Unhelpful "changes made outside of terraform" due to AWS vs tf representation in 1.0 #20107
Comments
Potentially related: jen20/awspolicyequivalence#10.
For JSON objects you should be doing a JSON diff and not a text diff. That would take care of this. In JSON there is no difference for something like this:
The list is the same but it comes out in a different order. But JSON doesn't care about the order, so neither should the AWS Terraform provider.
This core bug report is also related: hashicorp/terraform#28803
I'm seeing what might be a related issue with
This is not true, unfortunately. The
So a JSON diff should show a difference if the order of elements in a list/array changes. The problem isn't that Terraform is detecting a difference; the problem is that AWS isn't respecting the order of elements that are provided in a policy and IAM is re-ordering them as it pleases. I.e. AWS is modifying the policy document on its own and Terraform is just detecting the change.
Similar error with AWS WAF
Hey all,
Here's a new, particularly useless example from AWS provider 3.64.0:
That is: there were no changes!
This has not been fixed. It's better now, but I still see plenty of:
We still have this issue with Terraform 1.1.7, Provider AWS 4.8.0. The issue is on
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
I'm filing this as a bug report, though perhaps it's a feature request.
Terraform 1.0 warns the user when a resource has been changed outside of Terraform. In some cases, I'm seeing differences that are semantically equivalent. This looks to be due to the AWS provider's representation differing from the AWS API's representation. As a result, Terraform seems to always think someone has changed the resources. This significantly reduces the utility of the outside-changes feature.
The referenced issue contains a Terraform core issue about the lexicographic iteration behavior of jsonencode. In the case of the policy document, this is probably the cause.
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
aws_iam_policy_document
aws_s3_bucket
(probably any resource which supports optional tags?)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
Sample for IAM:
Sample for S3:
Expected Behavior
An empty tags map or a re-ordered list in a policy shouldn't count as an outside change, since there is no semantic difference.
Actual Behavior
Terraform produces copious details on changes which aren't really changes:
Steps to Reproduce
terraform apply
terraform plan
Important Factoids
References