New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
date source referencing managed resource proposes unnecessary changes under 0.14 #27171
Comments
Thanks for the extensive example @jrobison-sb! The data source not being able to be read during plan does make the plan far less useful, though as things update during apply, the unknown values should resolve and cause no change to the policy. Not being able to determine this from the plan however is not optimal. This appears to be an unfortunate side effect of the resolution to #25961. Due to the amount of legacy configuration that relied on the behavior of data sources behaving the way they did, we chose to recreate that behavior in the new plan code. The reason it appears to not work in the current version, is that the often used but unintended behavior was only reliable on the first apply, and could read the incorrect data on subsequent refresh+plan cycles. Correcting that possibility leads to data sources sometimes showing more changes than they did previously. What happens now is referencing a managed resource from a data source creates an implied I believe the following should make the data source plan as expected:
I need to test some more, but I think these "implied depends_on" references are reaching out too far in some cases. While that doesn't effect this particular example, I'm going to look into that further and make sure the effect is as limited as it was intended to be. |
With the added note in the docs I'm going to close this for now. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
terraform plan
should show diffs in this IAM policy only when the ARN of this bucket changes, and in0.13.5
it works as expected.Actual Behavior
But in
0.14.0
plan diffs show that the IAM policy will be changed even when the ARN of the bucket does not change.This will be easiest to explain in the
Steps to Reproduce
section.Steps to Reproduce
0.13.5
and apply the above infrastructure, with S3 encryption commented out. It will apply as expected.plan
using0.13.5
, it will show that only one resource (the bucket) is going to change. Which is the expected behavior.terraform destroy
.0.14.0
andinit
to get set up.apply
with the S3 encryption commented out, using0.14.0
. It will apply as expected.plan
using0.14.0
. It will report that the IAM policy is going to change, even though the bucket is being updated in-place and the bucket ARN isn't going to change.The bucket will be updated in-place and it's ARN isn't going to change. So
0.14.0
should report no change to the IAM policy, the same way that0.13.5
reports no change to the IAM policy.Other factoids
This behavior isn't specific to S3 either. I was able to reproduce the same thing with an in-place change to a
aws_codepipeline
resource, for example, anddata.aws_iam_policy_document
behaved similarly to the above when it referenced the ARN of that pipeline. The S3 case is just the simplest way to reproduce this with the least amount of moving parts.Initially I opened this issue on the AWS provider. But since the behavior that I'm seeing differs between 0.13 and 0.14, it was suggested in hashicorp/terraform-provider-aws#16598 (comment) that this issue be moved over to the Terraform repo.
References
hashicorp/terraform-provider-aws#16598
The text was updated successfully, but these errors were encountered: