[Bug]: #35588

Closed
okonon opened this issue Jan 31, 2024 · 15 comments · Fixed by #36311 or #35236
Labels
bug Addresses a defect in current functionality. service/cognitoidp Issues and PRs that pertain to the cognitoidp service.
Comments

okonon commented Jan 31, 2024

Terraform Core Version

v1.7.2

AWS Provider Version

aws v4.64.0

Affected Resource(s)

I have following resource:

resource "aws_cognito_identity_provider" "this" {
  user_pool_id  = aws_cognito_user_pool.pool.id
  provider_name = "bh-${terraform.workspace}-saml-sso"
  provider_type = "SAML"

  provider_details = {
    IDPSignout            = "true"
    MetadataURL           = var.cognito_bh_sso_metadata_url
    SLORedirectBindingURI = var.cognito_bh_sso_login_url
    SSORedirectBindingURI = var.cognito_bh_sso_login_url
  }

  attribute_mapping = {
    "custom:Groups" = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    email           = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    family_name     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    given_name      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    name            = "http://schemas.microsoft.com/identity/claims/displayname"
  }
}

Expected Behavior

No changes should be detected.

Actual Behavior

For some reason, out of the blue, when I now run terraform apply the following changes are detected:

# module.cognito-main-user-auth.aws_cognito_identity_provider.this will be updated in-place
  ~ resource "aws_cognito_identity_provider" "this" {
        id                = "us-east-1_RplR9wClp:bh-dev-saml-sso"
      ~ provider_details  = {
          - "ActiveEncryptionCertificate" = "MIICvTCCAaWgAwIB......" -> null
            # (4 unchanged elements hidden)
        }
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

n/a

Steps to Reproduce

n/a

Debug Output

n/a

Panic Output

n/a

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@okonon okonon added the bug Addresses a defect in current functionality. label Jan 31, 2024
@github-actions github-actions bot added the service/cognitoidp Issues and PRs that pertain to the cognitoidp service. label Jan 31, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 31, 2024

finwo commented Feb 1, 2024

After testing on a non-production-environment, running apply did not brick the provider.

While annoying due to a whole lot of output, in our environment this seems an OK workaround (do keep reading the changes before saying yes, though).


Yes, reading "it works for me" can be annoying. Here's an explanation:

It's a new feature of AWS which is currently not supported by the Terraform provider. As it's a read-only value, there is also no way to update it; even if Terraform tries to do that, nothing changes. That's why you can simply ignore this drift.

@Arlington1985

It's also happening with terraform=1.6.5 and aws-provider ~> 4.56.0.

@jeff-carey

I have a PR open for our Terraform code which wrote a plan to a comment on that PR a couple of days ago, which did not exhibit that behavior. Running the PR workflow again today (the PR is still open) with the exact same version of Terraform and the AWS provider produces a different plan which does exhibit this behavior. There seems to have been a change underlying both Terraform and the AWS provider, presumably within the AWS API.

@jpiazza35

The same is happening in terraform 1.4.6.


kclarkey commented Feb 1, 2024

Seems the functionality made it out before the docs/announcement, which was just posted.

@fabio-sgro-assistdigital

Happening also with terraform v1.5(.7) and aws v5.32.1.

@jpiazza35

Should we wait for something, should we add something in the Terraform code, can we merge the code without issues?

@Arlington1985

Should we wait for something, should we add something in the Terraform code, can we merge the code without issues?

Yes, it's safe to run terraform apply.

@jeff-carey

Could someone more explicitly explain what has happened here? Why is it safe to apply? Is there a reason other than "we tried it and it didn't seem to cause any problems"?

A workaround is to explicitly specify the value for ActiveEncryptionCertificate, as in...

provider_details = {
  ...

  ActiveEncryptionCertificate = "put the certificate value observed in your plan here"
}

That'll result in a plan with no changes to that value.

@Arlington1985

It's a new feature of AWS which is currently not supported by the Terraform provider. As it's a read-only value, there is also no way to update it; even if Terraform tries to do that, nothing changes. That's why you can simply ignore this drift.

mar-pan commented Feb 6, 2024

Simple fix:

lifecycle {
  ignore_changes = [provider_details["ActiveEncryptionCertificate"]]
}

@jeff-carey

Simple fix:

lifecycle {
  ignore_changes = [provider_details["ActiveEncryptionCertificate"]]
}

Thanks for that, @mar-pan! I had already tried ignore_changes with no luck, but my syntax must have been wrong (without generating any errors). Yours works.
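The lifecycle fix from the two comments above, placed in the full resource from the original report so the block position and the map-key index syntax are unambiguous. This is an added example, not code posted in the thread; the resource, variable and claim names are the reporter's, and the reason given in the comments is what the thread states (AWS now returns a read-only ActiveEncryptionCertificate that the provider version in use does not model).

```hcl
resource "aws_cognito_identity_provider" "this" {
  user_pool_id  = aws_cognito_user_pool.pool.id
  provider_name = "bh-${terraform.workspace}-saml-sso"
  provider_type = "SAML"

  provider_details = {
    IDPSignout            = "true"
    MetadataURL           = var.cognito_bh_sso_metadata_url
    SLORedirectBindingURI = var.cognito_bh_sso_login_url
    SSORedirectBindingURI = var.cognito_bh_sso_login_url
  }

  attribute_mapping = {
    "custom:Groups" = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    email           = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    family_name     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    given_name      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    name            = "http://schemas.microsoft.com/identity/claims/displayname"
  }

  # The lifecycle block is a nested block of the resource, at the same level
  # as provider_details and attribute_mapping.
  lifecycle {
    # AWS returns ActiveEncryptionCertificate in provider_details and it is
    # read-only, so every plan proposes removing it (-> null). Ignore only that
    # single map key: ignoring the whole provider_details map would also hide
    # real changes to MetadataURL and the SSO/SLO endpoints, which are exactly
    # the values you want a plan to surface for a SAML identity provider.
    ignore_changes = [provider_details["ActiveEncryptionCertificate"]]
  }
}
```

Once the provider is upgraded to a release that models the attribute (v5.41.0 per the closing comment), the ignore_changes entry can be dropped.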


This functionality has been released in v5.41.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 14, 2024