hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_cognito_user_pool_client.generate_secret is not imported #20298

Open sergei-ivanov opened 3 years ago

sergei-ivanov commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.11
+ provider registry.terraform.io/hashicorp/aws v3.50.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_cognito_user_pool_client" "admin" {
  generate_secret                      = false
  # ... other attributes
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

When running terraform import for the aws_cognito_user_pool_client resource, the generate_secret attribute should be initialised in the state.

Actual Behavior

Upon import, generate_secret is null in the state. As a result, subsequent changes to the pool trigger resource replacement:

  # aws_cognito_user_pool_client.phoenix_admin[0] must be replaced
-/+ resource "aws_cognito_user_pool_client" "admin" {
      ~ callback_urls                        = [
          + "https://admin.test2.test/signin-oidc",
            # (3 unchanged elements hidden)
        ]
      + client_secret                        = (sensitive value)
      + generate_secret                      = false # forces replacement

Manually editing the state and setting generate_secret to false fixes the plan drift.

Steps to Reproduce

  1. Import an existing resource into the state:
    terraform import 'aws_cognito_user_pool_client.admin' eu-west-2_20fjeYwkA/79pauio5h0m776543sum1rhak1
  2. Change one of the attributes, e.g. callback_urls.
  3. Run terraform plan

The plan suggests a forced replacement.

sergei-ivanov commented 3 years ago

I realise that generate_secret is only relevant on resource creation, and that changing it in terraform configuration should trigger a resource recreation.

However, once a resource has been created, there will be a client_secret value there. That value will be non-empty if the secret was generated and empty if the secret was not generated. Therefore from the presence or absence of non-empty client_secret we can deduce the value of generate_secret flag.

So perhaps a simple fix might be to add a check after this line: https://github.com/hashicorp/terraform-provider-aws/blob/f9743a331518d27998037de918b1b769eb11a27c/aws/resource_aws_cognito_user_pool_client.go#L366

Something like this:

    d.Set("generate_secret", aws.StringValue(userPoolClient.ClientSecret) != "")
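The manual state edit mentioned under Actual Behavior and the inference rule proposed in the comment above (non-empty client_secret means generate_secret was true) can be combined into a repeatable workaround. The script below is an added example, not code from the issue or from the provider: it takes the JSON that terraform state pull writes, backfills generate_secret only on aws_cognito_user_pool_client instances where it is null, and bumps the serial so terraform state push accepts the result. The v4 state layout, the file names and the sample state (SAMPLE_STATE, with made-up identifiers and secret) are assumptions for the example.

```python
#!/usr/bin/env python3
"""Added example (not from the issue or the provider): backfill generate_secret
in a pulled Terraform state using the inference rule proposed in the issue."""
import copy
import json
import sys

RESOURCE_TYPE = "aws_cognito_user_pool_client"


def infer_generate_secret(attributes):
    """A non-empty client_secret means Cognito generated a secret at creation
    (generate_secret = true); an empty or missing one means it did not."""
    return bool(attributes.get("client_secret"))


def patch_state(state):
    """Return a patched copy of a v4 state document plus the number of
    instances changed. Instances that already carry a generate_secret value
    are left alone; the serial is bumped only if something changed, because
    `terraform state push` refuses a state whose serial is lower than the
    remote one."""
    patched = copy.deepcopy(state)
    changed = 0
    for resource in patched.get("resources", []):
        if resource.get("type") != RESOURCE_TYPE:
            continue
        for instance in resource.get("instances", []):
            attrs = instance.setdefault("attributes", {})
            if attrs.get("generate_secret") is not None:
                continue
            attrs["generate_secret"] = infer_generate_secret(attrs)
            changed += 1
    if changed:
        patched["serial"] = patched.get("serial", 0) + 1
    return patched, changed


# Constructed sample mirroring what `terraform state pull` returns after an
# import hit the bug: generate_secret is null while client_secret reveals the
# truth. Identifiers, lineage and the secret value are made up.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "0.14.11",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "resources": [
        {"mode": "managed", "type": RESOURCE_TYPE, "name": "admin",
         "instances": [{"attributes": {
             "id": "example-client-id-1",
             "client_secret": "",          # imported, no secret
             "generate_secret": None}}]},
        {"mode": "managed", "type": RESOURCE_TYPE, "name": "api",
         "instances": [{"attributes": {
             "id": "example-client-id-2",
             "client_secret": "example-secret-value",  # imported, has secret
             "generate_secret": None}}]},
        {"mode": "managed", "type": RESOURCE_TYPE, "name": "already_ok",
         "instances": [{"attributes": {
             "id": "example-client-id-3",
             "client_secret": "",
             "generate_secret": False}}]},  # created by Terraform, untouched
        {"mode": "managed", "type": "aws_cognito_user_pool", "name": "pool",
         "instances": [{"attributes": {"id": "example-pool-id"}}]},
    ],
}


def main(argv):
    """Usage: terraform state pull > state.json
              python fix_state.py state.json > patched.json
              terraform state push patched.json"""
    with open(argv[1]) as fh:
        state = json.load(fh)
    patched, changed = patch_state(state)
    json.dump(patched, sys.stdout, indent=2)
    print()
    print(f"patched {changed} instance(s)", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Two practical notes. The pulled state carries every client_secret in plaintext, so treat state.json and patched.json as secrets and delete them once the push succeeds. And the script only removes the spurious diff: if the configuration says generate_secret = true but the imported client has no secret (or the reverse), the plan will still force replacement, and in that case the replacement is correct rather than a symptom of this bug.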

womblep commented 1 year ago

Same behavior with Terraform v1.1.2 and aws provider v4.36.1

pratyakshs commented 1 year ago

Any update on this issue? Still running into this with Terraform v1.3.6 and aws provider v4.46.0

yair-sedaka-dt commented 1 year ago

Any update? As a temporary workaround, I use the lifecycle option "ignore_changes".

terryxychan commented 1 year ago

Are there any updates? This is still an issue for TF v0.13.4 and aws provider v4.0

SC-gh-admin commented 11 months ago

In my case, I got around this by ignoring generate_secret on my already existing user_pool_client.

resource "aws_cognito_user_pool_client" "pool" {
  ...
  lifecycle {
    ignore_changes = [generate_secret]
  }
}