-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/aws_iam_user_login_profile: prevent password_reset_required persistent diff #36926
Conversation
Community NoteVoting for Prioritization
For Submitters
|
…ent diff This change fixes persistent differences observed when a user login profile is initially configured with `password_reset_required` set to true. Once the user logs in and resets their password successfully, the remote value switches to `false` as the user has completed the initial reset task. Instead of writing the remote value to state on every read operation (triggering a diff and forced re-creation as soon as the password is reset), we now store the initial value on creation only. This makes the implementation consistent with our own existing documentation for the argument, which states: > password_reset_required - (Optional) Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation. Before: ```console % make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_passwordResetRequired ==> Checking that code complies with gofmt requirements... TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_passwordResetRequired' -timeout 360m === RUN TestAccIAMUserLoginProfile_passwordResetRequired === PAUSE TestAccIAMUserLoginProfile_passwordResetRequired === CONT TestAccIAMUserLoginProfile_passwordResetRequired user_login_profile_test.go:303: Step 1/2 error: After applying this test step, the refresh plan was not empty. stdout Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: -/+ destroy and then create replacement Terraform will perform the following actions: # aws_iam_user_login_profile.test must be replaced -/+ resource "aws_iam_user_login_profile" "test" { <snip> + password = (known after apply) ~ password_reset_required = false -> true # forces replacement # (3 unchanged attributes hidden) } Plan: 1 to add, 0 to change, 1 to destroy. --- FAIL: TestAccIAMUserLoginProfile_passwordResetRequired (26.74s) FAIL FAIL github.com/hashicorp/terraform-provider-aws/internal/service/iam 32.422s ``` After: ```console % make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_passwordResetRequired ==> Checking that code complies with gofmt requirements... TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_passwordResetRequired' -timeout 360m --- PASS: TestAccIAMUserLoginProfile_passwordResetRequired (20.63s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/iam 26.258s ``` ```console % make testacc PKG=iam TESTS=TestAccIAMUserLoginProfile_ ==> Checking that code complies with gofmt requirements... TF_ACC=1 go1.21.8 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMUserLoginProfile_' -timeout 360m --- PASS: TestAccIAMUserLoginProfile_keybaseDoesntExist (11.51s) --- PASS: TestAccIAMUserLoginProfile_nogpg (12.95s) --- PASS: TestAccIAMUserLoginProfile_passwordLength (13.72s) --- PASS: TestAccIAMUserLoginProfile_keybase (14.21s) --- PASS: TestAccIAMUserLoginProfile_notAKey (15.64s) --- PASS: TestAccIAMUserLoginProfile_disappears (21.50s) --- PASS: TestAccIAMUserLoginProfile_basic (21.57s) --- PASS: TestAccIAMUserLoginProfile_passwordResetRequired (21.70s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/iam 27.247s ```
a627eab
to
8104ef9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🚀.
Thanks so much for this! I'm happy the documentation didn't need to change 😃. |
This functionality has been released in v5.46.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Description
This change fixes persistent differences observed when a user login profile is initially configured with
password_reset_required
set to true. Once the user logs in and resets their password successfully, the remote value switches tofalse
as the user has completed the initial reset task. Instead of writing the remote value to state on every read operation (triggering a diff and forced re-creation as soon as the password is reset), we now store the initial value on creation only. This makes the implementation consistent with our own existing documentation for the argument, which states:Before:
After:
Relations
Closes #23567
Closes #35601 (Documented workaround is no longer necessary)
References
Output from Acceptance Testing