diff --git a/redshift/resource_redshift_user.go b/redshift/resource_redshift_user.go index 2a05eac..f1aae44 100644 --- a/redshift/resource_redshift_user.go +++ b/redshift/resource_redshift_user.go @@ -57,8 +57,10 @@ Amazon Redshift user accounts can only be created and dropped by a database supe }, CustomizeDiff: func(_ context.Context, d *schema.ResourceDiff, p interface{}) error { isSuperuser := d.Get(userSuperuserAttr).(bool) + isPasswordKnown := d.NewValueKnown(userPasswordAttr) + password, hasPassword := d.GetOk(userPasswordAttr) - if isSuperuser && (!hasPassword || password.(string) == "") { + if isSuperuser && isPasswordKnown && (!hasPassword || password.(string) == "") { return fmt.Errorf("Users that are superusers must define a password.") } diff --git a/redshift/resource_redshift_user_test.go b/redshift/resource_redshift_user_test.go index 3d73b49..669c1cd 100644 --- a/redshift/resource_redshift_user_test.go +++ b/redshift/resource_redshift_user_test.go @@ -11,6 +11,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" ) @@ -228,6 +229,62 @@ resource "redshift_user" "superuser" { }) } +func TestAccRedshiftUser_SuperuserUnknownPassword(t *testing.T) { + userName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_superuser"), "-", "_") + config := fmt.Sprintf(` +resource "redshift_user" "superuser" { + name = %[1]q + superuser = true + password = unknown_string.password.result +} + +resource "unknown_string" "password" {} +`, userName) + + // unknownProvider is a mock provider that generates computed values that are unknown at plan time + // It simulates the behavior of the `random_password` resource + unknownProvider := &schema.Provider{ + Schema: map[string]*schema.Schema{}, + ResourcesMap: map[string]*schema.Resource{ + "unknown_string": { + Schema: map[string]*schema.Schema{ + "result": { + Type: schema.TypeString, + Computed: true, + }, + }, + Create: func(d *schema.ResourceData, meta interface{}) error { + d.SetId("test") + d.Set("result", "TestPassword123") + return nil + }, + Read: func(d *schema.ResourceData, meta interface{}) error { + return nil + }, + Delete: func(d *schema.ResourceData, meta interface{}) error { + return nil + }, + }, + }, + } + + providers := map[string]*schema.Provider{ + "unknown": unknownProvider, + "redshift": testAccProvider, + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: providers, + CheckDestroy: testAccCheckRedshiftUserDestroy, + Steps: []resource.TestStep{ + { + Config: config, + }, + }, + }) +} + func testAccCheckRedshiftUserDestroy(s *terraform.State) error { client := testAccProvider.Meta().(*Client)