Terraform ideompotency rules of thumb

Hi team,

Another day - another challenge, any feedback appreciated.

Kindly suggest what rules we need to follow or simply memorize by hard to make changes readable.

Example of plan output that we deal with a lot


Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # aws_s3_bucket.this has changed
  ~ resource "aws_s3_bucket" "this" {
        id                          = "adl-enriched-ap-cf-salesforce-outbound-dev-46x1vb"
      ~ policy                      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              + "arn:aws:iam::111111111111:role/IAMAdminAccessRole",
                              + "arn:aws:iam::111111111111:role/DeveloperAccessRole",
                              + "arn:aws:iam::111111111111:role/BillingAccessRole",
                              + "arn:aws:iam::111111111111:role/DataConsumerAccessRole",
                                "arn:aws:iam::111111111111:role/SupportAccessRole",
                                "arn:aws:iam::111111111111:role/DataScientistAccessRole",
                              + "arn:aws:iam::111111111111:role/SecurityAuditAccessRole",
                              + "arn:aws:iam::111111111111:role/DevOpsAccessRole",
                              + "arn:aws:iam::111111111111:role/NetworkAdminAccessRole",
                                "arn:aws:iam::111111111111:role/EC2AdminAccessRole",
                                # (1 unchanged element hidden)
                                "arn:aws:iam::111111111111:role/S3AdminAccessRole",
                              - "arn:aws:iam::111111111111:role/DevOpsAccessRole",
                              - "arn:aws:iam::111111111111:role/SecurityAuditAccessRole",
                              - "arn:aws:iam::111111111111:role/PowerUserAccessRole",
                              - "arn:aws:iam::111111111111:role/DeveloperAccessRole",
                              - "arn:aws:iam::111111111111:role/IAMAdminAccessRole",
                              - "arn:aws:iam::111111111111:role/NetworkAdminAccessRole",
                              - "arn:aws:iam::111111111111:role/BillingAccessRole",
                              - "arn:aws:iam::111111111111:role/DataConsumerAccessRole",
                                "arn:aws:iam::111111111111:role/AdministratorAccessRole",
                              + "arn:aws:iam::111111111111:role/PowerUserAccessRole",
                                "arn:aws:iam::111111111111:role/DataPublisherAccessRole",
                            ]
                        }
                        # (5 unchanged elements hidden)
                    },
....

I suspect but didn’t test the right way to define to policy not with json but with aws_iam_policy_document but that is probably just a tip of an iceberg.

As always, appreciate you feedback.

The aws_iam_policy_document data source is just a way to manufacture JSON so I don’t think that’s going to help you at all.

The output you show here suggests that AWS has re-ordered the principal ARNs within the policy. I don’t use AWS much, but if this is a normal thing for it to do, then I would suggest reporting the problem as a GitHub issue on terraform-provider-aws - as it is a provider’s job to deal with canonicalising away non-semantic changes to data representation that are specific to a particular remote system.

1 Like