Terraform-provider-aws: `aws_ssm_parameter` does not support changing type from SecureString => String

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13

• provider.aws v2.7.0

Affected Resource(s)

• aws_ssm_parameter

Terraform Configuration Files

This is the original TF code that generated the resource to begin with.

# Original Resource Code
resource "aws_ssm_parameter" "my_param" {
  name        = "my_param"
  description = "This is not really a secret."
  type        = "SecureString"
  value       = "SomeValue"
  overwrite   = true
}

The issue comes up when I update that code to be the following:

# Updated Resource Code
resource "aws_ssm_parameter" "my_param" {
  name        = "my_param"
  description = "This is not really a secret."
  type        = "String"
  value       = "SomeValue"
  overwrite   = true
}

The only change is the type.

Debug Output

I'm going to skip the debug output here, unless requested. The root cause is
relatively plain to see, and the incidence of this I'm working with locally
contains secret values.

Panic Output

Expected Behavior

I would expect that the SSM parameter type would be updated to the String type,
as supported by the SSM put-parameter API.

Actual Behavior

The provider forwards along the original key_id value originally set by TF
(alias/aws/ssm by default). However, that value should not be included in the
API request for a String type, only SecureString. So the AWS API complains,
and does not update the parameter.

The result is the error seen here:

* aws_ssm_parameter.my_param: 1 error(s) occurred:

* aws_ssm_parameter.my_param: error creating SSM parameter: ValidationException: KeyId is required for SecureString type parameter only.
    status code: 400, request id: d0b01305-01a9-478e-8e7f-e94cedd27541

Steps to Reproduce

1. terraform apply of original resource code above.
2. Update original code to the Updated snippet provided.
3. terraform apply again.

Important Factoids

I think that the fix for this may be as simple as modifying this conditional:
https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_ssm_parameter.go#L214

I think it should only set the keyID on the request If, and only If, the Type
on the request is SecureString.

The PutParameter API call does support updating the type from SecureString to
String, but it will always complain if key_id is set in the request but the
type is not SecureString.

References

• #0000