Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

r/aws_iam_user_login_profile: prevent password_reset_required persistent diff #36926

Merged
merged 1 commit into from
Apr 17, 2024

Conversation

jar-b
Copy link
Member

@jar-b jar-b commented Apr 15, 2024

Description

This change fixes persistent differences observed when a user login profile is initially configured with password_reset_required set to true. Once the user logs in and resets their password successfully, the remote value switches to false as the user has completed the initial reset task. Instead of writing the remote value to state on every read operation (triggering a diff and forced re-creation as soon as the password is reset), we now store the initial value on creation only. This makes the implementation consistent with our own existing documentation for the argument, which states:

password_reset_required - (Optional) Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.

Before:

% make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_passwordResetRequired
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_passwordResetRequired'  -timeout 360m
=== RUN   TestAccIAMUserLoginProfile_passwordResetRequired
=== PAUSE TestAccIAMUserLoginProfile_passwordResetRequired
=== CONT  TestAccIAMUserLoginProfile_passwordResetRequired
    user_login_profile_test.go:303: Step 1/2 error: After applying this test step, the refresh plan was not empty.
        stdout

        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
        -/+ destroy and then create replacement

        Terraform will perform the following actions:

          # aws_iam_user_login_profile.test must be replaced
        -/+ resource "aws_iam_user_login_profile" "test" {
          <snip>
              + password                = (known after apply)
              ~ password_reset_required = false -> true # forces replacement
                # (3 unchanged attributes hidden)
            }

        Plan: 1 to add, 0 to change, 1 to destroy.
--- FAIL: TestAccIAMUserLoginProfile_passwordResetRequired (26.74s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/iam        32.422s

After:

% make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_passwordResetRequired
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_passwordResetRequired'  -timeout 360m

--- PASS: TestAccIAMUserLoginProfile_passwordResetRequired (20.63s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        26.258s

Relations

Closes #23567
Closes #35601 (Documented workaround is no longer necessary)

References

Output from Acceptance Testing

% make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_'  -timeout 360m

--- PASS: TestAccIAMUserLoginProfile_keybaseDoesntExist (11.51s)
--- PASS: TestAccIAMUserLoginProfile_nogpg (12.95s)
--- PASS: TestAccIAMUserLoginProfile_passwordLength (13.72s)
--- PASS: TestAccIAMUserLoginProfile_keybase (14.21s)
--- PASS: TestAccIAMUserLoginProfile_notAKey (15.64s)
--- PASS: TestAccIAMUserLoginProfile_disappears (21.50s)
--- PASS: TestAccIAMUserLoginProfile_basic (21.57s)
--- PASS: TestAccIAMUserLoginProfile_passwordResetRequired (21.70s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        27.247s

Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/iam Issues and PRs that pertain to the iam service. labels Apr 15, 2024
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Apr 15, 2024
…ent diff

This change fixes persistent differences observed when a user login profile is initially configured with `password_reset_required` set to true. Once the user logs in and resets their password successfully, the remote value switches to `false` as the user has completed the initial reset task. Instead of writing the remote value to state on every read operation (triggering a diff and forced re-creation as soon as the password is reset), we now store the initial value on creation only. This makes the implementation consistent with our own existing documentation for the argument, which states:

> password_reset_required - (Optional) Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.

Before:

```console
% make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_passwordResetRequired
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_passwordResetRequired'  -timeout 360m
=== RUN   TestAccIAMUserLoginProfile_passwordResetRequired
=== PAUSE TestAccIAMUserLoginProfile_passwordResetRequired
=== CONT  TestAccIAMUserLoginProfile_passwordResetRequired
    user_login_profile_test.go:303: Step 1/2 error: After applying this test step, the refresh plan was not empty.
        stdout

        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
        -/+ destroy and then create replacement

        Terraform will perform the following actions:

          # aws_iam_user_login_profile.test must be replaced
        -/+ resource "aws_iam_user_login_profile" "test" {
          <snip>
              + password                = (known after apply)
              ~ password_reset_required = false -> true # forces replacement
                # (3 unchanged attributes hidden)
            }

        Plan: 1 to add, 0 to change, 1 to destroy.
--- FAIL: TestAccIAMUserLoginProfile_passwordResetRequired (26.74s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/iam        32.422s
```

After:

```console
% make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_passwordResetRequired
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_passwordResetRequired'  -timeout 360m

--- PASS: TestAccIAMUserLoginProfile_passwordResetRequired (20.63s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        26.258s
```

```console
% make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_'  -timeout 360m

--- PASS: TestAccIAMUserLoginProfile_keybaseDoesntExist (11.51s)
--- PASS: TestAccIAMUserLoginProfile_nogpg (12.95s)
--- PASS: TestAccIAMUserLoginProfile_passwordLength (13.72s)
--- PASS: TestAccIAMUserLoginProfile_keybase (14.21s)
--- PASS: TestAccIAMUserLoginProfile_notAKey (15.64s)
--- PASS: TestAccIAMUserLoginProfile_disappears (21.50s)
--- PASS: TestAccIAMUserLoginProfile_basic (21.57s)
--- PASS: TestAccIAMUserLoginProfile_passwordResetRequired (21.70s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iam        27.247s
```
@jar-b jar-b force-pushed the b-password_reset_required-diff branch from a627eab to 8104ef9 Compare April 15, 2024 20:31
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

@jar-b jar-b merged commit 318c0b4 into main Apr 17, 2024
46 checks passed
@jar-b jar-b deleted the b-password_reset_required-diff branch April 17, 2024 13:10
@github-actions github-actions bot added this to the v5.46.0 milestone Apr 17, 2024
@sierra-alpha
Copy link

Thanks so much for this! I'm happy the documentation didn't need to change 😃.

@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Apr 19, 2024
Copy link

This functionality has been released in v5.46.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
service/iam Issues and PRs that pertain to the iam service. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Resource aws_iam_user_login_profile "forces replacement" after upgrade to aws provider v4x
3 participants