hashicorp · eugercek · Nov 9, 2024 · Nov 9, 2024 · Nov 10, 2024 · Nov 10, 2024
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_key_pair: Import of aws_key_pair includes key pair, fixes recreation.
+```
@@ -4,7 +4,6 @@
 package ec2
 
 import (
-	"bytes"
 	"context"
 	"log"
 	"strings"
@@ -24,7 +23,6 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"github.com/hashicorp/terraform-provider-aws/names"
-	"golang.org/x/crypto/ssh"
 )
 
 // @SDKResource("aws_key_pair", name="Key Pair")
@@ -81,9 +79,10 @@ func resourceKeyPair() *schema.Resource {
 				Computed: true,
 			},
 			names.AttrPublicKey: {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: verify.SuppressEquivalentOpenSSHPublicKeyDiffs,
 				StateFunc: func(v interface{}) string {
 					switch v := v.(type) {
 					case string:
@@ -150,6 +149,7 @@ func resourceKeyPairRead(ctx context.Context, d *schema.ResourceData, meta inter
 	d.Set("key_name_prefix", create.NamePrefixFromName(aws.ToString(keyPair.KeyName)))
 	d.Set("key_pair_id", keyPair.KeyPairId)
 	d.Set("key_type", keyPair.KeyType)
+	d.Set(names.AttrPublicKey, keyPair.PublicKey)
 
 	setTagsOut(ctx, keyPair.Tags)
 
@@ -179,21 +179,3 @@ func resourceKeyPairDelete(ctx context.Context, d *schema.ResourceData, meta int
 
 	return diags
 }
-
-// OpenSSHPublicKeysEqual returns whether or not two OpenSSH public key format strings represent the same key.
-// Any key comment is ignored when comparing values.
-func openSSHPublicKeysEqual(v1, v2 string) bool {
-	key1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(v1))
-
-	if err != nil {
-		return false
-	}
-
-	key2, _, _, _, err := ssh.ParseAuthorizedKey([]byte(v2))
-
-	if err != nil {
-		return false
-	}
-
-	return key1.Type() == key2.Type() && bytes.Equal(key1.Marshal(), key2.Marshal())
-}
@@ -10,7 +10,7 @@ import (
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
-	tfec2 "github.com/hashicorp/terraform-provider-aws/internal/service/ec2"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
@@ -82,7 +82,7 @@ func TestAccEC2KeyPairDataSource_includePublicKey(t *testing.T) {
 					resource.TestCheckResourceAttrPair(dataSource1Name, "key_name", resourceName, "key_name"),
 					resource.TestCheckResourceAttrPair(dataSource1Name, "key_pair_id", resourceName, "key_pair_id"),
 					resource.TestCheckResourceAttrWith(dataSource1Name, names.AttrPublicKey, func(v string) error {
-						if !tfec2.OpenSSHPublicKeysEqual(v, publicKey) {
+						if !verify.SuppressEquivalentOpenSSHPublicKeyDiffs("", v, publicKey, nil) {
 							return fmt.Errorf("Attribute 'public_key' expected %q, not equal to %q", publicKey, v)
 						}
 

@@ -17,6 +17,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	tfec2 "github.com/hashicorp/terraform-provider-aws/internal/service/ec2"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
@@ -45,14 +46,19 @@ func TestAccEC2KeyPair_basic(t *testing.T) {
 					resource.TestMatchResourceAttr(resourceName, "fingerprint", regexache.MustCompile(`[0-9a-f]{2}(:[0-9a-f]{2}){15}`)),
 					resource.TestCheckResourceAttr(resourceName, "key_name", rName),
 					resource.TestCheckResourceAttr(resourceName, "key_name_prefix", ""),
-					resource.TestCheckResourceAttr(resourceName, names.AttrPublicKey, publicKey),
+					resource.TestCheckResourceAttrWith(resourceName, names.AttrPublicKey, func(v string) error {
+						if !verify.SuppressEquivalentOpenSSHPublicKeyDiffs("", v, publicKey, nil) {
+							return fmt.Errorf("Attribute 'public_key' expected %q, not equal to %q", publicKey, v)
+						}
+
+						return nil
+					}),
 				),
 			},
 			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{names.AttrPublicKey},
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 		},
 	})
@@ -81,13 +87,19 @@ func TestAccEC2KeyPair_tags(t *testing.T) {
 					testAccCheckKeyPairExists(ctx, resourceName, &keyPair),
 					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "1"),
 					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsKey1, acctest.CtValue1),
+					resource.TestCheckResourceAttrWith(resourceName, names.AttrPublicKey, func(v string) error {
+						if !verify.SuppressEquivalentOpenSSHPublicKeyDiffs("", v, publicKey, nil) {
+							return fmt.Errorf("Attribute 'public_key' expected %q, not equal to %q", publicKey, v)
+						}
+
+						return nil
+					}),
 				),
 			},
 			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{names.AttrPublicKey},
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 			{
 				Config: testAccKeyPairConfig_tags2(rName, publicKey, acctest.CtKey1, acctest.CtValue1Updated, acctest.CtKey2, acctest.CtValue2),
@@ -132,13 +144,19 @@ func TestAccEC2KeyPair_nameGenerated(t *testing.T) {
 					testAccCheckKeyPairExists(ctx, resourceName, &keyPair),
 					acctest.CheckResourceAttrNameGenerated(resourceName, "key_name"),
 					resource.TestCheckResourceAttr(resourceName, "key_name_prefix", "terraform-"),
+					resource.TestCheckResourceAttrWith(resourceName, names.AttrPublicKey, func(v string) error {
+						if !verify.SuppressEquivalentOpenSSHPublicKeyDiffs("", v, publicKey, nil) {
+							return fmt.Errorf("Attribute 'public_key' expected %q, not equal to %q", publicKey, v)
+						}
+
+						return nil
+					}),
 				),
 			},
 			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{names.AttrPublicKey},
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 		},
 	})
@@ -166,13 +184,19 @@ func TestAccEC2KeyPair_namePrefix(t *testing.T) {
 					testAccCheckKeyPairExists(ctx, resourceName, &keyPair),
 					acctest.CheckResourceAttrNameFromPrefix(resourceName, "key_name", "tf-acc-test-prefix-"),
 					resource.TestCheckResourceAttr(resourceName, "key_name_prefix", "tf-acc-test-prefix-"),
+					resource.TestCheckResourceAttrWith(resourceName, names.AttrPublicKey, func(v string) error {
+						if !verify.SuppressEquivalentOpenSSHPublicKeyDiffs("", v, publicKey, nil) {
+							return fmt.Errorf("Attribute 'public_key' expected %q, not equal to %q", publicKey, v)
+						}
+
+						return nil
+					}),
 				),
 			},
 			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{names.AttrPublicKey},
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
 			},
 		},
 	})

@@ -253,7 +253,6 @@ var (
 	NewAttributeFilterList                                     = newAttributeFilterList
 	NewCustomFilterList                                        = newCustomFilterList
 	NewTagFilterList                                           = newTagFilterList
-	OpenSSHPublicKeysEqual                                     = openSSHPublicKeysEqual
 	ParseInstanceType                                          = parseInstanceType
 	ProtocolForValue                                           = protocolForValue
 	ProtocolStateFunc                                          = protocolStateFunc

@@ -5477,7 +5477,8 @@ func findKeyPairs(ctx context.Context, conn *ec2.Client, input *ec2.DescribeKeyP
 
 func findKeyPairByName(ctx context.Context, conn *ec2.Client, name string) (*awstypes.KeyPairInfo, error) {
 	input := &ec2.DescribeKeyPairsInput{
-		KeyNames: []string{name},
+		KeyNames:         []string{name},
+		IncludePublicKey: aws.Bool(true),
 	}
 
 	output, err := findKeyPair(ctx, conn, input)

@@ -0,0 +1,28 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package verify
+
+import (
+	"bytes"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"golang.org/x/crypto/ssh"
+)
+
+// SuppressEquivalentOpenSSHPublicKeyDiffs returns whether two OpenSSH public key format strings represent the same key.
+// Any key comment is ignored when comparing values.
+func SuppressEquivalentOpenSSHPublicKeyDiffs(k, old, new string, d *schema.ResourceData) bool {
+	oldKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(old))
+	if err != nil {
+		return false
+	}
+
+	newKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(new))
+
+	if err != nil {
+		return false
+	}
+
+	return oldKey.Type() == newKey.Type() && bytes.Equal(oldKey.Marshal(), newKey.Marshal())
+}
@@ -64,5 +64,3 @@ Using `terraform import`, import Key Pairs using the `key_name`. For example:
 ```console
 % terraform import aws_key_pair.deployer deployer-key
 ```
-
-~> **NOTE:** The AWS API does not include the public key in the response, so `terraform apply` will attempt to replace the key pair. There is currently no supported workaround for this limitation.