Terraform apply -refresh-only

pantelis · May 11, 2022, 6:10am

Hello,

I am running Terraform in AWS. After running terraform plan, I get this output.

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.cf_eu_domain_com.aws_iam_role.this has changed
  ~ resource "aws_iam_role" "this" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ Service = [
                              - "edgelambda.amazonaws.com",
                                "lambda.amazonaws.com",
                              + "edgelambda.amazonaws.com",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        id                    = "community_lambda_role"
        name                  = "community_lambda_role"
        tags                  = {}
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to
undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.

Your configuration already matches the changes detected above. If you'd like to update the Terraform state to match, create and apply a refresh-only plan:

I run terraform apply -refresh-only, it finishes, I run plan again and the same output appears.

It does not create any functional issue to the env. It is just a bit confusing.

Any recommendations or advises to workaround this, are welcomed and highly appreciated.

Thank you!

Pantelis

apparentlymart · May 11, 2022, 2:47pm

Hi @pantelis,

This situation can arise if either the remote system or the provider is inconsistent about whether it considers a particular difference to be just normalization (a different way to write the same thing) or drift (the new value means something different than the old).

In this case, it seems like two different things might be true together:

The remote API is not always returning these JSON arrays in a consistent order, so there is no single definition of what the normalized form of this policy would be.
The Terraform AWS provider is handling the difference correctly during planning, so it shows as “No changes”, but it isn’t handling it correctly during refresh and so it’s telling Terraform Core that the value has materially changed in the remote system.

My normal workaround for the second problem would be to reorder the elements in your input to match the normalized form returned by the remote system, so that the provider will consider them equal even though it lacks a rule for detecting normalization. However, the first problem above would defeat that if there is no single normalized order for this array; in that case, adding the missing rule to the provider would be the only recourse.

This particular situation seems familiar to me from previous discussions, so I believe the AWS provider team is already tracking it and may even have addressed it in a newer version of the AWS provider. If you aren’t on the latest version already then upgrading might help. Otherwise, I would suggest looking for a similar issue in the AWS provider’s GitHub repository that you could vote for and track to see when it’s resolved.

I’m sorry I don’t have a more immediate answer for you than that.