[Bug]: aws_elasticache_replication_group set the auth password with ROTATE with the latest provider aws 5.27.0 #34609

Closed
CyrilDevOps opened this issue Nov 28, 2023 · 5 comments
Labels
bug Addresses a defect in current functionality. service/elasticache Issues and PRs that pertain to the elasticache service.

Comments

@CyrilDevOps

Terraform Core Version

1.4.7

AWS Provider Version

5.27.0

Affected Resource(s)

aws_elasticache_replication_group

Expected Behavior

Nothing, no change in my code for elasticache

Actual Behavior

module.redis.aws_elasticache_replication_group.redis_replication_group will be updated in-place

~ resource "aws_elasticache_replication_group" "redis_replication_group" {
+ auth_token_update_strategy = "ROTATE"
id = "myredis"
# (35 unchanged attributes hidden)
}

When doing the apply, it sets the 'default' password I use in my Terraform with ROTATE, meaning I now have the 'default' password and the 'normal' password that I set up outside of Terraform.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

I was making some changes in the Terraform code but not in the ElastiCache section.
But the latest AWS provider 5.27.0 tries to add the auth_token_update_strategy as a change, forcing Terraform to put a new password on all my Redis.

Steps to Reproduce

Create an aws_elasticache_replication_group with a provider before 5.27.0 with an auth_token.
Change the Redis auth_token outside of Terraform (ROTATE & SET) with the AWS CLI command.
Update provider aws to 5.27.0.
Do a plan; it will show that it tries to add auth_token_update_strategy to the aws_elasticache_replication_group,
and by doing the apply, it sets the 'default' auth_token that is in Terraform with ROTATE.
Now your Redis has two auth_tokens: the Terraform 'default' one, and the one you set up after the initial Terraform.

It is a big security regression

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@CyrilDevOps CyrilDevOps added the bug Addresses a defect in current functionality. label Nov 28, 2023
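
A pre-apply check for the drift described in this report, as an added example that is not part of the original issue or the provider's code: it scans the JSON form of a saved plan (terraform show -json) for in-place updates that touch auth_token or auth_token_update_strategy on an ElastiCache replication group. The sample plan, its placeholder token and the function name auth_token_changes are constructed for illustration.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document
# reproducing the in-place update from the report. The token is a placeholder.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.redis.aws_elasticache_replication_group.redis_replication_group",
   "type": "aws_elasticache_replication_group",
   "change": {"actions": ["update"],
              "before": {"id": "myredis", "auth_token": "CONSTRUCTED-PLACEHOLDER",
                         "auth_token_update_strategy": null},
              "after":  {"id": "myredis", "auth_token": "CONSTRUCTED-PLACEHOLDER",
                         "auth_token_update_strategy": "ROTATE"}}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["no-op"], "before": {}, "after": {}}}
]}
""")

# Attributes whose change can cause the provider to push an AUTH token.
WATCHED = ("auth_token", "auth_token_update_strategy")


def auth_token_changes(plan):
    """Return (address, attribute) for every planned in-place update that
    touches a replication group's AUTH settings.

    Values are deliberately not returned: plan JSON carries auth_token in
    clear text, and it should not end up in CI logs.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_elasticache_replication_group":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue
        before = change.get("before") or {}   # null when the resource is new
        after = change.get("after") or {}     # null when it is destroyed
        for attr in WATCHED:
            if before.get(attr) != after.get(attr):
                findings.append((rc["address"], attr))
    return findings


if __name__ == "__main__":
    for address, attr in auth_token_changes(SAMPLE_PLAN):
        print(f"REVIEW BEFORE APPLY: {address} changes {attr}")
```

Run against a real plan by loading the output of terraform show -json for a saved plan file in place of SAMPLE_PLAN, and fail the pipeline when the returned list is not empty.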

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/elasticache Issues and PRs that pertain to the elasticache service. label Nov 28, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 28, 2023
@CbaSage

CbaSage commented Nov 28, 2023

There is an additional flaw here. There is no support for elasticache:AuthTokenEnabled, which now cannot be set to false. This is causing the following error when using group based auth:

Error: changing auth_token for ElastiCache Replication Group (<rep-group-name>): InvalidParameterCombination: Auth tokens can't be enabled with a user group already associated. Pass RemoveUserGroups to proceed.
│ 	status code: 400, request id: <request-id>
│ 
│   with aws_elasticache_replication_group.this,
│   on elasticache.tf line 7, in resource "aws_elasticache_replication_group" "this":
│    7: resource "aws_elasticache_replication_group" "this" {

@s-ven

s-ven commented Nov 28, 2023

Unsure if related, but it would fail terraform apply for a Replication Group without encryption in transit configured (pinning to the previous version fixes the issue for us)

| Error:
| Terraform 'apply' failed, return status: 1
| Error: changing auth_token for ElastiCache Replication Group (xxxx-yyyy-zzzz): InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.

Terraform core version: 1.5.7

Thank you

Edit: I assume my comment should have been on this ticket: #34600 (addressed since, thanks)

@ewbankkit
Contributor

Relates #34589.
Relates #34592.
Relates #34460.
Closed via #34600.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2023