[Bug]: r/aws_redshiftserverless_namespace: in managed password mode, unable to change admin username

[marcinbelczewski]

Terraform Core Version

1.9.5

AWS Provider Version

5.66.0

Affected Resource(s)

• aws_redshiftserverless_namespace

Expected Behavior

Admin username is changed

Actual Behavior

Confusing error:

│ Error: updating Redshift Serverless Namespace (test1): operation error Redshift Serverless: UpdateNamespace, https response error StatusCode: 400, RequestID: 17c2383b-27bf-4191-9f5d-d181926a507a, ValidationException: 1 validation error detected: Value at 'adminUserPassword' failed to satisfy constraint: Member must have length greater than or equal to 8
│
│   with aws_redshiftserverless_namespace.test,
│   on main.tf line 19, in resource "aws_redshiftserverless_namespace" "test":
│   19: resource "aws_redshiftserverless_namespace" "test" {
│
╵

suggesting password is not managed and validated

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_redshiftserverless_namespace" "test" {
  namespace_name = "test"
  manage_admin_password = true
  admin_username = "custom_username"
}

Steps to Reproduce

1. Apply the following config:

resource "aws_redshiftserverless_namespace" "test" {
  namespace_name = "test"
  manage_admin_password = true
  admin_username = "custom_username"
}

2. Apply the config changed in the following way:

resource "aws_redshiftserverless_namespace" "test" {
  namespace_name = "test"
  manage_admin_password = true
  admin_username = "different_custom_username"
}

Debug Output

No response

Panic Output

No response

Important Factoids

The resource update implementation in the provider checks changes in all the attributes one by one and passes only the changed one in the API call. manage_admin_password is set to true and unchanged, it won't get passed in API call. admin_username changes and is passed in the API call. Whenever manage_admin_password is omitted in UpdateNamespace API call, the default is false, meaning the API will understand the request as an update in unmanaged admin user password. It will then try to validate the password which is omitted in the API call (this makes sense as we intend to have managed password)

References

No response

Would you like to implement a fix?

Yes

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.