
Pulumi tries to replace iam.UserLoginProfile if passwordResetRequired is set, the password was changed and the stack refreshed #3750

Closed
rafalkrupinski opened this issue Mar 28, 2024 · 6 comments
Assignees
Labels
area/docs Improvements or additions to documentation area/refresh awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/bug Some behavior is incorrect or out of spec resolution/no-repro This issue wasn't able to be reproduced
Comments

@rafalkrupinski

rafalkrupinski commented Mar 28, 2024

What happened?

  1. Called pulumi up to create resources as in the example
  2. Logged in as the newly created user, changed password as required
  3. Called pulumi refresh - detects change of passwordResetRequired to false
  4. Called pulumi up

At the last step pulumi reports the login profile will be replaced, but fails to create a second login profile for the user before the old one is removed, while it shouldn't try replacing the login profile at all.
Documentation for passwordResetRequired says it "Only applies at resource creation."

    error: 1 error occurred:
        * creating IAM User Login Profile for "testUser": EntityAlreadyExists: Login Profile for user testUser already exists.
        status code: 409, request id: ae0179e8-31b7-4671-b433-f5514cc315ff

Example

import * as aws from "@pulumi/aws";

const user = new aws.iam.User(
    "testuser",
    {
        name: "testUser",
    }
);

// Console login profile with the flag that triggers the replacement after refresh
const loginProfile = new aws.iam.UserLoginProfile(
    "testLoginProfile",
    {
        user: user.name,
        passwordResetRequired: true,
    }
);

export const testPassword = loginProfile.password; // only needed to login

// Inline policy so the user can complete the forced password change at first login
new aws.iam.UserPolicy("allowChangeOwnPassword", {
    user: user.name,
    policy: {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:GetAccountPasswordPolicy",
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": "iam:ChangePassword",
                "Resource": user.arn,
            },
            {
                "Effect": "Allow",
                "Action": "iam:GetUser",
                "Resource": user.arn,
            },
        ],
    },
});

Output of pulumi about

CLI
Version 3.111.1
Go Version go1.22.1
Go Compiler gc

Host
OS debian
Version 12.5
Arch x86_64

Pulumi locates its logs in /tmp by default


@rafalkrupinski rafalkrupinski added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Mar 28, 2024
@rafalkrupinski rafalkrupinski changed the title iam.UserLoginProfile.passwordResetRequired not retained after refresh Pulumi trie to replace iam.UserLoginProfile if passwordResetRequired is set, the password was changed and the stack refreshed Mar 28, 2024
@rafalkrupinski rafalkrupinski changed the title Pulumi trie to replace iam.UserLoginProfile if passwordResetRequired is set, the password was changed and the stack refreshed Pulumi tries to replace iam.UserLoginProfile if passwordResetRequired is set, the password was changed and the stack refreshed Mar 28, 2024
@corymhall
Contributor

@rafalkrupinski it looks like this is working as the upstream provider intended, although the documentation is definitely a little confusing (not sure why it mentions creation when updating is not possible). I think the way to handle this is with the ignoreChanges resource option.

@corymhall corymhall added area/docs Improvements or additions to documentation and removed kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Mar 29, 2024
@rafalkrupinski
Author

Can't imagine it's an intended behaviour. Hope the bug report from a pulumi user is honoured by the upstream maintainers.

@corymhall corymhall added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Mar 29, 2024
@mikhailshilkov
Member

The property is indeed marked as ForceNew upstream: https://github.com/hashicorp/terraform-provider-aws/blob/0d1d7b6c5eb9f8e2c5265b35df7ddde5852c15d8/internal/service/iam/user_login_profile.go#L58

We mark it as such too.
[image]

The property description is translated faithfully from the upstream docs.
[image]

So I think our behavior is by design here.

@corymhall Do you want to keep the issue open to track any work on our side? If so, please label it with a kind/ label.

@rafalkrupinski
Author

rafalkrupinski commented Apr 1, 2024

From a user perspective it doesn't work as intended. The flag should apply only on resource creation, and I (as a user) know nothing of ForceNew.

To me it seems it's an undesired combined effect of aws changing the field after fulfilling its desired purpose + ForceNew. The password_reset_required shouldn't update when that field in AWS changes, or rather, there should be a separate flag that only sets password_reset_required on creation, as it's now documented.

I realize it's an upstream problem, and I've reported it there too.

@rafalkrupinski
Author

rafalkrupinski commented Apr 1, 2024

upstream issue hashicorp/terraform-provider-aws#23567

@mikhailshilkov mikhailshilkov added the kind/bug Some behavior is incorrect or out of spec label Apr 2, 2024
@t0yv0
Member

t0yv0 commented Apr 26, 2024

The upstream issue got fixed by not changing passwordResetRequired in Read: https://github.com/hashicorp/terraform-provider-aws/pull/36926/files#diff-7b4e00a7f40cb5504072acf00eb8a74f6f24ab1fa0336bdebebc67c77516a6f0

This is now inherited by pulumi. pulumi refresh now does not detect changes in this scenario.

CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.32.0
awsx    2.9.0
docker  4.5.3
docker  3.6.1
nodejs  unknown

Host     
OS       darwin
Version  14.4.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/bin/node' version='v18.18.2'

Current Stack: anton-pulumi-corp/aws-3750/dev

TYPE                                       URN
pulumi:pulumi:Stack                        urn:pulumi:dev::aws-3750::pulumi:pulumi:Stack::aws-3750-dev
pulumi:providers:aws                       urn:pulumi:dev::aws-3750::pulumi:providers:aws::default_6_32_0
aws:iam/user:User                          urn:pulumi:dev::aws-3750::aws:iam/user:User::testuser
aws:iam/userLoginProfile:UserLoginProfile  urn:pulumi:dev::aws-3750::aws:iam/userLoginProfile:UserLoginProfile::testLoginProfile
aws:iam/userPolicy:UserPolicy              urn:pulumi:dev::aws-3750::aws:iam/userPolicy:UserPolicy::allowChangeOwnPassword


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, pulumi
Token type     personal

Dependencies:
NAME            VERSION
@types/node     18.19.31
typescript      5.4.5
@pulumi/aws     6.32.0
@pulumi/awsx    2.9.0
@pulumi/pulumi  3.113.3

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/com.apple.shortcuts.mac-helper// by default

I'm going to close as fixed but please open a new issue if there's something else that can be improved here.

@t0yv0 t0yv0 added this to the 0.103 milestone Apr 26, 2024
@t0yv0 t0yv0 self-assigned this Apr 26, 2024
@t0yv0 t0yv0 added the resolution/fixed This issue was fixed label Apr 26, 2024
@t0yv0 t0yv0 closed this as completed Apr 26, 2024
@t0yv0 t0yv0 added resolution/no-repro This issue wasn't able to be reproduced and removed resolution/fixed This issue was fixed labels Apr 26, 2024
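The thread above names two ways the replacement stops happening: the ignoreChanges resource option corymhall suggested, and the upstream fix t0yv0 points at, which stops the provider's Read from writing the live passwordResetRequired value back into state. The following is an added, deliberately simplified model of that refresh-then-up cycle, written for this page and not Pulumi's or the terraform-provider-aws code. All names in it (LoginProfileState, refresh, plan, scenario, FORCE_NEW_PROPS) are hypothetical; it only reproduces the decision logic described in the comments: refresh folds the live read into state, up diffs program inputs against state, ignored properties are dropped from the diff, and a change to a ForceNew property becomes a replace.

```typescript
// Added example, not code from this issue or from Pulumi/the AWS provider.
// Models the refresh -> up cycle from the report and why the two fixes stop
// the replacement. All identifiers here are hypothetical.

type LoginProfileState = {
  user: string;
  passwordResetRequired: boolean;
};

// Properties the upstream provider marks ForceNew: any diff on them is a replace.
const FORCE_NEW_PROPS: ReadonlyArray<keyof LoginProfileState> = ["passwordResetRequired"];

type PlanAction = "none" | "update" | "replace";

interface Plan {
  action: PlanAction;
  changedProps: (keyof LoginProfileState)[];
}

// Model of `pulumi refresh`: read the live resource and fold it into stack state.
// readOverwritesResetFlag=true models the old provider (Read copies the live flag
// into state); false models the fixed provider (Read leaves the flag alone).
function refresh(
  state: LoginProfileState,
  live: LoginProfileState,
  readOverwritesResetFlag: boolean,
): LoginProfileState {
  return {
    ...state,
    user: live.user,
    passwordResetRequired: readOverwritesResetFlag
      ? live.passwordResetRequired
      : state.passwordResetRequired,
  };
}

// Model of `pulumi up`: diff desired inputs against stored state, skip anything in
// ignoreChanges, and escalate to replace if a changed property is ForceNew.
function plan(
  desired: LoginProfileState,
  state: LoginProfileState,
  ignoreChanges: ReadonlyArray<keyof LoginProfileState> = [],
): Plan {
  const changedProps = (Object.keys(desired) as (keyof LoginProfileState)[])
    .filter((k) => !ignoreChanges.includes(k))
    .filter((k) => desired[k] !== state[k]);
  if (changedProps.length === 0) {
    return { action: "none", changedProps };
  }
  const action: PlanAction = changedProps.some((k) => FORCE_NEW_PROPS.includes(k))
    ? "replace"
    : "update";
  return { action, changedProps };
}

// The four steps from the report, parameterised so each fix can be tried.
function scenario(opts: {
  readOverwritesResetFlag: boolean;
  ignoreChanges?: (keyof LoginProfileState)[];
}): PlanAction {
  // Step 1: first `pulumi up` stores the program's inputs as state.
  const desired: LoginProfileState = { user: "testUser", passwordResetRequired: true };
  let state: LoginProfileState = { ...desired };
  // Step 2: the user logs in and changes the password; AWS clears the flag.
  // (Constructed live state, standing in for the IAM GetLoginProfile response.)
  const live: LoginProfileState = { user: "testUser", passwordResetRequired: false };
  // Step 3: `pulumi refresh`.
  state = refresh(state, live, opts.readOverwritesResetFlag);
  // Step 4: `pulumi up`.
  return plan(desired, state, opts.ignoreChanges ?? []).action;
}

console.log("old provider, no ignoreChanges:", scenario({ readOverwritesResetFlag: true }));
console.log(
  "old provider, ignoreChanges:",
  scenario({ readOverwritesResetFlag: true, ignoreChanges: ["passwordResetRequired"] }),
);
console.log("fixed provider:", scenario({ readOverwritesResetFlag: false }));
```

The first run yields "replace", which is the path that ends in the EntityAlreadyExists error above, since IAM allows only one login profile per user and the replacement tries to create the new one before deleting the old. The other two runs yield "none". In a real program the ignoreChanges workaround is the third argument to the resource constructor, for example `new aws.iam.UserLoginProfile("testLoginProfile", { user: user.name, passwordResetRequired: true }, { ignoreChanges: ["passwordResetRequired"] })`; with @pulumi/aws 6.32.0 and later, per t0yv0's comment, the upstream fix makes it unnecessary.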