This repository has been archived by the owner on Jun 27, 2021. It is now read-only.

terraform plan showing strange state differences with terraform v0.15.4 #182

Open
dlethin opened this issue Jun 13, 2021 · 0 comments
Labels
bug Something isn't working

dlethin commented Jun 13, 2021

HashiCorp released a new feature in Terraform v0.15.4 - Noting changes made outside of Terraform, and it introduces some strange behavior when using it with this gsuite provider.

I can reproduce the issue with a very simple terraform project, which looks like this:

```hcl
terraform {
  required_providers {
    gsuite = {
      source  = "DeviaVir/gsuite"
      version = "0.1.62"
    }
  }
}

locals {
  groups = {
    "group1" = [
      "email1@mycompany.com",
      "email2@mycompany.com"
    ]
  }
}

provider "gsuite" {}

resource "gsuite_group" "group" {
  for_each    = local.groups
  email       = "internal-${each.key}@mycompany.com"
  name        = "Internal Use - ${title(each.key)} Users"
  description = "Internal Use - ${title(each.key)} Users"
}

resource "gsuite_group_members" "group" {
  for_each    = local.groups
  group_email = gsuite_group.group[each.key].email
  dynamic "member" {
    for_each = toset(each.value)
    content {
      email = member.key
      role  = "MEMBER"
    }
  }
}
```

The sample project just creates a group and attaches two members to it. Running terraform apply works fine. The problem I run into is when the apply is then immediately followed by running terraform plan in which state changes immediately show up.

Here is the output of the subsequent plan:

```
✗ terraform plan
gsuite_group.group["group1"]: Refreshing state... [id=XXXXXX]
gsuite_group_members.group["group1"]: Refreshing state... [id=internal-group1@mycompany.com]
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the last "terraform apply":
  # gsuite_group.group["group1"] has been changed
  ~ resource "gsuite_group" "group" {
      + aliases              = []
      ~ direct_members_count = 0 -> 2
        id                   = "XXXXXX"
        name                 = "Internal Use - Group1 Users"
        # (4 unchanged attributes hidden)
    }
  # gsuite_group_members.group["group1"] has been changed
  ~ resource "gsuite_group_members" "group" {
        id          = "internal-group1@mycompany.com"
        # (1 unchanged attribute hidden)
      + member {
          + email  = "email1@mycompany.com"
          + etag   = "XXXXX"
          + kind   = "admin#directory#member"
          + role   = "MEMBER"
          + status = "ACTIVE"
          + type   = "USER"
        }
      - member {
          - email  = "email1@mycompany.com" -> null
          - etag   = "XXXXX" -> null
          - kind   = "admin#directory#member" -> null
          - role   = "MEMBER" -> null
          - status = "ACTIVE" -> null
          - type   = "USER" -> null
        }
      + member {
          + email  = "email2@mycompany.com"
          + etag   = "XXXXX"
          + kind   = "admin#directory#member"
          + role   = "MEMBER"
          + status = "ACTIVE"
          + type   = "USER"
        }
    }
Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
No changes. Your infrastructure matches the configuration.
Your configuration already matches the changes detected above. If you'd like to update the Terraform state to match, create and apply a refresh-only
plan:
  terraform apply -refresh-only
```

What I find confusing and strange is that while I get maybe some of the reported external changes can be explained away by the new feature, in this case it seems to be done in an inconsistent way. For example, why would the two group members be reported differently -- the first member shows an addition and then a deletion, and the second member just shows a deletion?

I would think the only thing that might reasonably change in the state is the attribute detailing the number of active members.

If I use the previous terraform version v0.15.3 for this sample project, it works the way I would expect. The project applies fine, and when I then immediately follow it with a terraform plan, there are no differences shown and the plan reports no changes.

Can this behavior be explained? Is there something this provider implementation is doing wrong that this new terraform v0.15.4 feature is now exposing? Or is there a bug in terraform v0.15.4 maybe? Or maybe there's a bug in my sample code I'm not seeing?

Thanks in advance.
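Added example, not part of the original issue or of the provider's code: a way to tell real group-membership drift (an identity-security concern) from churn in computed `member` attributes such as `etag`, by comparing only the configured fields of each block before and after. It assumes the `resource_drift` array that `terraform show -json <planfile>` emits in newer Terraform releases; the sample data, the `group2` entry and all function names are constructed for illustration.

```python
import json

def member(email, role="MEMBER", etag="etag-1"):
    # Shape of one "member" block as shown in the plan output above.
    return {"email": email, "role": role, "etag": etag,
            "kind": "admin#directory#member", "status": "ACTIVE", "type": "USER"}

# Constructed sample in the shape of the "resource_drift" array from
# `terraform show -json <planfile>`; it is not the reporter's real state.
SAMPLE_PLAN = {"resource_drift": [
    {"address": 'gsuite_group.group["group1"]', "type": "gsuite_group",
     "change": {"before": {"direct_members_count": 0},
                "after": {"direct_members_count": 2, "aliases": []}}},
    # Same two members; only the computed etag of one block differs.
    {"address": 'gsuite_group_members.group["group1"]',
     "type": "gsuite_group_members",
     "change": {"before": {"member": [member("email1@mycompany.com"),
                                      member("email2@mycompany.com")]},
                "after": {"member": [member("email1@mycompany.com", etag="etag-2"),
                                     member("email2@mycompany.com")]}}},
    # Hypothetical second group where an owner was added outside Terraform.
    {"address": 'gsuite_group_members.group["group2"]',
     "type": "gsuite_group_members",
     "change": {"before": {"member": [member("email1@mycompany.com")]},
                "after": {"member": [member("email1@mycompany.com"),
                                     member("extra@mycompany.com", role="OWNER")]}}},
]}

def identity(block):
    # Only email and role are set in the configuration; the rest is computed.
    return (block["email"].lower(), block["role"])

def membership_drift(plan):
    """Map each gsuite_group_members address to its real adds and removes."""
    report = {}
    for entry in plan.get("resource_drift", []):
        if entry.get("type") != "gsuite_group_members":
            continue
        change = entry["change"]
        before = {identity(m) for m in (change.get("before") or {}).get("member", [])}
        after = {identity(m) for m in (change.get("after") or {}).get("member", [])}
        report[entry["address"]] = {"added": sorted(after - before),
                                    "removed": sorted(before - after)}
    return report

if __name__ == "__main__":
    print(json.dumps(membership_drift(SAMPLE_PLAN), indent=2))
```

An address whose `added` and `removed` lists are both empty changed only in computed attributes; anything else is a membership or role change made outside Terraform and worth reviewing.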

DeviaVir added the bug (Something isn't working) label on Jun 14, 2021