.Context, req resource.Creat
 		body.Comment = data.Comment.ValueString()
 	}
 	if !data.Locked.IsNull() {
-		body.Locked = data.Locked.ValueBool()
+		body.Locked = data.Locked.ValueBoolPointer()
 	}
 
 	client, err := connection.GetRestClient(errorHandler, r.config, data.CxProfileName)
@@ -410,6 +406,7 @@ func (r *SecurityAccountResource) Create(ctx context.Context, req resource.Creat
 
 	data.ID = types.StringValue(resource.Name)
 	data.OwnerID = types.StringValue(resource.Owner.UUID)
+	data.Locked = types.BoolValue(resource.Locked)
 
 	tflog.Trace(ctx, "created a resource")
 
@@ -472,7 +469,7 @@ func (r *SecurityAccountResource) Update(ctx context.Context, req resource.Updat
 
 	// locked update
 	if !plan.Locked.IsNull() {
-		request.Locked = plan.Locked.ValueBool()
+		request.Locked = plan.Locked.ValueBoolPointer()
 	}
 
 	// comment update

From 0ba33c6f113cf106052d581f0bd570f0187f30b9 Mon Sep 17 00:00:00 2001
From: Achim Christ <achim.christ@sva.de>
Date: Mon, 19 May 2025 13:20:28 +0000
Subject: [PATCH 2/3] feat: add account unlocking to ACC tests

Signed-off-by: Achim Christ <achim.christ@sva.de>
---
 .../security/security_account_resource_test.go     | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/internal/provider/security/security_account_resource_test.go b/internal/provider/security/security_account_resource_test.go
index 776b7b99..0ef6e1c0 100644
--- a/internal/provider/security/security_account_resource_test.go
+++ b/internal/provider/security/security_account_resource_test.go
@@ -20,17 +20,27 @@ func TestAccSecurityAccountResource(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "name", "tf_acc_test"),
 					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "password", "password123"),
+					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "locked", "false"),
 				),
 			},
 			// Test updating a resource with comment and locked
 			{
-				Config: testAccSecurityAccountResourceConfig("tf_acc_test", "update", true),
+				Config: testAccSecurityAccountResourceConfig("tf_acc_test", "locked", true),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "name", "tf_acc_test"),
-					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "comment", "update"),
+					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "comment", "locked"),
 					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "locked", "true"),
 				),
 			},
+			// Test updating a resource with comment and unlocked
+			{
+				Config: testAccSecurityAccountResourceConfig("tf_acc_test", "unlocked", false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "name", "tf_acc_test"),
+					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "comment", "unlocked"),
+					resource.TestCheckResourceAttr("netapp-ontap_security_account.security_account", "locked", "false"),
+				),
+			},
 			// Test updating a resource with application and secondAuthenticationMethod
 			{
 				Config: testAccSecurityAccountResourceConfigUpdateAndCheckIdempotency("tf_acc_test"),

From 6f631cd248faca3e9681844ce12549f3773be675 Mon Sep 17 00:00:00 2001
From: Achim Christ <achim.christ@sva.de>
Date: Mon, 19 May 2025 13:36:44 +0000
Subject: [PATCH 3/3] chore: update changelog

Signed-off-by: Achim Christ <achim.christ@sva.de>
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00ceba0d..254d2acb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ DOCUMENTATION:
 
 - Corrected `aws` to `aws_lambda` in provider config.
 
+BUG FIXES:
+
+- **netapp-ontap_security_account**: unable to unlock existing `security_account` resource ([#499](https://github.com/NetApp/terraform-provider-netapp-ontap/issues/499))
 
 # 2.2.0 (2025-05-01)