aws_fsx_windows_file_system sends all self_managed_active_directory settings if any setting in that block has changed #19793

Closed
devonbleak opened this issue Jun 14, 2021 · 2 comments · Fixed by #19970
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/fsx Issues and PRs that pertain to the fsx service.

@devonbleak

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v0.13.5

  • provider registry.terraform.io/hashicorp/archive v2.2.0
  • provider registry.terraform.io/hashicorp/aws v3.45.0
  • provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

  • aws_fsx_windows_file_system

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

/*
Imported FSX Filesystem
*/
resource "aws_fsx_windows_file_system" "fsx1" {
  deployment_type     = "MULTI_AZ_1"
  storage_capacity    = 13312
  subnet_ids          = [module.vpc.private_subnets[0], module.vpc.private_subnets[1]]
  throughput_capacity = 128
  security_group_ids  = var.fsx_sg_ids

  /*
  Changes to self_managed_active_directory block are better done through console and just update them in the tf file for imported filesystems
  */
  self_managed_active_directory {
    dns_ips                                = var.fsx_dns_ips
    domain_name                            = var.fsx_domain_name
    password                               = var.fsx_ad_sa_password
    username                               = var.fsx_ad_sa_name
    organizational_unit_distinguished_name = var.fsx_ou_dn
    file_system_administrators_group       = "AWS Corp WorkSpaces Prod FSX1 Admins"
  }
  tags = {
    Name = "corp-workspaces-prod-fsx1"
  }
  /*
  Certain resource arguments, like security_group_ids and the self_managed_active_directory configuration block password, do not have a FSx API method for reading the information after creation. If these arguments are set in the Terraform configuration on an imported resource, Terraform will always show a difference. To work around this behavior, either omit the argument from the Terraform configuration or use ignore_changes to hide the difference
  */
  lifecycle {
    prevent_destroy = true
    ignore_changes = [
      security_group_ids,
      self_managed_active_directory.0.password,
    ]
  }
}

Expected Behavior

When updating self_managed_active_directory.0.dns_ips (for example), only that field should be sent to AWS in the update request.

Actual Behavior

When updating self_managed_active_directory.0.dns_ips the provider also sent the username and password along with it even though the password had not changed in the code. As this is an imported filesystem the password in state is empty and this led to a validation error.

Steps to Reproduce

  1. Import a manually created filesystem
  2. Update dns_ips for the filesystem in Terraform
  3. terraform apply

Alternatively if the filesystem is created in TF and a manual rotation of the password is performed, you can validate that the password gets reverted by TF.

Important Factoids

This appears to be a bug in expandFsxSelfManagedActiveDirectoryConfigurationUpdate which is copying the fields into the update struct without verifying that each individual field has actually changed:

req := &fsx.SelfManagedActiveDirectoryConfigurationUpdates{
	DnsIps:   expandStringSet(data["dns_ips"].(*schema.Set)),
	Password: aws.String(data["password"].(string)),
	UserName: aws.String(data["username"].(string)),
}

References

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/fsx Issues and PRs that pertain to the fsx service. labels Jun 14, 2021
@bill-rich bill-rich added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 15, 2021
@DrFaust92 DrFaust92 self-assigned this Jun 25, 2021
@github-actions github-actions bot added this to the v3.48.0 milestone Jun 28, 2021
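
A field-by-field version of the update builder the issue describes, as an added example that is not the provider's code or the change merged in #19970. The types `adBlock` and `adUpdate` and the helper `changedOnly` are hypothetical stand-ins for the schema block and the SDK update struct, and all sample values are constructed.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// adBlock is a constructed stand-in for one self_managed_active_directory block.
type adBlock struct {
	DNSIPs             []string
	Username, Password string
}

// adUpdate is a local stand-in for the update struct quoted in the issue.
// A nil field means "do not send this field".
type adUpdate struct {
	DNSIPs             []string
	Username, Password *string
}

// sameSet compares dns_ips as a set, so reordering alone is not a change.
func sameSet(a, b []string) bool {
	x, y := append([]string{}, a...), append([]string{}, b...)
	sort.Strings(x)
	sort.Strings(y)
	return reflect.DeepEqual(x, y)
}

// changedOnly (hypothetical helper) copies a field into the update only when
// it differs between prior state and planned configuration.
func changedOnly(state, plan adBlock) adUpdate {
	var u adUpdate
	if !sameSet(state.DNSIPs, plan.DNSIPs) {
		u.DNSIPs = plan.DNSIPs
	}
	if state.Username != plan.Username {
		u.Username = &plan.Username
	}
	if state.Password != plan.Password {
		u.Password = &plan.Password
	}
	return u
}

func main() {
	// Imported filesystem: the password cannot be read back, so state holds "".
	state := adBlock{DNSIPs: []string{"10.0.0.10", "10.0.0.11"}, Username: "svc-fsx"}
	plan := state
	plan.DNSIPs = []string{"10.0.1.10", "10.0.0.10"}
	u := changedOnly(state, plan)
	fmt.Println(u.DNSIPs, u.Username == nil, u.Password == nil)
}
```

With the password ignored via `ignore_changes`, state and plan both carry the empty value, so the credential fields stay out of the request and only `dns_ips` is sent.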
@github-actions

github-actions bot commented Jul 8, 2021

This functionality has been released in v3.48.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

github-actions bot commented Aug 8, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2021
@DrFaust92 DrFaust92 removed their assignment Mar 26, 2022