imported aws_iam_access_key when using pgp_key is destroyed

[akloss-cibo]

Terraform Version

Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/auth0/auth0 v0.47.0
+ provider registry.terraform.io/hashicorp/aws v5.15.0
+ provider registry.terraform.io/hashicorp/external v2.3.3
+ provider registry.terraform.io/hashicorp/http v3.4.4
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/hashicorp/random v3.6.2
+ provider registry.terraform.io/hashicorp/time v0.12.0
+ provider registry.terraform.io/hashicorp/tls v4.0.5
+ provider registry.terraform.io/integrations/github v5.40.0

### Terraform Configuration Files

```terraform
import {
  id = "<key_id>"
  to = aws_iam_access_key.access_key
}

resource "aws_iam_access_key" "access_key" {
  user = aws_iam_user.user.name
  pgp_key = file("public_key.txt")
}

Debug Output

I did scan through the trace logs and there isn't really anything relevant... I'm guessing this is deliberate because the provider source code has

      "pgp_key": {
        Type:     schema.TypeString,
        ForceNew: true,
        Optional: true,
      },

Expected Behavior

Resource should be imported without create/destroy.

Actual Behavior

Terraform wants to destroy and re-create this resource, which will issue a new key.

Steps to Reproduce

Running terraform plan with the above configuration should exhibit the behavior.

Additional Context

I do think this is intended behavior, but destroying an access key is a pretty severe operation in AWS as, if the key is propagated elsewhere, destroying it will require re-propagating it. Usually these sorts of things are done with adding a new key before destroying the old key to ensure the new key is installed everywhere before deleting the old key.

References

No response

[crw]

Thanks for this report! I'm not sure if this is AWS-specific behavior or a Terraform core issue, I'll let a core dev comment on that. Thanks!

[akloss-cibo]

Ack, yes it is probably an aws provider issue... I'll wait a bit just to see but will move this over to https://github.com/hashicorp/terraform-provider-aws/issues if I don't hear anything.

[jbardin]

Hi @akloss-cibo,

Yes, the resource plan is created by the provider, so the decision to replace the instance is outside of Terraform's control. My guess is that the provider can't actually return the original pgp_key so the configuration appears as a change to the resource since the original config is lost.

However it might be useful for us to understand why the provider is forcing replacement here. There are still some improvements we want to make to the import process, and perhaps there is something core can do to assist the provider in this case. Can you show the output of the plan that indicates replacement?