Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes

oliverpark999 · July 14, 2022, 1:45am

Hello,

I proceeded with the [plan-apply] process and confirmed that it was applied normally.
If you enter [terraform plan] immediately, an update(?) occurs as shown below.
However, this is the [No changes. Your infrastructure matches the configuration.] output.

What the hell is this?

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

# module.test has changed
   ~ resource "aws_ecs" "test" {
         id              = "test_ecs"
       + labels          = {}
         tags            = {
             "Owner"                             = "Devops"
             "User"                              = "Terraform"
         }
         # (14 unchanged attributes hidden)
         # (3 unchanged blocks hidden)
     }

   # module.ecs.aws_security_group.ecs-sg has changed
   ~ resource "aws_security_group" "ecs-sg" {
         id                     = "sg-0f88"
       ~ ingress                = [
           + {
               + cidr_blocks      = []
               + from_port        = 0
               + ipv6_cidr_blocks = []
               + prefix_list_ids  = []
               + protocol         = "tcp"
               + security_groups  = [
                   + "sg-0f088",
                 ]
               + self             = false
               + to_port          = 65535
             },
           + {
               + cidr_blocks      = []
               + from_port        = 443
               + ipv6_cidr_blocks = []
               + prefix_list_ids  = []
               + protocol         = "tcp"
               + security_groups  = [
                   + "sg-0f088",
                 ]
               + self             = false
               + to_port          = 443
             },
         ]
         name                   = "ecs-sg"
         tags                   = {
             "Owner"      = "Devops"
             "User"       = "Terraform"
         }
         # (7 unchanged attributes hidden)
     }

 Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using
 ignore_changes, the following plan may include actions to undo or respond to these changes.

 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────

 No changes. Your infrastructure matches the configuration.

Your configuration already matches the changes detected above. If you'd like to update the Terraform state to
match, create and apply a refresh-only plan:
  terraform apply -refresh-only

jbardin · July 14, 2022, 1:43pm

Hi @oliverpark999,

I’m not sure exactly what you’re asking which isn’t described in the output. The diff shown under “Terraform detected the following changes made outside of Terraform” is just that, the provider has returned something different from last recorded state. In this particular case it sounds like rather than detecting some external drift, the provider is changing some of the values in a way that results in no actual changes to remote resources. While this is not technically correct behavior from the provider, because it is not triggering any changes when compared to the configuration it is mostly harmless.

From the output it also looks as if you’re not using the latest version of Terraform, which reduces this drift output to only what can be attributed to changes in the actual plan, leaving terraform apply -refresh-only as the method for seeing all external resource drift.

apparentlymart · July 14, 2022, 2:53pm

I think specifically what’s happened here is that there’s a aws_security_group_rule resource somewhere else in this configuration which has, in effect, modified the aws_security_group object after it was originally created. Although in this case it’s not quite right to say that the change happened “outside of Terraform”, the provider is modifying an object it previously returned later in the same run and so from the perspective of this security group resource alone this object has been modified outside of this resource, by another resource.

This seems to be the problem covered by this bug report in the provider repository:

github.com/hashicorp/terraform-provider-aws

Terraform detects changes made with terraform as outside changes

opened 02:29PM - 22 Dec 21 UTC

zoltan-toth-mw

service/ec2

### Community Note * Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment  ### Terraform Version  ``` Terraform v1.1.2 on darwin_amd64 + provider registry.terraform.io/hashicorp/aws v3.70.0 + provider registry.terraform.io/hashicorp/template v2.2.0 ``` ### Terraform Configuration Files  ```terraform resource "aws_route" "kubernetes_destinations" { for_each = local.route_tables route_table_id = each.key destination_cidr_block = "10.103.0.0/16" transit_gateway_id = data.aws_ec2_transit_gateway.tgw.id } ``` ### Expected Behavior It should not report changes made with terraform as changes from the outside. ### Actual Behavior It reports changes made with terraform as they were made outside of it. ### Steps to Reproduce 1. I added the following resource to my terraform config: ```terraform resource "aws_route" "kubernetes_destinations" { for_each = local.route_tables route_table_id = each.key destination_cidr_block = "10.103.0.0/16" transit_gateway_id = data.aws_ec2_transit_gateway.tgw.id } ``` 2. I ran terraform apply. It already complained about my previous apply like it was made outside of terraform. ```terraform Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply": # module.vpc.aws_route_table.private[0] has changed ~ resource "aws_route_table" "private" { id = "rtb-0b1REDACTED" ~ route = [ + { + carrier_gateway_id = "" + cidr_block = "10.15.0.0/16" + destination_prefix_list_id = "" + egress_only_gateway_id = "" [...] Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # aws_route.kubernetes_destinations["rtb-0b14REDACTED"] will be created + resource "aws_route" "kubernetes_destinations" { + destination_cidr_block = "10.103.0.0/16" + id = (known after apply) + instance_id = (known after apply) + instance_owner_id = (known after apply) + network_interface_id = (known after apply) + origin = (known after apply) + route_table_id = "rtb-0b1REDACTED" + state = (known after apply) + transit_gateway_id = "tgw-0e8dREDACTED" } [...] Plan: 3 to add, 0 to change, 0 to destroy. aws_route.kubernetes_destinations["rtb-08eREDACTED"]: Creating... [...] Apply complete! Resources: 3 added, 0 changed, 0 destroyed. ``` 3. I ran terraform plan and I saw my recently apply changes reported as non terraform changes: ```terraform Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply": # module.vpc.aws_route_table.private[0] has changed ~ resource "aws_route_table" "private" { id = "rtb-0b1REDACTED" ~ route = [ + { + carrier_gateway_id = "" + cidr_block = "10.103.0.0/16" + destination_prefix_list_id = "" + egress_only_gateway_id = "" + gateway_id = "" + instance_id = "" + ipv6_cidr_block = "" + local_gateway_id = "" + nat_gateway_id = "" + network_interface_id = "" + transit_gateway_id = "tgw-0e8REDACTED" + vpc_endpoint_id = "" + vpc_peering_connection_id = "" }, # (2 unchanged elements hidden) ] tags = { "Name" = "staging-private-a" } # (5 unchanged attributes hidden) } # module.vpc.aws_route_table.private[1] has changed #... ``` 4. Checked the remote state file, the changes are there though... ``` { "index_key": "rtb-0b1REDACTED", "schema_version": 0, "attributes": { "carrier_gateway_id": "", "destination_cidr_block": "10.103.0.0/16", "destination_ipv6_cidr_block": "", "destination_prefix_list_id": "", "egress_only_gateway_id": "", "gateway_id": "", "id": "r-rtb-0b14REDACTED", "instance_id": "", "instance_owner_id": "", "local_gateway_id": "", "nat_gateway_id": "", "network_interface_id": "", "origin": "CreateRoute", "route_table_id": "rtb-0b14REDACTED", "state": "active", "timeouts": null, "transit_gateway_id": "tgw-0e8REDACTED", "vpc_endpoint_id": "", "vpc_peering_connection_id": "" }, "sensitive_attributes": [], "private": "REDACTED", "dependencies": [ "data.aws_ec2_transit_gateway.tgw", "module.vpc.aws_route_table.private" ] } ``` 5. Note that the complaint that was there before the apply is not reported anymore, only the most recent changes, the latest apply is reported. I saw this issue after I created the vpc too. ### Notes Reported it as a generic terraform problem before: https://github.com/hashicorp/terraform/issues/30239

In summary, the provider is subtly “breaking the rules” as a pragmatic way to allow specifying security group rules in two different ways: either inline in the security group resource or in separate resources. This quirk is the consequence of breaking those rules: on the next plan, the provider reconciles the inconsistency it created, causing the content of that resource to show as having changed since its most recent apply.

oliverpark999 · July 14, 2022, 11:45pm

I Use Terraform Version 1.1.5,
Does this issue occur in that version?

oliverpark999 · July 15, 2022, 12:43am

When tested in 1.2.5 version, the symptoms seem to have disappeared. We need to do some more tests.

jbardin · July 15, 2022, 1:52pm

This general process occurs in every version of Terraform, when the stored state is updated to reflect what the providers report as the current state of each resource, though this was not directly shown in earlier versions. In Terraform v1.0 additional CLI output was added to help users track down unexpected external changes during a plan, often referred to as “drift”. In v1.2 this output was reduced to only what can be attributed to changes within the plan, unless a -refresh-only plan was created.