r/aws_elasticache_replication_group: Remove auth_token_update_strategy default

[jar-b]

Description

The auth_token_update_strategy argument was added in #34460 with a default value of ROTATE to retain backward compatibility with previous provider versions where this was hardcoded into update operations. In v6.0.0, the default value should be removed and this argument should be required when auth_token is set to ensure practitioners are aware of the rotation strategy being used when credentials are added or modified. This will be a breaking change.

References

Relates #34460
Relates #33439

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[CbaSage]

Can confirm. It broke out deployment pipeline:

Error: changing auth_token for ElastiCache Replication Group (<rep-group-name>): InvalidParameterCombination: Auth tokens can't be enabled with a user group already associated. Pass RemoveUserGroups to proceed.
│ 	status code: 400, request id: <request-id>
│ 
│   with aws_elasticache_replication_group.this,
│   on elasticache.tf line 7, in resource "aws_elasticache_replication_group" "this":
│    7: resource "aws_elasticache_replication_group" "this" {

[jar-b]

Hey @CbaSage - this regression should have been fixed with #34600, released in v5.28.0 last night.

This issue is focused on future breaking changes for the next major release (v6.0.0). For the v5.X series, the default value will remain to keep backwards compatibility. This comment contains a more detailed explanation for this, if interested.

[priyanshur-curefit]

hi @jar-b ,
This issue is still not fixed. When i am trying to import aws_elasticache_replication_group, it automatically adds auth_token_strategy in terraform plan . I had t use lifecycle policies to ignore the change. Can we relook at this once

[chris-okorodudu]

hi @jar-b , This issue is still not fixed. When i am trying to import aws_elasticache_replication_group, it automatically adds auth_token_strategy in terraform plan . I had t use lifecycle policies to ignore the change. Can we relook at this once

I'm currently facing a similar issue when trying to import an aws_elasticache_replication_group. It automatically sets the strategy to ROTATE in the plan. Even when ignoring via lifecycle rule, it was then updated to ROTATE in my tfstate after applying and I got this error:

modifying ElastiCache Replication Group (***) authentication: InvalidParameterValue: The AUTH token modification is only supported when encryption-in-transit is enabled.

I'm not setting auth_token or auth_token_update_strategy in my configuration.