random_password output as plain text and indicates and resource update required

[matthew-palmer]

Terraform Version

Terraform v0.12.10

Affected Resource(s)

Please list the resources as a list, for example:

• random_password

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "random_password" "pg_database_password" {
  length  = 32
  special = "${var.pg_password_specials}"
}

resource "aws_cloudformation_stack" "db" {
  ...
  parameters = {
        DatabasePassword      = "${random_password.pg_database_password.result}"
  }
}

Debug Output

When running a terraform apply against preexisting resource:

# aws_cloudformation_stack.db will be updated in-place
  ~ resource "aws_cloudformation_stack" "db" {
      ....
      ~ parameters       = {
            ...
          ~ "DatabasePassword"      = "****" -> "OsnonMD98NDrztZDKorZ0N8a5BL9iHvM"
            ...
        }

Expected Behavior

What should have happened?
No change should be computed, as well as the generated password should be considered sensitive and not output to the log

Actual Behavior

What actually happened?
Plain text password output and resource "update" required. Even then cloudformation doesn't show it was updated after an apply as all values are technically identical and no change is actually needed.

[sephethus]

Why has no one addressed this? One would think the inventor of Vault would have implemented a solution by now, after it was first addressed way back before I ever even conceived of the idea of cloud computing much less a way to automate it, way back in 2014. I didn't even realize Terraform had been a thing back then.

[Cussa]

One year more has passed. Any update on it?