hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_iam_user_login_profile password should be marked as sensitive #39907

Closed whoracle closed 7 hours ago

whoracle commented 1 week ago

Terraform Core Version

1.55

AWS Provider Version

5.35.0

Affected Resource(s)

Expected Behavior

field password should be marked as sensitive, and thus not be shown in plan outputs.

Actual Behavior

The content of field password is shown in terraform plan output, for example when planning to delete a resource.

Relevant Error/Panic Output Snippet

# aws_iam_user_login_profile.this will be destroyed
# (because aws_iam_user_login_profile.this is not in configuration)
- resource "aws_iam_user_login_profile" "this" {
    - id                      = "tf-bugreport-test" -> null
    - password                = "XXXXXXXXXXXXXXXXXXXXXXX" -> null
    - password_length         = 64 -> null
    - password_reset_required = false -> null
    - user                    = "tf-bugreport-test" -> null
  }

Terraform Configuration Files

terraform {
  backend "local" {
    path = "./terraform.tfstate"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.35.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1"
}

resource "aws_iam_user" "this" {
  name          = "tf-bugreport-test"
  path          = "/"
  force_destroy = true
}

resource "aws_iam_user_login_profile" "this" {
  user    = aws_iam_user.this.name
}

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 week ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 1 week ago

Hey @whoracle 👋 Thank you for taking the time to raise this! I agree that this should probably be marked as sensitive, so I'm going to leave this open for someone from the team or community to pick up.

You may already know this, but in case anyone else comes across this issue, I did want to mention that the password attribute will only ever be populated by a random password that the AWS Provider generates on resource creation (it's not possible to read the current value from the upstream API), and is only populated if the pgp_key argument is not populated. Because of this, supplying pgp_key or setting password_reset_required to true can help mitigate some of the problem in the meantime.
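The workaround described above, written out as an added configuration example (it is not from the issue or the provider's documentation): the login profile is created with `pgp_key` set, so the provider never stores a plaintext `password` in state or shows one in plan output; instead it exports `encrypted_password`, which only the holder of the matching private key can decrypt. `password_reset_required = true` additionally forces the user to change the generated password at first sign-in. The `keybase:example_user` value is a placeholder; a base64-encoded PGP public key is the other accepted form.

```hcl
resource "aws_iam_user" "this" {
  name          = "tf-bugreport-test"
  path          = "/"
  force_destroy = true
}

resource "aws_iam_user_login_profile" "this" {
  user = aws_iam_user.this.name

  # Placeholder: replace with a real keybase username ("keybase:<user>")
  # or a base64-encoded PGP public key. With this set, the provider
  # encrypts the generated password and leaves the `password` attribute
  # empty, so nothing readable lands in state or plan output.
  pgp_key = "keybase:example_user"

  # Force a password change on first console sign-in so the generated
  # value is short-lived even if it is later exposed.
  password_reset_required = true
}

# Marking the output as sensitive keeps the ciphertext out of plain
# `terraform apply` output; retrieve it explicitly with `terraform output`.
output "encrypted_password" {
  value     = aws_iam_user_login_profile.this.encrypted_password
  sensitive = true
}
```

With this in place, `terraform plan` on deletion shows `password = "" -> null` (or `(sensitive value)` for the output) rather than the cleartext seen in the report, and the recipient decrypts the password offline with their PGP private key after reading it via `terraform output -raw encrypted_password`.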

stefanfreitag commented 5 days ago

Hi all, I have some capacity left and would like to look into this.

github-actions[bot] commented 7 hours ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.