Don't read back opsworks stack cookbooks source password

[apparentlymart]

As with several other sensitive values in Opsworks, the API returns a placeholder value rather than a nil. To avoid writing the placeholder value into the state we just skip updating the password on read, letting whatever value was in the state persist.

This means that Terraform can't detect configuration drift where someone has changed the password via some other means, but Terraform will still be able to recognize changes to the password made within Terraform itself due to the "last-written" value in the state.

This fixes #6192.

[stack72]

where does it have *****FILTERED*****?

[stack72]

AH! It comes back from the API :)

[stack72]

LGTM! thanks @apparentlymart

[eedwardsdisco]

@apparentlymart This is still happening in 0.6.16

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_opsworks_stack.elasticsearch
    custom_cookbooks_source.0.password: "" => "<MY_IAM_PASSWORD (REDACTED)>"

[apparentlymart]

@eedwardsdisco thanks for pointing that out. Looks like my fix here wasn't correct. I've opened a new issue #6826 to track the new bug.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.