Order lost in aws_iam_role causing endless plan updates due to ordering of principals in aws_iam_policy_document

[jw-maynard]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.1
on linux_amd64

• provider registry.terraform.io/hashicorp/archive v2.2.0
• provider registry.terraform.io/hashicorp/aws v3.70.0
• provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

• aws_iam_policy_document

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

locals {
  ingress_account_list = [
    "XXXXXXXXXXXX",
    "YYYYYYYYYYYY",
    "XXXXXXXXXXXX",
  ]
}

data "aws_iam_policy_document" "workspace_ingress_role_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = formatlist("arn:aws:iam::%s:root", local.ingress_account_list)
      type        = "AWS"
    }
  }
}

resource "aws_iam_role" "workspace_ingress" {
  name               = "aws_amp_ingest_role"
  assume_role_policy = data.aws_iam_policy_document.workspace_ingress_role_trust.json
}

output "workspace_ingress_role" {
  sensitive = false
  value     = aws_iam_role.workspace_ingress
}

Debug Output

Panic Output

Expected Behavior

When running multiple plans with no changes to the terraform code terraform should detect no changes

Actual Behavior

When running multiple plans the outputs are updated on every plan due to reordering of the principals

Steps to Reproduce

1. terraform plan
2. terraform apply
3. terraform plan

Important Factoids

References

• Order is lost for data aws_iam_policy_document when applied to S3 buckets, iam roles, kms keys, etc #11801
• AssumeRolePolicy seems to be incorrectly normalized, resulting in re-planning for "whitespace changes" #21016
• sagemaker/model_package_group_policy: Fix equivalent policy diffs #22259

[ghost]

The symptoms also occur for lists of Federated principals:

# aws_iam_role.foo has been changed
  ~ resource "aws_iam_role" "foo" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ Federated = [
                              - "arn:aws:iam::ACCOUNTID:saml-provider/saml-provider-a",
                                "arn:aws:iam::ACCOUNTID:saml-provider/saml-provider-b",
                              + "arn:aws:iam::ACCOUNTID:saml-provider/saml-provider-a",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        id                    = "foo"
        name                  = "foo"
        # (7 unchanged attributes hidden)
    }

This issue was reported here #11801 (comment) which was a big and messy issue with many different variations so was overlooked during the many related fixes that went in to v3.70

[mludvig]

Same issue described here with aws_ecr_repository_policy: https://stackoverflow.com/questions/68870558/make-terraform-ignore-the-order-of-list-items-returned-from-the-service

[AnthonyFoiani-at]

Should we continue collecting places where this bites us, or would you prefer independent bugs?

I don't think I've seen this case mentioned yet. (This was in the "changes made outside of Terraform" portion of the output.)

  ~ resource "aws_alb" "rollbar_lambda_webhook_handler_alb" {
      + desync_mitigation_mode     = "defensive"
      + drop_invalid_header_fields = false
      + enable_waf_fail_open       = false
        id                         = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/rollbar-lambda/deadbeef"
        name                       = "rollbar-lambda"
        tags                       = {}
      + tags_all                   = {}
        # (13 unchanged attributes hidden)


      + subnet_mapping {
          + subnet_id = "subnet-xxxxxxxx6742c23a4"
        }
      + subnet_mapping {
          + subnet_id = "subnet-yyyyyyyyb0c2bf4c7"
        }
      - subnet_mapping {
          - subnet_id = "subnet-xxxxxxxx6742c23a4" -> null
        }
      - subnet_mapping {
          - subnet_id = "subnet-yyyyyyyyb0c2bf4c7" -> null
        }

        # (2 unchanged blocks hidden)
    }

Edited to add: Terraform 1.1.3, AWS provider 3.72.0

[akloss-cibo]

Me too. Many differences in plan reported now that did not report differences in terraform 0.13.

Version info:

Terraform v1.1.4
on linux_amd64

• provider registry.terraform.io/alexkappa/auth0 v0.26.1
• provider registry.terraform.io/hashicorp/aws v3.74.0
• provider registry.terraform.io/hashicorp/null v3.1.0
• provider registry.terraform.io/hashicorp/random v3.1.0
• provider registry.terraform.io/integrations/github v4.19.2

[Synohara]

Hi! I've created a Pull Request to fix this Issue.
#23060

[hoxu]

I think #22314 and #22560 are also examples of diffs being shown because AWS APIs don't sort things properly.

[github-actions]

This functionality has been released in v4.23.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.