hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_amplify_branch basic_auth_credentials always reported as update-in-place #29200

Open lesinigo opened 1 year ago

lesinigo commented 1 year ago

Terraform Core Version

1.3.7

AWS Provider Version

4.52.0

Affected Resource(s)

aws_amplify_branch

Expected Behavior

When I set a value for basic_auth_credentials and I never change it, Terraform shouldn't report it as update-in-place in plans.

Actual Behavior

At every terraform plan / apply, the basic_auth_credentials attribute of aws_amplify_branch is always marked as update in-place.

Relevant Error/Panic Output Snippet

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_amplify_branch.xxxxxxxxxxxxx_staging will be updated in-place
  ~ resource "aws_amplify_branch" "xxxxxxxxxxxxx_staging" {
      ~ basic_auth_credentials      = (sensitive value)
        id                          = "xxxxxxxxxxxxxx/staging"
        tags                        = {
            "mytag" = "myvalue"
        }
        # (16 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform Configuration Files

resource "aws_amplify_app" "xxxxxxxxxxxxx" {
  name                        = "xxxxxxxxxxxxx"
  iam_service_role_arn        = aws_iam_role.xxxxxxxxxxxxx.arn
  repository                  = aws_codecommit_repository.xxxxxxxxxxxxx.clone_url_http
  enable_auto_branch_creation = false
  build_spec                  = "stuff..."
  custom_rule { [....] }
  custom_rule { [....] }
  tags = local.mytags
}

resource "aws_amplify_branch" "xxxxxxxxxxxxx_master" {
  app_id            = aws_amplify_app.xxxxxxxxxxxxx.id
  branch_name       = "master"
  description       = "Production branch for xxxxxxxxxxxxx website"
  stage             = "PRODUCTION"
  enable_basic_auth = false
  tags              = local.xxxxxxxxxxxxx_tags
}

resource "aws_amplify_branch" "xxxxxxxxxxxxx_staging" {
  app_id                 = aws_amplify_app.xxxxxxxxxxxxx.id
  branch_name            = "staging"
  description            = "Staging branch for xxxxxxxxxxxxx website"
  stage                  = "BETA"
  enable_basic_auth      = true
  basic_auth_credentials = base64encode("user:pass") # I've also tried hardcoding "dXNlcjpwYXNz"
  tags                   = local.xxxxxxxxxxxxx_tags
}

Steps to Reproduce

Create an Amplify app using the code above

Debug Output

No response

Panic Output

No response

Important Factoids

As shown in the example above, we have an aws_amplify_app with two aws_amplify_branch, a production one without basic auth and a staging one with basic auth.

Terraform always reports the basic_auth_credentials as update in place, even if they do not actually change, even if I hardcode a string instead of using the base64encode() function.

References

No response

Would you like to implement a fix?

None


srgustafson8 commented 1 year ago

I'm seeing this issue - it looks like the cause lies somewhere on the AWS side.

I performed a test where I created an Amplify branch with the basic creds base64encode("username:password") which should encode to dXNlcm5hbWU6cGFzc3dvcmQ=, then got the branch details using the CLI to check the value, which came back as dXNlcm5hbWU6TmQxQjU3Lzh3YkJnY1BGTVNpNUR5QT09fHxLVXVJSS9RY3RicVlaSk8rZE9FaW1hWlQ5S0s4SVFMWlR3dldlaG5pcmU4PQ== which decodes to username:Nd1B57/8wbBgcPFMSi5DyA==||KUuII/QctbqYZJO+dOEimaZT9KK8IQLZTwvWehnire8=. Logging in with username:password still works, so it looks like AWS hashes the password again before storing it. I'll confirm with AWS Support.

MauroSoli commented 1 year ago

@srgustafson8 Did you receive any confirmation from AWS support?

srgustafson8 commented 1 year ago

@srgustafson8 Did you receive any confirmation from AWS support?

Not yet, but thank you for the reminder to chase them!

andraspatka-dev commented 1 year ago

+1 this is pretty annoying

srgustafson8 commented 1 year ago

Just found an update buried in my inbox:

Kindly note that I have received an update from the team. They have confirmed that the decoded password we are seeing is the encrypted value and that AWS does not store unencrypted credentials anywhere, and hence it is not possible to fetch the same using any API calls.

May need to suppress the diff in terraform or do something else, using the output of this field elsewhere (e.g. CloudFront) results in a failure as the credentials are different. At minimum a documentation update is required I think

lesinigo commented 12 months ago

We don't need to fetch the actual password value from AWS, we just need to store their encrypted version (or even a hash of it) to check for changes. If it stays the same as we got during an apply run we should be sure that it hasn't changed.

But I'm not familiar with the internals of Terraform and/or of the AWS provider so I don't know if and how this would actually be possible.
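The change-detection idea lesinigo sketches above, written out as an added Go example (not code from the provider): at apply time it records the ciphertext AWS returned together with a hash of the configured value, so a later plan can tell "nothing changed" apart from a config edit or out-of-band drift, using the two values from srgustafson8's CLI test. The AppliedRecord shape and the function names are assumptions, not the provider's schema.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Values from srgustafson8's experiment above: the configured base64("username:password")
// and what the Amplify API returned for the same branch (password part re-encrypted by AWS).
const (
	Configured = "dXNlcm5hbWU6cGFzc3dvcmQ="
	APIValue   = "dXNlcm5hbWU6TmQxQjU3Lzh3YkJnY1BGTVNpNUR5QT09fHxLVXVJSS9RY3RicVlaSk8rZE9FaW1hWlQ5S0s4SVFMWlR3dldlaG5pcmU4PQ=="
)

// AppliedRecord is what a provider could persist at apply time (an assumption, not the
// provider's current schema): the API-returned ciphertext plus a hash of the configured value.
type AppliedRecord struct {
	APIValue   string   // base64 "user:<ciphertext>" as returned by the API
	ConfigHash [32]byte // SHA-256 of the configured base64 "user:pass"
}

// Record captures both values right after a successful apply.
func Record(configured, apiValue string) AppliedRecord {
	return AppliedRecord{APIValue: apiValue, ConfigHash: sha256.Sum256([]byte(configured))}
}

// Username is the only part that survives AWS's re-encryption; matching usernames alone
// cannot prove the password is unchanged.
func Username(b64 string) string {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return ""
	}
	user, _, _ := strings.Cut(string(raw), ":")
	return user
}

// NeedsUpdate decides whether the plan should show basic_auth_credentials as changing:
// a config edit shows up via the hash, out-of-band drift on AWS via the returned ciphertext.
func NeedsUpdate(configured, apiValue string, rec AppliedRecord) bool {
	return sha256.Sum256([]byte(configured)) != rec.ConfigHash || apiValue != rec.APIValue
}

func main() {
	rec := Record(Configured, APIValue)
	fmt.Println("naive compare differs:", Configured != APIValue) // the spurious diff
	fmt.Println("needs update:", NeedsUpdate(Configured, APIValue, rec))
}
```

A plain string comparison of the configured value against the API value reports a change on every run; comparing both against what was recorded at the last apply does not, while a new password in the configuration or a credential changed outside Terraform still produces a diff.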