hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: changing redshift master password after restoring does nothing #27549

Open jurgen-weber-deltatre opened 1 year ago

jurgen-weber-deltatre commented 1 year ago

Terraform Core Version

1.3.3

AWS Provider Version

4.37.0

Affected Resource(s)

Our aws_redshift_cluster was originally migrated from a snapshot, so snapshot_identifier was set. After the restoration had been completed we then removed this setting so it does not restore on every plan/apply.

Now at the same time, the master_username and master_password were set, but as the documentation says it is ignored or not required when you are restoring.

Now I wish to rotate the password, this does nothing. I know the password has changed because other resources related to it are changing/updating but on a plan no change happens to the aws_redshift_cluster resource.

If I change the username, the AWS API seems to want to recreate the whole thing. Which of course I don't want; I don't want to recreate my redshift cluster. I just want to change the master password.

Expected Behavior

An 'update in place' action to happen on the aws_redshift_cluster resource.

Actual Behavior

Nothing, absolutely nothing happens even though the master_password has changed.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files


```terraform
# The opening line of the module block is missing from the post;
# the label "redshift" is a placeholder.
module "redshift" {
  source              = "terraform-aws-modules/redshift/aws"

  iam_role_arns       = [
    aws_iam_role.redshift_service.arn
  ]
  database_name       = var.redshift_cluster_database_name
  cluster_identifier  = var.name
  node_type           = local.config_tier["redshift_cluster_node_type"][var.config_tier]
  master_password     = local.admin_password_selector
  master_username     = var.redshift_cluster_master_username
  number_of_nodes     = local.config_tier["redshift_cluster_number_of_nodes"][var.config_tier]
  cluster_version     = var.redshift_cluster_version
  create_random_password = false
  logging             = {
    enable            = local.config_tier["enable_logging"][var.config_tier]
    bucket_name       = local.config_tier["enable_logging"][var.config_tier] == "true" ? aws_s3_bucket.logs.bucket : null
  }

  enhanced_vpc_routing = true

  # KMS Key
  encrypted            = local.config_tier["encrypted"][var.config_tier]
  kms_key_arn          = local.config_tier["encrypted"][var.config_tier] == "true" ? data.aws_kms_key.default_redshift.arn : ""

  # maintenance window
  preferred_maintenance_window = var.redshift_maintenance_window

  # snapshot
  automated_snapshot_retention_period = 7
  final_snapshot_identifier = "final-snapshot-${var.name}"

  # restore from snapshot
  snapshot_identifier         = var.redshift_snapshot_identifier
  snapshot_cluster_identifier = var.redshift_snapshot_cluster_identifier
  owner_account               = var.redshift_snapshot_owner

  subnet_ids           = var.redshift_subnets
  tags                 = local.tags
  vpc_security_group_ids  = [
    aws_security_group.redshift.id
  ]
  parameter_group_name = "batch-pipeline-${terraform.workspace}-redshift-1-0-custom-params"
  parameter_group_parameters = {
    wlm_json_configuration = {
      name = "wlm_json_configuration"
      value  = jsonencode([
        {
          query_concurrency: 5
        }
      ])
    }
    require_ssl = {
      name  = "require_ssl"
      value = false
    }
    use_fips_ssl = {
      name  = "use_fips_ssl"
      value = false
    }
    enable_user_activity_logging = {
      name  = "enable_user_activity_logging"
      value = false
    }
    max_concurrency_scaling_clusters = {
      name  = "max_concurrency_scaling_clusters"
      value = 1
    }
    enable_case_sensitive_identifier = {
      name  = "enable_case_sensitive_identifier"
      value = false
    }
  }
}
```

Steps to Reproduce

Restore a cluster from a snapshot, then attempt to change the master_password.

Debug Output

No response

Panic Output

No response

Important Factoids

The original restore happened over a year ago, so I cannot really tell what version of TF or the provider it was restored under.

I also tried removing the resource from the state and importing again, with the same result.

References

No response

Would you like to implement a fix?

No response
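
The report above distinguishes three plan outcomes for the cluster during a password rotation: the expected update in place, the observed no-op, and the replacement triggered by changing the username. As an added example (not from the issue or the provider), this sketch reads the JSON produced by `terraform show -json <planfile>` and fails when a requested rotation would be silently skipped or would recreate the cluster; the sample plan, resource addresses and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses and the module label are hypothetical, not taken from the issue.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "module.redshift.aws_redshift_cluster.this[0]",
         "type": "aws_redshift_cluster",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_secretsmanager_secret_version.redshift_admin",
         "type": "aws_secretsmanager_secret_version",
         "change": {"actions": ["delete", "create"]}},
    ]
})


def classify(actions):
    """Map a plan action list to what it means for a password rotation."""
    if actions == ["update"]:
        return "update-in-place"
    if "create" in actions and "delete" in actions:
        return "replacement"          # destroys and recreates the cluster
    if actions == ["no-op"]:
        return "no-op"                # rotation would not reach the cluster
    return "other:" + ",".join(actions)


def rotation_verdicts(plan_json, resource_type="aws_redshift_cluster"):
    """Return {address: verdict} for every resource of the given type."""
    plan = json.loads(plan_json)
    return {
        rc["address"]: classify(rc["change"]["actions"])
        for rc in plan.get("resource_changes", [])
        if rc.get("type") == resource_type
    }


def rotation_gate(plan_json):
    """Return (ok, problems); ok only if every cluster is updated in place.

    An "update" action does not prove master_password is the attribute that
    changes, so treat a pass as necessary rather than sufficient.
    """
    verdicts = rotation_verdicts(plan_json)
    problems = [f"{addr}: {v}" for addr, v in sorted(verdicts.items())
                if v != "update-in-place"]
    if not verdicts:
        problems.append("no aws_redshift_cluster in plan")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = rotation_gate(SAMPLE_PLAN)
    print("rotation planned" if ok else f"rotation NOT planned: {problems}")
```

Run as a CI step only on changes that are meant to rotate the master password, so that an unchanged cluster on ordinary plans does not fail the build.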

cjol commented 1 year ago

I think we are suffering from this bug, but our Redshift cluster was not restored at all. It's been created under Terraform control from the start, but changing the master_password parameter similarly does nothing.

Latyn4ik commented 1 year ago

Also faced this problem, this bug destroys the whole process of deploying new infrastructure

Terraform v1.5.5 on linux_amd64

Latyn4ik commented 1 year ago

Hi @jurgen-weber-deltatre, did you find a workaround for this problem?

RuStyC0der commented 1 year ago

Also faced this issue recently and it blocks a big piece of my work. Is there any workaround? Also, if there is something I can do to help resolve this issue, please ping me.