hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_emr_cluster configurations_json hue-ini.bind_password stored as *******? #20611

Open marekaf opened 3 years ago

marekaf commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.39.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

Affected Resource(s)

Terraform Configuration Files

      {
        "Classification" : "hue-ini",
        "Properties" : {},
        "Configurations" : [
          {
            "Classification" : "desktop",
            "Properties" : {},
            "Configurations" : [
              {
                "Classification" : "ldap",
                "Properties" : {},
                "Configurations" : [
                  {
                    "Classification" : "ldap_servers",
                    "Properties" : {},
                    "Configurations" : [
                      {
                        "Classification" : "xyz",
                        "Properties" : {
                          "search_bind_authentication" : "true",
                          "base_dn" : "ou=acme,dc=acme,dc=local",
                          "ldap_username_pattern" : "CN=<username>,OU=acme Project,OU=Users,OU=acme,DC=acme,DC=local",
                          "ldap_url" : "ldap://someldap.org:389",
                          "bind_dn" : "CN=acme,OU=acme,OU=Users,DC=acme,DC=local",
                          "bind_password" : "${var.bind_password}"
                        }
                      }
                    ]
                  }
                ]
              },
              {
                "Classification" : "auth",
                "Properties" : {
                  "backend" : "desktop.auth.backend.LdapBackend"
                }
              }
            ]
          },
          {
            "Classification" : "beeswax",
            "Properties" : {
              "download_row_limit" : "1000000"
            }
          }
        ]
      },

  // triggers a change for this every time
  bind_password = jsondecode(data.aws_secretsmanager_secret_version.ldap.secret_string)["password"]

  //bind_password = sensitive("********")

If I set the password to ******** it says no changes. It seems like the password is internally (either in the AWS provider or actually in the EMR API) represented as those asterisks.

Debug Output

Panic Output

Expected Behavior

No changes. Your infrastructure matches the configuration.

Actual Behavior

  # module.emr.aws_emr_cluster.main[0] must be replaced
-/+ resource "aws_emr_cluster" "main" {
      ~ arn                               = "arn:aws:elasticmapreduce:eu-central-1:xyz:cluster/j-2M327SQ49FS10" -> (known after apply)
      ~ cluster_state                     = "WAITING" -> (known after apply)
      ~ configurations_json               = (sensitive) # forces replacement

Steps to Reproduce

  1. terraform apply

Important Factoids

References

foxlzl commented 1 year ago

Any update on this bug? It's still there and causing forced cluster redeployment.

ewbankkit commented 7 months ago

Relates https://github.com/hashicorp/terraform-provider-aws/issues/12683.
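
Added example, not part of the issue thread or the provider's code: a Python check that walks two nested `configurations_json` documents and separates properties that differ only because the read-back value is a run of asterisks from properties that genuinely drifted. It assumes, as the reporter suspects, that the value read back for `bind_password` is a string of asterisks; `classify_drift`, `flatten`, `sample` and the sample values are hypothetical names and constructed data.

```python
import json
import re

# Assumption: a masked read-back value consists only of asterisks.
MASK = re.compile(r"^\*+$")

def flatten(configs, path=()):
    """Yield (path tuple, value) for every property in nested EMR configurations."""
    for cfg in configs:
        here = path + (cfg.get("Classification", ""),)
        for key, value in (cfg.get("Properties") or {}).items():
            yield here + (key,), value
        yield from flatten(cfg.get("Configurations") or [], here)

def classify_drift(declared_json, remote_json):
    """Return (masked_only, real_drift) lists of property paths that differ."""
    declared = dict(flatten(json.loads(declared_json)))
    remote = dict(flatten(json.loads(remote_json)))
    masked_only, real_drift = [], []
    for key in sorted(set(declared) | set(remote)):
        want, have = declared.get(key), remote.get(key)
        if want == have:
            continue
        is_mask = want is not None and isinstance(have, str) and MASK.match(have)
        (masked_only if is_mask else real_drift).append("/".join(key))
    return masked_only, real_drift

def sample(bind_password, row_limit="1000000"):
    """Constructed sample shaped like the configuration in the report."""
    return json.dumps([{
        "Classification": "hue-ini", "Properties": {},
        "Configurations": [
            {"Classification": "desktop", "Properties": {}, "Configurations": [
                {"Classification": "ldap", "Properties": {}, "Configurations": [
                    {"Classification": "ldap_servers", "Properties": {}, "Configurations": [
                        {"Classification": "xyz",
                         "Properties": {"bind_password": bind_password}}]}]}]},
            {"Classification": "beeswax",
             "Properties": {"download_row_limit": row_limit}},
        ],
    }])

if __name__ == "__main__":
    declared = sample("constructed-example-secret")  # constructed, not a real secret
    remote = sample("********")                      # assumed masked read-back
    print(classify_drift(declared, remote))
```

A non-empty first list with an empty second list means the planned replacement comes only from the masked secret, not from a real configuration change.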