awscc_ec2_verified_access_trust_provider: resource gets replaced with every apply even with no changes

[takeauk]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.8.2
on linux_amd64
provider registry.terraform.io/hashicorp/awscc v0.76.0

Affected Resource(s)

• awscc_ec2_verified_access_trust_provider

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_ec2_verified_access_trust_provider" "example" {
  policy_reference_name    = "example"
  description              = "example"
  trust_provider_type      = "user"
  user_trust_provider_type = "oidc"
  oidc_options = {
    authorization_endpoint = "https://example.com/oauth2/v1/authorize"
    client_id              = "example"
    client_secret          = "example"
    issuer                 = "https://example.com"
    scope                  = "openid"
    token_endpoint         = "https://example.com/oauth2/v1/token"
    user_info_endpoint     = "https://example.com/oauth2/v1/userinfo"
  }
}

Debug Output

  # awscc_ec2_verified_access_trust_provider.example must be replaced
-/+ resource "awscc_ec2_verified_access_trust_provider" "example" {
      ~ creation_time                     = "2024-05-07T16:46:59" -> (known after apply)
      + device_options                    = (known after apply) # forces replacement
      + device_trust_provider_type        = (known after apply) # forces replacement
      ~ id                                = "vatp-0b114616efb5af43c" -> (known after apply)
      ~ last_updated_time                 = "2024-05-07T16:46:59" -> (known after apply)
      ~ oidc_options                      = {
          ~ client_secret          = "REDACTED" -> "example"
            # (6 unchanged attributes hidden)
        }
      ~ sse_specification                 = {
          ~ customer_managed_key_enabled = false -> (known after apply)
          + kms_key_arn                  = (known after apply)
        } -> (known after apply)
      + tags                              = (known after apply)
      ~ verified_access_trust_provider_id = "vatp-0b114616efb5af43c" -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Panic Output

Expected Behavior

No changes detected for the awscc_ec2_verified_access_trust_provider resource and no replace.

Actual Behavior

Configuring a User-identity Trust Provider results in differences being detected in the options specified each time the Device-based Trust Provider is configured, leading to resource replacement.

Steps to Reproduce

1. terraform apply
2. terraform plan

Important Factoids

References

[wellsiau-aws]

Both attributes below force replacement:

      + device_options                    = (known after apply) # forces replacement
      + device_trust_provider_type        = (known after apply) # forces replacement

Both attributes were stored as null in the Terraform state:

      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "creation_time": "2024-05-09T04:58:15",
            "description": "example",
            "device_options": null,
            "device_trust_provider_type": null,
. . .

And these attributes value was not returned by CCAPI GetResource:

aws cloudcontrol get-resource --type-name AWS::EC2::VerifiedAccessTrustProvider --identifier vatp-078150eb8cbc67b09 | jq -r ".ResourceDescription.Properties" | jq "."
{
  "PolicyReferenceName": "example",
  "Description": "example",
  "OidcOptions": {
    "TokenEndpoint": "https://example.com/oauth2/v1/token",
    "Scope": "openid",
    "Issuer": "https://example.com",
    "ClientSecret": "REDACTED",
    "UserInfoEndpoint": "https://example.com/oauth2/v1/userinfo",
    "ClientId": "example",
    "AuthorizationEndpoint": "https://example.com/oauth2/v1/authorize"
  },
  "VerifiedAccessTrustProviderId": "vatp-078150eb8cbc67b09",
  "CreationTime": "2024-05-09T04:58:15",
  "TrustProviderType": "user",
  "LastUpdatedTime": "2024-05-09T04:58:15",
  "SseSpecification": {
    "CustomerManagedKeyEnabled": false
  },
  "UserTrustProviderType": "oidc",
  "Tags": []
}

[wellsiau-aws]

Related to #1139