Open lesinigo opened 1 year ago
I'm seeing this issue - it looks like the cause lies somewhere on the AWS side.
I performed a test where I created an Amplify branch with the basic creds base64encode("username:password") which should encode to dXNlcm5hbWU6cGFzc3dvcmQ=, then got the branch details using the CLI to check the value, which came back as dXNlcm5hbWU6TmQxQjU3Lzh3YkJnY1BGTVNpNUR5QT09fHxLVXVJSS9RY3RicVlaSk8rZE9FaW1hWlQ5S0s4SVFMWlR3dldlaG5pcmU4PQ== which decodes to username:Nd1B57/8wbBgcPFMSi5DyA==||KUuII/QctbqYZJO+dOEimaZT9KK8IQLZTwvWehnire8=. Logging in with username:password still works, so it looks like AWS hashes the password again before storing it. I'll confirm with AWS Support.
@srgustafson8 Did you receive any confirmation from AWS support?
Not yet, but thank you for the reminder to chase them!
+1 this is pretty annoying
Just found an update buried in my inbox:
Kindly note that I have received an update from the team. They have confirmed that the decoded password we are seeing is the encrypted value and that AWS does not store unencrypted credentials anywhere, and hence it is not possible to fetch the same using any API calls.
May need to suppress the diff in Terraform or do something else; using the output of this field elsewhere (e.g. CloudFront) results in a failure as the credentials are different. At minimum a documentation update is required, I think.
We don't need to fetch the actual password value from AWS, we just need to store their encrypted version (or even a hash of it) to check for changes. If it stays the same as we got during an apply run we should be sure that it hasn't changed.
But I'm not familiar with the internals of Terraform and/or of the AWS provider so I don't know if and how this would actually be possible.
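The decoding test and the stored-fingerprint idea from the comments above, as an added Python example (not part of the thread and not the AWS provider's code): it decodes the two values quoted above, shows that only the secret part differs, and sketches a drift check against a fingerprint recorded at apply time. The function names are hypothetical, and the drift check assumes the API returns the same stored value on every read, which the thread does not confirm.

```python
import base64
import hashlib
import hmac

# Values quoted in the comment above: what was configured vs. what the API returned.
CONFIGURED = "dXNlcm5hbWU6cGFzc3dvcmQ="
RETURNED = "dXNlcm5hbWU6TmQxQjU3Lzh3YkJnY1BGTVNpNUR5QT09fHxLVXVJSS9RY3RicVlaSk8rZE9FaW1hWlQ5S0s4SVFMWlR3dldlaG5pcmU4PQ=="


def split_credentials(value_b64):
    """Decode a basic_auth_credentials value into (username, secret)."""
    decoded = base64.b64decode(value_b64, validate=True).decode("utf-8")
    username, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("decoded value is not in user:secret form")
    return username, secret


def opaque_segment_lengths(secret):
    """Byte lengths of the two '||'-separated base64 segments, or None when
    the secret does not have the shape seen in the returned value."""
    parts = secret.split("||")
    if len(parts) != 2:
        return None
    try:
        return [len(base64.b64decode(p, validate=True)) for p in parts]
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def fingerprint(value_b64):
    """SHA-256 of the value exactly as the API returned it."""
    return hashlib.sha256(value_b64.encode("ascii")).hexdigest()


def has_drifted(recorded_fingerprint, current_b64):
    """Hypothetical drift check: compare the current API value against the
    fingerprint recorded at apply time (assumes the stored value is stable)."""
    return not hmac.compare_digest(recorded_fingerprint, fingerprint(current_b64))


if __name__ == "__main__":
    for label, value in (("configured", CONFIGURED), ("returned", RETURNED)):
        user, secret = split_credentials(value)
        print(label, user, opaque_segment_lengths(secret))
```
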
Terraform Core Version
1.3.7
AWS Provider Version
4.52.0
Affected Resource(s)
aws_amplify_branch
Expected Behavior
When I set a value for basic_auth_credentials and I never change it, Terraform shouldn't report it as update-in-place in plans.
Actual Behavior
At every terraform plan / apply, the basic_auth_credentials attribute of aws_amplify_branch is always marked as update in-place
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Create an Amplify app using the code above
Debug Output
No response
Panic Output
No response
Important Factoids
As shown in the example above, we have an aws_amplify_app with two aws_amplify_branch, a production one without basic auth and a staging one with basic auth.
Terraform always reports the basic_auth_credentials as update in place, even if they do not actually change, even if I hardcode a string instead of using the base64encode() function.
References
No response
Would you like to implement a fix?
None