[Bug]: NoEcho Cloudformation Parameter gets overwritten with '****'

[jstarktb]

Terraform Core Version

1.3.8

AWS Provider Version

4.54.0

Affected Resource(s)

aws_cloudformation_stack

Expected Behavior

Creating a aws_cloudformation_stack once and not having it show up in a plan until you actually change something about it.

Actual Behavior

If you have a parameter with NoEcho: true, it will detect changes in every plan to overwrite the value of that parameter. The workaround we adopted for that was to include lifecycle policy to ignore changes to parameters. However, if you then change something for that stack (for example add a new tag), the plan shows the expected tag changes and nothing else. But once applied, the value for that parameter will be changed to ****.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
    required_version = "~>1.0"
    required_providers {
    aws = {
        source  = "hashicorp/aws"
        version = "~>4.12"
    }
  }
}

provider "aws" {
  region  = "us-east-1"
}

variable "DATADOG_API_KEY" {
    type = string
}

resource "aws_cloudformation_stack" "test-stack" {
  name = "testing-dd-key-stack"

  parameters = {
    DdApiKey = var.DATADOG_API_KEY
  }

  template_body = <<STACK
{
  "Parameters" : {
    "DdApiKey" : {
      "Type" : "String",
      "Default" : "",
      "NoEcho" : true
    }
  },
  "Resources" : {
    "extraddsecret": {
      "Type" : "AWS::SecretsManager::Secret",
      "Properties" : {
        "SecretString": {"Ref": "DdApiKey"}
      }
    }
  }
}
STACK

  tags = {
    testTag = "trying to trigger"
  }

  lifecycle {
    ignore_changes = [
      parameters
    ]
  }
}

Steps to Reproduce

1. Remove or comment out lifecycle block and tags
2. terraform apply --auto-approve
3. when prompted for value for DATADOG_API_KEY provide anything (ex: 'xyz')
4. terraform plan
5. provide the same value for DATADOG_API_KEY
6. The plan will show changing the value of the parameter, despite providing the same value
7. Now add the lifecycle block back in
8. Repeat steps 4 and 5, plan should show no changes
9. Add tags block in
10. Repeat steps 4 and 5, plan should now show changing only the tags
11. terraform apply --auto-approve
12. Check the value of the secret in AWS, the value should be ****.

Removing the lifecycle block and applying again will set the value of the parameter/secret to the correct value again.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ipmb]

There is some historical discussion for this at https://github.com/hashicorp/terraform/issues/4335