
Random and persistent rearrangements of objects within array of jsonencode function #29685

Closed
pantelis-karamolegkos opened this issue Oct 1, 2021 · 2 comments
Labels
bug new new issue not yet triaged

Comments

@pantelis-karamolegkos

Terraform Version

▶ tf version
Terraform v1.0.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.60.0
+ provider registry.terraform.io/hashicorp/template v2.2.0

Your version of Terraform is out of date! The latest version
is 1.0.8. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

s3_policy.json file

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Sid1",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::12345678:user/user1",
                    "${user_passed_as_variable}",
                    "arn:aws:iam::12345678:user/user2",
                    "arn:aws:iam::12345678:user/user3",
                    "arn:aws:iam::12345678:user/user4"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::${my_bucket}",
                "arn:aws:s3:::${my_bucket}/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my_bucket*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

data "template_file" "bucket_policy_template" {
  template = file("s3_policy.json")

  vars = {
    my_bucket                 = aws_s3_bucket.my_bucket.id
    user_passed_as_variable   = aws_iam_user.my_user.arn
  }
}
resource "aws_s3_bucket_policy" "my_bucket_policy" {
  policy = data.template_file.bucket_policy_template.rendered
  bucket = aws_s3_bucket.my_bucket.id
}

Expected Behavior

We were progressively upgrading the above resource from 0.11 --> 0.12 --> 0.13 --> 0.14 --> 0.15 --> 1.0.6

Despite the process running smoothly up to (and including) 0.14, the above resource started showing changes on our first plan on 0.15 (the same thing persists after moving to 1.0.6, though):

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # aws_s3_bucket_policy.my_bucket_policy has been changed
  ~ resource "aws_s3_bucket_policy" "my_bucket_policy" {
        id     = "my-bucket-policy"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ NotPrincipal = {
                          ~ AWS = [
                              - "arn:aws:iam::12345678:user/user1",
                              - "arn:aws:iam::12345678:user/user-passed-as-variable",
                              + "arn:aws:iam::12345678:user/user2",
                                "arn:aws:iam::12345678:user/user4",
                              + "arn:aws:iam::12345678:user/user-passed-as-variable",
                                "arn:aws:iam::12345678:user/user3",
                              - "arn:aws:iam::12345678:user/user2",
                              + "arn:aws:iam::12345678:user/user1",
                            ]
                        }
                        # (4 unchanged elements hidden)
                    },
                    {
                        Action    = "s3:*"
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Deny"
                        Principal = "*"
                        Resource  = "arn:aws:s3:::my-bucket/*"
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.

This seems IMPOSSIBLE to align no matter what

(we have tried apply, apply --refresh-only, several permutations of the list in the json array holding the users...)

@pantelis-karamolegkos pantelis-karamolegkos added bug new new issue not yet triaged labels Oct 1, 2021
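The drift shown in the plan above is a reordering of the `NotPrincipal.AWS` list: the same five ARNs come back from AWS in a different order, and `jsonencode` compares arrays positionally, so every refresh reports a change. What a reviewer needs to know in that situation is whether the stored policy still grants and denies exactly what was written, because a `Deny` with `NotPrincipal` is only as safe as its exemption list. The following is an added example, not code from this issue, from Terraform or from the AWS provider: it canonicalises the IAM fields that AWS treats as unordered sets (`Action`, `Resource`, the `AWS`/`Service`/`Federated` principal lists, and the `Statement` array) and then compares the documents, so a pure reorder reads as equivalent while a dropped or added principal is reported. The account id, bucket name and ARNs are constructed from the issue's template with the variables filled in by hand; the set of keys treated as unordered is an assumption covering the common IAM keys only.

```python
"""Order-insensitive comparison of IAM policy documents.

Added example, not code from the Terraform issue or from HashiCorp/AWS.
AWS stores a bucket policy in its own normalised form, so the principal
list in a NotPrincipal block can come back in a different order than the
one written in the template; Terraform's jsonencode diff is order
sensitive and reports that as drift.  The helpers below canonicalise the
string-or-list fields that AWS treats as unordered sets, so that a pure
reordering compares as "no change" while a real edit to the principal
list is reported.  The sample policies are constructed from the issue's
template with the variables filled in by hand.
"""
import json
from typing import Any, Optional, Set, Tuple

# Policy keys whose values may be a single string or a list and which AWS
# treats as unordered sets (assumption: the common IAM keys only).
SET_LIKE_KEYS = {"Action", "NotAction", "Resource", "NotResource",
                 "AWS", "Service", "Federated", "CanonicalUser"}


def _as_set_list(value: Any) -> list:
    """Normalise a string-or-list value to a sorted, de-duplicated list."""
    if isinstance(value, str):
        return [value]
    return sorted(set(value))


def canonicalize(node: Any, key: Optional[str] = None) -> Any:
    """Recursively rewrite a policy document into a canonical form.

    - set-like string-or-list fields become sorted lists
    - a lone Statement object becomes a one-element list
    - dict keys are sorted and the Statement list is sorted by its
      serialised form, since statement order carries no meaning in IAM
    """
    if key in SET_LIKE_KEYS:
        return _as_set_list(node)
    if key == "Statement" and isinstance(node, dict):
        node = [node]
    if isinstance(node, dict):
        return {k: canonicalize(v, k) for k, v in sorted(node.items())}
    if isinstance(node, list):
        items = [canonicalize(v) for v in node]
        if key == "Statement":
            items.sort(key=lambda s: json.dumps(s, sort_keys=True))
        return items
    return node  # strings, numbers and booleans pass through unchanged


def _load(doc: Any) -> dict:
    """Accept either a JSON string (as stored in Terraform state) or a dict."""
    return json.loads(doc) if isinstance(doc, str) else doc


def policies_equivalent(a: Any, b: Any) -> bool:
    """True when the two documents differ only in ordering or whitespace."""
    return canonicalize(_load(a)) == canonicalize(_load(b))


def _principals(doc: dict) -> Set[str]:
    """Collect every principal named in Principal/NotPrincipal blocks."""
    found: Set[str] = set()
    for stmt in canonicalize(doc)["Statement"]:
        for field in ("Principal", "NotPrincipal"):
            value = stmt.get(field)
            if isinstance(value, dict):
                for arns in value.values():
                    found.update(arns if isinstance(arns, list) else [arns])
            elif value is not None:
                found.add(value)
    return found


def principal_diff(a: Any, b: Any) -> Tuple[Set[str], Set[str]]:
    """(removed, added) principals when going from policy a to policy b."""
    pa, pb = _principals(_load(a)), _principals(_load(b))
    return pa - pb, pb - pa


# --- constructed sample data, mirroring the issue's rendered template ---
_ACCOUNT = "12345678"  # placeholder account id taken from the issue
_USERS = [f"arn:aws:iam::{_ACCOUNT}:user/{u}" for u in
          ("user1", "user-passed-as-variable", "user2", "user3", "user4")]


def _policy(not_principals: list) -> str:
    """Constructed policy: the issue's template with its variables filled in."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Sid1", "Effect": "Deny",
             "NotPrincipal": {"AWS": not_principals},
             "Action": "s3:*",
             "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": "arn:aws:s3:::my-bucket/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    })


POLICY_AS_WRITTEN = _policy(_USERS)
# Same principals in the order the plan output above shows AWS returning them.
POLICY_AS_RETURNED = _policy([_USERS[2], _USERS[4], _USERS[1], _USERS[3], _USERS[0]])
# A real change: user3 dropped from the NotPrincipal exemption list.
POLICY_TAMPERED = _policy([u for u in _USERS if not u.endswith("user3")])

if __name__ == "__main__":
    print("reorder only :", policies_equivalent(POLICY_AS_WRITTEN, POLICY_AS_RETURNED))
    print("tampered     :", policies_equivalent(POLICY_AS_WRITTEN, POLICY_TAMPERED))
    print("removed/added:", principal_diff(POLICY_AS_WRITTEN, POLICY_TAMPERED))
```

Run against the state from the plan above, `policies_equivalent` returns true for the reordered document and `principal_diff` is empty, which is the evidence that the perpetual diff is cosmetic and that applying it cannot widen or narrow the deny. The comparison is deliberately syntactic per element: it does not treat `"Principal": "*"` and `{"AWS": "*"}` as the same thing, and it leaves `Condition` value lists in their written order, so a difference it reports is always worth a human look.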
@jbardin
Member

jbardin commented Oct 1, 2021

Hello,

This appears to be an issue or question with the AWS provider, not with Terraform itself. You can see existing issues and file a new one in their repository here: https://github.com/hashicorp/terraform-provider-aws/issues. If you have questions about Terraform or the AWS provider, it's better to use the community forum where there are more people ready to help. The GitHub issues here are monitored only by our few core maintainers.

Looking at the open issue in the provider, it looks like they have an issue open already for this particular resource: hashicorp/terraform-provider-aws#19627

Thanks!

@jbardin jbardin closed this as completed Oct 1, 2021
@github-actions

github-actions bot commented Nov 1, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 1, 2021