hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Changing a aws_ssm_parameter from value to insecure_value does not overwrite the value #30350

Open cecedille1 opened 1 year ago

cecedille1 commented 1 year ago

Terraform Core Version

1.4.0

AWS Provider Version

4.60.0

Affected Resource(s)

aws_ssm_parameter

Expected Behavior

First I create an aws_ssm_parameter with a type "String" and a value set in the value attribute; it creates the AWS SSM parameter with the expected content. Then I change the way to provide the content to the aws_ssm_parameter from value to insecure_value. I expect the value of my AWS SSM Parameter to become the insecure_value.

Actual Behavior

The apply succeeds but the value stays with the old secret value.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Initial

resource aws_ssm_parameter foo {
  name = "/test"
  type = "String"
  value = "SECRET"
}

Second

resource aws_ssm_parameter foo {
  name = "/test"
  type = "String"
  insecure_value = "NOT SO SECRET"
}

Steps to Reproduce

Apply this snippet

resource aws_ssm_parameter foo {
  name = "/test"
  type = "String"
  value = "SECRET"
}

In a second step, apply this snippet in the same state

resource aws_ssm_parameter foo {
  name = "/test"
  type = "String"
  insecure_value = "NOT SO SECRET"
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

alant94 commented 10 months ago

I encountered this issue as well recently, on Terraform 1.6.3 and AWS provider 5.24.0.

Moreover, the reverse is also the case: if the SSM param was initially created with "insecure_value", a later change to "value" leads to the value not being updated anymore; only the version gets updated, without changes to the actual content.

borisnaydis commented 10 months ago

To add to the discussion, here is a warning message from the Terraform logs when applying @cecedille1's snippet.

2023-11-07T13:40:17.180-0500 [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_ssm_parameter.foo, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .insecure_value: planned value cty.UnknownVal(cty.String) does not match config value cty.StringVal("NOT SO SECRET")
      - .tags: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .allowed_pattern: planned value cty.StringVal("") for a non-computed attribute
      - .description: planned value cty.StringVal("") for a non-computed attribute

ipc-zpg commented 6 months ago

I've had to destroy and re-create to work around this issue.

tetienne commented 3 months ago

It also impacts the import of a parameter to a resource with an insecure_value.
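
A post-apply check for the symptom reported in this thread, added here as an example and not taken from the issue or the provider: it compares snapshots shaped like `aws ssm get-parameters` output from before and after the apply against the configured value. The snapshots, the Version numbers in them, and the names `check_apply`, `EXPECTED`, `BEFORE_APPLY` and `AFTER_APPLY` are constructed for illustration.

```python
import json

# Constructed samples shaped like `aws ssm get-parameters --names /test` output,
# taken before and after the second `terraform apply` described in the report.
BEFORE_APPLY = json.loads("""
{"Parameters": [{"Name": "/test", "Type": "String", "Value": "SECRET", "Version": 1}],
 "InvalidParameters": []}
""")
AFTER_APPLY = json.loads("""
{"Parameters": [{"Name": "/test", "Type": "String", "Value": "SECRET", "Version": 2}],
 "InvalidParameters": []}
""")

# What the second configuration says the parameter should now contain.
EXPECTED = {"/test": "NOT SO SECRET"}


def _by_name(response):
    """Index a get-parameters response by parameter name."""
    return {p["Name"]: p for p in response.get("Parameters", [])}


def check_apply(expected, before, after):
    """Classify each expected parameter after an apply.

    Returns {name: status}; values are never echoed, so the report is safe to log.
      ok                    live value equals the configured value
      missing               parameter absent from the post-apply snapshot
      stale                 live value differs from the configured value
      stale-version-bumped  as stale, and Version rose while the content stayed put
    """
    old, new = _by_name(before), _by_name(after)
    report = {}
    for name, want in expected.items():
        live = new.get(name)
        if live is None:
            report[name] = "missing"
        elif live["Value"] == want:
            report[name] = "ok"
        else:
            prev = old.get(name)
            bumped = (prev is not None and live["Version"] > prev["Version"]
                      and live["Value"] == prev["Value"])
            report[name] = "stale-version-bumped" if bumped else "stale"
    return report


if __name__ == "__main__":
    print(check_apply(EXPECTED, BEFORE_APPLY, AFTER_APPLY))
```

A `stale` or `stale-version-bumped` result means the old content is still stored under that name even though the apply reported success.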