[Bug]: Provider does not recognize changes on `client_password_auth_type` in `aws_db_proxy`'s `auth` section

[AvihaiSam]

Terraform Core Version

1.8.0

AWS Provider Version

5.68.0

Affected Resource(s)

aws_db_proxy

Expected Behavior

after changing client_password_auth_type - we expect TF to identify the changes

Actual Behavior

TF doesn't identify any changes

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_db_proxy" "rds_proxy" {
  count                  = var.create_rds_proxy ? 1 : 0
  name                   = "rds-proxy"
  debug_logging          = false
  engine_family          = "POSTGRESQL"
  idle_client_timeout    = 1800
  require_tls            = false
  role_arn               = aws_iam_role.rds_proxy[0].arn
  vpc_security_group_ids = [module.security_group.security_group_id]
  vpc_subnet_ids         = var.db_subnet_ids

  dynamic "auth" {
    for_each = aws_secretsmanager_secret.services
    content {
      auth_scheme               = "SECRETS"
      description               = "${auth.value.name} secret"
      iam_auth                  = "DISABLED"
      secret_arn                = auth.value.arn
      client_password_auth_type = var.rds_proxy_auth_type
    }
  }

  tags       = local.tags
}

Steps to Reproduce

after deployment - change var.rds_proxy_auth_type value hit terraform plan 0 changes

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[omrishur]

👍

[AvihaiSam]

current workarround: use var.rds_proxy_auth_type inside the description 🫤