Resources changed outside of terraform after module upgrades?

We use AWS for our cloud infrastructure. Is it normal for the drift detection to start getting triggered after child module updates? I recently went through all the repositories in our organisation and updated all of the tf versions, provider versions, and module versions. Some were quite out of date. Since I did this, I’ve noticed when new PRs are opened, the terraform plan output in our CI/CD pipeline is showing the “the following resources have changed outside of terraform” messages.

I’m wondering might this be a result of the various modules having been updated to include new (and deprecate old) configuration options for resources in AWS? As if terraform THINKS some configurations have changed outside of terraform but in actual fact, those configurations simply were not a thing the last time the module was run?

Yes, this is quite common with provider updates, depending on the providers involved.

Hi @m477r1x,

One way this could happen is if you upgraded a provider and the provider began returning the current data for an object in a different way. From Terraform Core’s perspective the new value is different from the previous value and so it seems like a “change outside of Terraform”.

Providers can in principle avoid this by writing an upgrade rule to change the existing data to match the new shape before reading the new data from the remote system, but if a provider doesn’t do that then Terraform Core cannot distinguish between schema or data formatting changes and real changes.

Terraform v1.2 and later try to show the message about changes only if something else in the configuration seems to be affected by it, although that is a static analysis heuristic rather than an exact analysis. If you are currently using v1.1 or earlier then you might find that upgrading to latest will mean you see these messages less often.
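
An added example, not part of the thread or of Terraform itself: a triage script over the `resource_drift` entries of `terraform show -json <planfile>` output. It separates attributes that went from null or absent to a value from attributes whose existing value changed. Treating the first group as likely provider schema changes is a heuristic assumed here, not something Terraform reports, and the sample plan is constructed.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output;
# only the "resource_drift" entries are used.
SAMPLE_PLAN = json.loads("""
{
  "resource_drift": [
    {"address": "module.logs.aws_s3_bucket.this",
     "change": {"actions": ["update"],
                "before": {"bucket": "example-logs", "object_lock_enabled": null,
                           "tags": {"team": "ops"}},
                "after":  {"bucket": "example-logs", "object_lock_enabled": false,
                           "tags": {"team": "ops"}}}},
    {"address": "aws_security_group.web",
     "change": {"actions": ["update"],
                "before": {"name": "web", "description": "web tier"},
                "after":  {"name": "web", "description": "edited in console"}}}
  ]
}
""")


def diff_paths(before, after, prefix=""):
    """Yield (path, before, after) for every leaf value that differs."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            path = f"{prefix}.{key}" if prefix else key
            yield from diff_paths(before.get(key), after.get(key), path)
    elif before != after:
        yield prefix, before, after


def triage(plan):
    """Group drifted attribute paths per resource address.

    newly_populated: prior state had null/absent (heuristic: schema change).
    value_changed:   prior state had a value that now differs (review first).
    """
    report = {}
    for rc in plan.get("resource_drift", []):
        change = rc.get("change", {})
        buckets = {"newly_populated": [], "value_changed": []}
        for path, old, _new in diff_paths(change.get("before") or {},
                                          change.get("after") or {}):
            buckets["newly_populated" if old is None else "value_changed"].append(path)
        report[rc["address"]] = buckets
    return report


if __name__ == "__main__":
    for address, buckets in triage(SAMPLE_PLAN).items():
        print(address, buckets)
```

Entries under `value_changed` are the ones to compare against CloudTrail or change records before accepting the refreshed state.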