[Bug]: aws_elasticache_user authentication mode keep showing no-password instead of no-password-required

[rickychew77]

Terraform Core Version

1.5.6

AWS Provider Version

4.67.0

Affected Resource(s)

aws_elasticache_user

Expected Behavior

When doing a terraform plan/apply on existing aws_elasticache_user with authentication mode type no-password-required, it shouldn't prompt for a change

Actual Behavior

While doing a terraform plan/apply on an existing aws_elasticache_user with authentication mode type no-password-required, it will prompt a changes from as below

~ authentication_mode {
          ~ type           = "no-password" -> "no-password-required"

it seems like the no-password is misleading and giving unnecessary changes to be applied.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_elasticache_user" "default" {
  user_id       = "default-user"
  user_name     = "default"
  access_string = "off -@all"
  engine        = "REDIS"

  authentication_mode {
    type = "no-password-required"
  }
}

Steps to Reproduce

terraform plan terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[nZac]

I'm by no means an expert on this so take it with a grain of salt. aws elasticache describe-users returns the following:

{
    "Users": [
        {
            "UserId": "default",
            "UserName": "default",
            "Status": "active",
            "Engine": "redis",
            "MinimumEngineVersion": "6.0",
            "AccessString": "on ~* +@all",
            "UserGroupIds": [],
            "Authentication": {
                "Type": "no-password"
            },
            "ARN": "<redacted>"
        }
    ] 
}

The SDK has two structs, AuthenticationType and InputAuthenticationType which have different values.

I have no idea how providers reconcile these kinds of things where the setting value is different from the returning value. If someone can explain that, I might be able to try and fix it... but so far: 🤷🏼‍♂️

[barnabyibis]

Let me state this same problem from a slightly different perspective: if you submit your aws_elasticache_user declaration with

authentication_mode {
    type = "no-password-required"
  }

the 'apply' always identifies the existing resource with type="no-password" and so the plan is to update this value ~ authentication_mode { ~ type = "no-password" -> "no-password-required" but if I try to conform to the retrieved 'no-password' setting, I get the result during 'apply':

Error: expected authentication_mode.0.type to be one of ["password" "no-password-required" "iam"], got no-password

It seems there is a conflict between Terraform and AWS CLI that is functionally compatible but comparatively incompatible. And frustratingly, this no-change 'modification' takes 3 minutes to "update" :( But if I comment out the authentication_mode block after creating the resource, no required action is detected during subsequent 'apply's!?

[ticosax]

I'm using a workaround which is switching to password.

[emilycarpenterhs]

I worked around this issue by adding a lifecycle block to ignore changes to the authentication mode but it is annoying.

lifecycle {
  ignore_changes = [authentication_mode]
}