How can I import an existing RDS instance without resetting its credentials

Hi everyone. We have an existing system under AWS that we’re trying to bring under Terraform management. Our process is pretty simple - write a resource, map it to an existing one using the import command, then tweak our code until plan isn’t intending to apply any changes anymore.

However, we ran into an issue when trying to do this with our RDS db instance. For some reason, even when terraform plan says it’s not going to apply any changes, once we run terraform apply it triggers a credentials reset. Worse, every other resource that previously worked with that db can no longer connect to it.

Our code looks something like this:

resource "aws_db_instance" "db" {
    engine   = "postgres"
    username = var.rds_username
    password = var.rds_password
    # other stuff...
}

variable "rds_username" {
    type    = string
    default = "master_username"
}

variable "rds_password" {
    type      = string
    default   = "master_password"
    sensitive = true
}

Note the username and password provided are the existing credentials, so even if terraform has some sort of automatic “reset” applied, it shouldn’t interfere with other services connecting to that DB, yet it still does. My suspicion is that terraform encrypts passwords in some form automatically, but I can’t confirm it and there’s no relevant information in the documentation. I tried creating a new dummy RDS db and importing it and I can confirm this is a consistent behavior and not something unique to our case.

Any help would be much appreciated, thanks!
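A pre-apply check for the import workflow described above, added here as an example and not the poster's code. It reads the JSON that `terraform show -json` emits for a saved plan (and for state) and reports which credential attributes of `aws_db_instance` resources differ or are only known after apply, which the human-readable plan hides behind "(sensitive value)". The sample plan and state embedded below are constructed.

```python
"""Pre-apply gate: read `terraform show -json` output and report which
credential attributes of aws_db_instance resources Terraform will change.
Added example, not the poster's code; the samples below are constructed."""
import json
import sys

# aws_db_instance attributes that touch the master credentials.
CREDENTIAL_ATTRS = ("username", "password", "manage_master_user_password")

def credential_changes(plan):
    """Map address -> {attr: reason} for each aws_db_instance whose credential
    attributes differ before/after or are only known after apply. The text
    plan masks these as "(sensitive value)"; the JSON plan has real values."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_db_instance":
            continue
        change = rc.get("change", {})
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        reasons = {}
        for attr in CREDENTIAL_ATTRS:
            if unknown.get(attr):
                reasons[attr] = "known after apply"
            elif before.get(attr) != after.get(attr):
                reasons[attr] = "value changes"
        if reasons:
            findings[rc["address"]] = reasons
    return findings

def password_in_state(state):
    """Per aws_db_instance in the root module: does state hold a password at all?"""
    resources = state.get("values", {}).get("root_module", {}).get("resources", [])
    return {r["address"]: bool(r.get("values", {}).get("password"))
            for r in resources if r.get("type") == "aws_db_instance"}

# Constructed sample: the plan keeps the username but writes the password.
SAMPLE_PLAN = {"resource_changes": [{"address": "aws_db_instance.db",
    "type": "aws_db_instance", "change": {"actions": ["update"],
    "before": {"username": "master_username", "password": None},
    "after": {"username": "master_username", "password": "master_password"},
    "after_unknown": {}}}]}
SAMPLE_STATE = {"values": {"root_module": {"resources": [{
    "address": "aws_db_instance.db", "type": "aws_db_instance",
    "values": {"username": "master_username", "password": None}}]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(json.dumps(credential_changes(plan), indent=2))
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json`, then `python gate.py plan.json`; a non-empty result means apply will touch the master credentials even if the text plan looked clean.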