Created users with login profiles shouldn't reset their passwords

[SmartassSkeleton]

Description

I recently created a bunch of users using the iam-user module in this repository using a for_each loop:

module "iam_users" {
  source   = "terraform-aws-modules/iam/aws//modules/iam-user"
  version  = "~> 4.20.0"
  for_each = var.users_map

  name          = each.key
  force_destroy = true

  create_iam_access_key         = each.value.create_iam_access_key
  create_iam_user_login_profile = each.value.create_iam_user_login_profile
}

I later on wanted to add a bunch of other IAM users in a 2nd iteration and make sure that they get a temporary password and require their reset on the first login using the same code.

When I terraform plan with the 2nd batch of users, I see that the created users in the first iteration will have new temporary passwords and will require to reset them on first login again:

# module.iam_groups_users.module.users.module.iam_users["user1"].aws_iam_user_login_profile.this[0] must be replaced
-/+ resource "aws_iam_user_login_profile" "this" {
      + encrypted_password      = (known after apply)
      ~ id                      = "user1" -> (known after apply)
      + key_fingerprint         = (known after apply)
      ~ password                = "REDACTED" -> (known after apply)
      ~ password_reset_required = false -> true # forces replacement
        # (2 unchanged attributes hidden)
    }

  # module.iam_groups_users.module.users.module.iam_users["user2"].aws_iam_user_login_profile.this[0] must be replaced
-/+ resource "aws_iam_user_login_profile" "this" {
      + encrypted_password      = (known after apply)
      ~ id                      = "user2" -> (known after apply)
      + key_fingerprint         = (known after apply)
      ~ password                = "REDACTED" -> (known after apply)
      ~ password_reset_required = false -> true # forces replacement
        # (2 unchanged attributes hidden)
    }

I am aware of the password_reset_required variable, but this forces me to change my variable configuration after applying the code.

Versions

• Module version [Required]: 4.20

• Terraform version:

Terraform v1.1.9
on linux_amd64

• Provider version(s):

+ provider registry.terraform.io/hashicorp/aws v4.11.0

Reproduction Code [Required]

terraform plan/apply

Expected behavior

I'd expect the module to create the login profile with a generated password in the first place, but ignore changes that are made outside it's control, specially when it's with sensitive data like passwords/PGP.

Maybe add a lifcecycle meta-block?:

lifecycle {
    ignore_changes = [
      password_length,
      password_reset_required,
      pgp_key,
    ]

Edit:
I found out that this is an AWS provider issue tracked in here: hashicorp/terraform-provider-aws#23567

Actual behavior

password_reset_required is static and requires actions after terraform apply. This makes me have to worry about my variables post applying a new configuration.

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[antonbabenko]

This issue has been resolved in version 5.3.1 🎉

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.