hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.61k stars, 8.99k forks

[Bug]: aws_directory_service_trust trust_password restriction #37942

Open heathsnow opened 2 weeks ago

heathsnow commented 2 weeks ago

Terraform Core Version

1.5.7

AWS Provider Version

5.53.0

Affected Resource(s)

aws_directory_service_trust

Expected Behavior

trust_password should only be restricted to "May be up to 128 characters long."

[screenshot attached]

Actual Behavior

trust_password is restricted to "Can contain upper- and lower-case letters, numbers, and punctuation characters. May be up to 128 characters long."

[screenshot attached]

Relevant Error/Panic Output Snippet

│ Error: Invalid Attribute Value Match
│
│   with aws_directory_service_trust.this,
│   on main.tf line 87, in resource "aws_directory_service_trust" "this":
│   87:   trust_password     = "r;3^d@c_t>e^(d]"
│
│ Attribute trust_password can contain upper- and lower-case letters, numbers, and punctuation characters, got: r;3^d@c_t>e^(d]

Terraform Configuration Files

resource "aws_directory_service_trust" "this" {
  directory_id = aws_directory_service_directory.this.id

  remote_domain_name = "redacted.com"
  trust_direction    = "One-Way: Outgoing"
  trust_password     = "r;3^d@c_t>e^(d]"

  conditional_forwarder_ip_addrs = ["10.100.100.100"]
}

Steps to Reproduce

  1. Set up a forest trust in Microsoft AD (in my case this was an on-prem server) with an AWS Directory Service directory using a password with the AWS provider restricted characters.
  2. Set up a One-Way: Outgoing forest trust in AWS Directory Services and use the same password.
  3. The Terraform AWS Provider resource aws_directory_service_trust fails with an error while the AWS console does not.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

github-actions[bot] commented 2 weeks ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

acwwat commented 2 weeks ago

According to CreateTrust, the validation regex for TrustPassword is ^(\p{LD}|\p{Punct}| )+$, which is normalized as ^(\p{L}|\p{Nd}|\p{P}| )+$ in the Terraform code. I've tested the latter with https://regexr.com/ with the Unicode flag, and it seems that ^ is not being recognized as punctuation by the regex - it's recognized as a symbol (\p{S}). Thus the password r;3^d@c_t>e^(d] fails validation. This could be an AWS documentation issue that should first be investigated to confirm the next course of action for the Terraform resource.
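
The classification described in the comment above can be reproduced with Go's own regexp and unicode packages, which is what the provider is written in. The following is an added example, not code from the provider or from either commenter: it applies the pattern quoted above (^(\p{L}|\p{Nd}|\p{P}| )+$) to the password from the issue, reports each rune's Unicode general category, and lists the runes that the pattern rejects. The wider pattern in WidenedPattern, which additionally admits \p{S}, is a hypothetical illustration of what a change would have to cover; it is not a fix the project has adopted.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// TrustPasswordPattern is the validation regex quoted in the issue discussion
// (constructed here from the comment; not copied from the provider's source).
const TrustPasswordPattern = `^(\p{L}|\p{Nd}|\p{P}| )+$`

// WidenedPattern is a hypothetical variant that also admits Unicode symbols
// (\p{S}), the category that '^' and '>' fall into. Illustration only.
const WidenedPattern = `^(\p{L}|\p{Nd}|\p{P}|\p{S}| )+$`

var (
	trustPasswordRe = regexp.MustCompile(TrustPasswordPattern)
	widenedRe       = regexp.MustCompile(WidenedPattern)
)

// ValidTrustPassword reports whether s satisfies the pattern quoted in the issue.
func ValidTrustPassword(s string) bool {
	return trustPasswordRe.MatchString(s)
}

// ValidWidened reports whether s satisfies the hypothetical widened pattern.
func ValidWidened(s string) bool {
	return widenedRe.MatchString(s)
}

// OffendingRunes returns, in order, every rune of s that is not a letter (\p{L}),
// a decimal digit (\p{Nd}), punctuation (\p{P}) or a space, i.e. exactly the
// runes the quoted pattern refuses.
func OffendingRunes(s string) []rune {
	var out []rune
	for _, r := range s {
		if unicode.IsLetter(r) || unicode.Is(unicode.Nd, r) || unicode.IsPunct(r) || r == ' ' {
			continue
		}
		out = append(out, r)
	}
	return out
}

// Category returns the two-letter Unicode general category of r (for example
// "Po" for ';' or "Sk" for '^'), or "" if none applies.
func Category(r rune) string {
	for name, table := range unicode.Categories {
		if len(name) == 2 && unicode.Is(table, r) {
			return name
		}
	}
	return ""
}

func main() {
	// The (redacted) password from the issue report.
	password := "r;3^d@c_t>e^(d]"

	for _, r := range password {
		fmt.Printf("%q -> %s\n", r, Category(r))
	}
	fmt.Printf("rejected by quoted pattern: %q\n", string(OffendingRunes(password)))
	fmt.Printf("valid under quoted pattern:  %v\n", ValidTrustPassword(password))
	fmt.Printf("valid under widened pattern: %v\n", ValidWidened(password))
}
```

Running it shows that ';', '@', '_', '(', ']' and '\' are all category P and pass, while '^' (Sk) and '>' (Sm) are symbols and are the only runes the quoted pattern rejects; the widened pattern accepts the whole string.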

heathsnow commented 2 weeks ago

In my testing it appears that any of the symbols ;^@_>^(\ are causing an issue, which isn't the case in the console.