aws_fms_policy will not remove last account from include_map:account #25865

Open
joshgch opened this issue Jul 18, 2022 · 1 comment
Labels
bug: Addresses a defect in current functionality.
service/fms: Issues and PRs that pertain to the fms service.

Comments

joshgch commented Jul 18, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.2.2
provider registry.terraform.io/hashicorp/aws v4.22.0

Affected Resource(s)

  • aws_fms_policy

Expected Behavior

Removing accounts from include_map:account should result in the removal of all of those accounts.

Actual Behavior

The plan shows the removal but after a successful apply, no change is actually made.

  include_map {
    account = []
    orgunit = [
      "ou-********"
    ]
  }

Terraform will perform the following actions:

  # aws_fms_policy.waf will be updated in-place
  ~ resource "aws_fms_policy" "waf" {
        id                                 = "*******"
        name                               = "waf"
        # (* unchanged attributes hidden)


      ~ include_map {
          ~ account = [
              - "1234567890",
            ]
            # (1 unchanged attribute hidden)
        }

        # (* unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

After running the apply, the account is never removed. Subsequent attempts to apply will perform the same action. Removing the account manually from the AWS console will result in no changes found by Terraform.

Steps to Reproduce

  1. Using aws_fms_policy specify both an account and an ou in include_map
  2. Terraform apply
  3. Remove the account from include_map
  4. Terraform apply
  5. Validate that the account is not actually removed

github-actions bot added the needs-triage and service/fms labels Jul 18, 2022
justinretzolk added the bug label and removed the needs-triage label Jul 21, 2022
srinisakh commented Sep 19, 2023

This happens with exclude_map too.
Tested with the following versions:

Terraform v1.5.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.67.0

and

Terraform v1.5.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.17.0
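
A post-apply check for the behaviour reported in this thread, as an added example (not code from the issue or from the provider): it compares the intended include_map and exclude_map with the scope found in an `aws fms get-policy` response, so a "successful" apply that left an account in scope is caught. The function name `scope_drift`, the sample response and all IDs are constructed for illustration.

```python
import json

# Terraform block keys (as written on this page) -> FMS API map keys.
TF_TO_API = {"account": "ACCOUNT", "orgunit": "ORG_UNIT"}

# Constructed sample: what the configuration asks for after the account is removed.
INTENDED = {
    "include_map": {"account": [], "orgunit": ["ou-example-11111111"]},
    "exclude_map": {},
}

# Constructed sample of `aws fms get-policy --policy-id <policy-id>` output
# after the apply: the account is still listed in IncludeMap.
SAMPLE_RESPONSE = json.loads("""
{"Policy": {"PolicyName": "waf",
            "IncludeMap": {"ACCOUNT": ["111111111111"],
                           "ORG_UNIT": ["ou-example-11111111"]}}}
""")


def scope_drift(intended, get_policy_response):
    """Return (tf_map, tf_key, kind, ids) tuples; an empty list means no drift.

    kind is "still_present" for IDs the API has but the configuration dropped,
    and "missing" for IDs the configuration has but the API does not.
    """
    policy = get_policy_response["Policy"]
    findings = []
    for tf_map, api_map in (("include_map", "IncludeMap"),
                            ("exclude_map", "ExcludeMap")):
        want_map = intended.get(tf_map) or {}
        have_map = policy.get(api_map) or {}   # absent map == empty scope list
        for tf_key, api_key in TF_TO_API.items():
            want = set(want_map.get(tf_key) or [])
            have = set(have_map.get(api_key) or [])
            if have - want:
                findings.append((tf_map, tf_key, "still_present", sorted(have - want)))
            if want - have:
                findings.append((tf_map, tf_key, "missing", sorted(want - have)))
    return findings


if __name__ == "__main__":
    drift = scope_drift(INTENDED, SAMPLE_RESPONSE)
    for tf_map, tf_key, kind, ids in drift:
        print(f"{tf_map}.{tf_key}: {kind}: {', '.join(ids)}")
    raise SystemExit(1 if drift else 0)
```

Run after `terraform apply` in a pipeline, a non-zero exit flags a policy whose real scope differs from the configuration, which the plan and apply output alone do not reveal here.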
