From 3ab5c630bda210ad47a553d4c75732dda7fd5ec2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Can=C3=A9vet?=
 <mickael.canevet@camptocamp.com>
Date: Tue, 13 Dec 2016 11:31:32 +0100
Subject: [PATCH 1/2] Don't remove secret, just deprecate it

---
 builtin/providers/aws/resource_aws_iam_access_key.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/builtin/providers/aws/resource_aws_iam_access_key.go b/builtin/providers/aws/resource_aws_iam_access_key.go
index 3aaf64ee9..4a8dd3d3d 100644
--- a/builtin/providers/aws/resource_aws_iam_access_key.go
+++ b/builtin/providers/aws/resource_aws_iam_access_key.go
@@ -72,6 +72,10 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
 		)
 	}
 
+	if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
+		return err
+	}
+
 	d.SetId(*createResp.AccessKey.AccessKeyId)
 
 	if createResp.AccessKey == nil || createResp.AccessKey.SecretAccessKey == nil {

From 72885c6736af56e2b709b05ef9d8408d8a365991 Mon Sep 17 00:00:00 2001
From: clint shryock <clint@ctshryock.com>
Date: Tue, 13 Dec 2016 09:32:04 -0600
Subject: [PATCH 2/2] provider/aws: Save secret to state in iam_access_key if
 pgp key not found

---
 builtin/providers/aws/resource_aws_iam_access_key.go      | 8 ++++----
 builtin/providers/aws/resource_aws_iam_access_key_test.go | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/builtin/providers/aws/resource_aws_iam_access_key.go b/builtin/providers/aws/resource_aws_iam_access_key.go
index 4a8dd3d3d..515069c03 100644
--- a/builtin/providers/aws/resource_aws_iam_access_key.go
+++ b/builtin/providers/aws/resource_aws_iam_access_key.go
@@ -72,10 +72,6 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
 		)
 	}
 
-	if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
-		return err
-	}
-
 	d.SetId(*createResp.AccessKey.AccessKeyId)
 
 	if createResp.AccessKey == nil || createResp.AccessKey.SecretAccessKey == nil {
@@ -95,6 +91,10 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
 
 		d.Set("key_fingerprint", fingerprint)
 		d.Set("encrypted_secret", encrypted)
+	} else {
+		if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
+			return err
+		}
 	}
 
 	d.Set("ses_smtp_password",
diff --git a/builtin/providers/aws/resource_aws_iam_access_key_test.go b/builtin/providers/aws/resource_aws_iam_access_key_test.go
index 9c8ff2bfa..280b31e9f 100644
--- a/builtin/providers/aws/resource_aws_iam_access_key_test.go
+++ b/builtin/providers/aws/resource_aws_iam_access_key_test.go
@@ -29,6 +29,7 @@ func TestAccAWSAccessKey_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSAccessKeyExists("aws_iam_access_key.a_key", &conf),
 					testAccCheckAWSAccessKeyAttributes(&conf),
+					resource.TestCheckResourceAttrSet("aws_iam_access_key.a_key", "secret"),
 				),
 			},
 		},