aws_opsworks_stack custom cookbook password keeps re-applying

[wstaples]

Terraform Version

v0.6.14

Affected Resource(s)

• aws_opsworks_stacks

Terraform Configuration Files

##########################
## create opsworks stack
##########################

resource "aws_opsworks_stack" "test-stack" {
    name = "Test Stack"
    region = "us-east-1"
    color = "rgb(57, 131, 94)"
    configuration_manager_name = "Chef"
    configuration_manager_version = "11.10"
    service_role_arn = "${aws_iam_role.some_role.arn}"
    default_instance_profile_arn = "${aws_iam_instance_profile.some_profile.arn}"
    vpc_id = "12345"
    default_subnet_id = "12345"
    use_custom_cookbooks = true
    custom_cookbooks_source = {
        # please note I am using the S3 type not git
        type = "s3"
        url = "https://s3.amazonaws.com/some-bucket/some-file.tar.gz"
        username = "IAM User Key"
        password = "IAM User Secret"
    }
}

Expected Behavior

Terraform should have created the stack and set a value to the password field. On subsequent plan runs Terraform should report
No changes. Infrastructure is up-to-date..

Actual Behavior

Terraform correctly creates the stack and sets the password. However on subsequent plan runs terraform reports

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_opsworks_stack.test-stack
    custom_cookbooks_source.0.password: "*****FILTERED*****" => "IAM User Secret"


Plan: 0 to add, 1 to change, 0 to destroy.

If I run an apply Terraform will correctly set the password. Terraform will continue to report that the resource needs to be updated.
After Terraform successfully sets the password If I try to comment out the password line in the TF file Terraform will try to set the password to an empty string.

~ aws_opsworks_stack.test-stack
    custom_cookbooks_source.0.password: "*****FILTERED*****" => ""

This issue is more than just a minor annoyance. Every time Terraform unnecessarily updates the stack s3 password it removes the custom JSON associated with that stack.
Which in turn causes any instances associated with the stack to fail.

Steps to reproduce

1. Define a stack in a TF file
2. Run a plan/apply
3. Verify the stack was created and the s3 password was set
4. Run terraform plan and you should receive the unexpected output.

References

• AWS OpsWorks custom_cookbooks_source ssh_key keeps reapplying #3635 (same issue but for SSH keys maybe the same solution?)

[apparentlymart]

Oh, whoops... Looks like we missed another one of these odd cases where opsworks returns a placeholder string in place of a secret. This api does this a lot and each case requires some special handling to ignore the value when refreshing.

Thanks for the report! Agreed that the solution here is likely similar to the other one you linked, and indeed a few others. 😀

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.