[Bug]: Changes planned when no actual changes made #29393
Comments
speller
added
bug
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
github-actions
bot
added
service/elasticsearch
|
Hey @speller 👋 Thank you for taking the time to raise this! It's a bit difficult to say with certainty, as I'm having a bit of a hard time understanding how your configurations / modules are arranged, however, I believe this likely comes down to data resource behavior. When a data source is dependent on another object that has planned changes, the read is deferred until apply time. Any resource that then depend on that data source will show changes with |
justinretzolk
added
waiting-response
|
@justinretzolk But the issue also relates to aws_iam_policy_document and aws_iam_policy documents. The aws_iam_policy_document data resource is not dependent on anything, it's static data. Why it is planned to be changed? |
github-actions
bot
removed
the
waiting-response
|
Hey @speller 👋 Based on the output, it would appear that the module that contains the The $ tree .
.
├── main.tf
└── modules
├── null
│ └── main.tf
└── policy
└── main.tfThe contents of each of the files appears like so:
resource "null_resource" "null" {}
data "aws_iam_policy_document" "my_policy" {
statement {
sid = "AllowManageOwnVirtualMFADevice"
effect = "Allow"
actions = [
"iam:CreateVirtualMFADevice",
]
resources = [
"arn:aws:iam::*:mfa/*",
"arn:aws:iam::*:u2f/*"
]
}
}
output "test" {
value = data.aws_iam_policy_document.my_policy.json
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.54.0"
}
null = {
source = "hashicorp/null"
version = "3.2.1"
}
}
}
module "null" {
source = "./modules/null"
}
module "policy" {
source = "./modules/policy"
# Note that this depends_on is commented out. We'll uncomment this later to introduce a dependency
# between the two modules.
# depends_on = [
# module.null
# ]
}
output "test" {
value = module.policy.test
}With the reproduction set up this way, there is no dependency between the $ terraform plan
module.policy.data.aws_iam_policy_document.my_policy: Reading...
module.policy.data.aws_iam_policy_document.my_policy: Read complete after 0s [id=2835584606]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
+ create
Terraform will perform the following actions:
# module.null.null_resource.null will be created
+ resource "null_resource" "null" {
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ test = jsonencode(
{
+ Statement = [
+ {
+ Action = "iam:CreateVirtualMFADevice"
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:iam::*:u2f/*",
+ "arn:aws:iam::*:mfa/*",
]
+ Sid = "AllowManageOwnVirtualMFADevice"
},
]
+ Version = "2012-10-17"
}
)Note that the output shows the policy as you would expect, read during plan time. Next, we'll uncomment the $ terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.null.null_resource.null will be created
+ resource "null_resource" "null" {
+ id = (known after apply)
}
# module.policy.data.aws_iam_policy_document.my_policy will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "my_policy" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "iam:CreateVirtualMFADevice",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:iam::*:mfa/*",
+ "arn:aws:iam::*:u2f/*",
]
+ sid = "AllowManageOwnVirtualMFADevice"
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ test = (known after apply)Note that in this case, due to the module that contains the |
|
Thank you for the explanation! |
|
I can definitely see your opinion there @speller. Truthfully, that bit comes down to Terraform Core functionality rather than something specific to the AWS Provider, so it may be worth raising an issue on that repository if you'd like to have someone from the Core team take a look and give you more pointed feedback on the design choices there. In the meantime, is there any additional help we can provide from the AWS Provider side on this particular issue, or would you feel comfortable with closing this one out? |
|
Given the conversation in the linked thread in |
|
Warning This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform Core Version
1.3.8
AWS Provider Version
4.54.0
Affected Resource(s)
No response
Expected Behavior
No changes planned when no changes made in the configuration.
Actual Behavior
On every plan or apply on the same configuration, I have the following plan and it never disappears:
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Steps to Reproduce
apply command
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: