Query re entities listed twice in state when they can be inline but are created as individual resources


I’m seeing a weird thing with terraform state and plans. With aws_instance and aws_ebs_volume, I see the EBS volume listed twice - inline within the instance, and as its own individual resource.

When we apply e.g. tag changes, they get updated against the resource, but not inline within the instance. Next time we run plan, it tells us that the inline volumes have changed outside of terraform - which can be a bit unnerving as it looks like a complete destroy/recreate. If we run apply one more time, it corrects the drift and the issue goes away until the next time.

We see the same thing with aws_security_group when using aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule. And even aws_iam_role if attaching managed policies via aws_iam_role_policy_attachment.

Some colleagues suggested using terraform apply -refresh-only to force an immediate refresh after a normal apply.

Is this kind of behaviour expected/normal? I’ve only really noticed it in the last year or so, prior to that I don’t recall ever having seen it - possibly because I previously used inline.