Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes

Hello,

I proceeded with the [plan-apply] process and confirmed that it was applied normally.
If you enter [terraform plan] immediately, an update(?) occurs as shown below.
However, this is the [No changes. Your infrastructure matches the configuration.] output.

What the hell is this?

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

   # module.test has changed
   ~ resource "aws_ecs" "test" {
         id              = "test_ecs"
       + labels          = {}
         tags            = {
             "Owner"                             = "Devops"
             "User"                              = "Terraform"
         }
         # (14 unchanged attributes hidden)
         # (3 unchanged blocks hidden)
     }

   # module.ecs.aws_security_group.ecs-sg has changed
   ~ resource "aws_security_group" "ecs-sg" {
         id                     = "sg-0f88"
       ~ ingress                = [
           + {
               + cidr_blocks      = []
               + from_port        = 0
               + ipv6_cidr_blocks = []
               + prefix_list_ids  = []
               + protocol         = "tcp"
               + security_groups  = [
                   + "sg-0f088",
                 ]
               + self             = false
               + to_port          = 65535
             },
           + {
               + cidr_blocks      = []
               + from_port        = 443
               + ipv6_cidr_blocks = []
               + prefix_list_ids  = []
               + protocol         = "tcp"
               + security_groups  = [
                   + "sg-0f088",
                 ]
               + self             = false
               + to_port          = 443
             },
         ]
         name                   = "ecs-sg"
         tags                   = {
             "Owner"      = "Devops"
             "User"       = "Terraform"
         }
         # (7 unchanged attributes hidden)
     }

 Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using
 ignore_changes, the following plan may include actions to undo or respond to these changes.

 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────

 No changes. Your infrastructure matches the configuration.

Your configuration already matches the changes detected above. If you'd like to update the Terraform state to
match, create and apply a refresh-only plan:
  terraform apply -refresh-only

Hi @oliverpark999,

I’m not sure exactly what you’re asking that isn’t described in the output. The diff shown under “Terraform detected the following changes made outside of Terraform” is just that: the provider has returned something different from the last recorded state. In this particular case it sounds like, rather than detecting some external drift, the provider is changing some of the values in a way that results in no actual changes to remote resources. While this is not technically correct behavior from the provider, because it is not triggering any changes when compared to the configuration, it is mostly harmless.

From the output it also looks as if you’re not using the latest version of Terraform, which reduces this drift output to only what can be attributed to changes in the actual plan, leaving terraform apply -refresh-only as the method for seeing all external resource drift.

I think specifically what’s happened here is that there’s an aws_security_group_rule resource somewhere else in this configuration which has, in effect, modified the aws_security_group object after it was originally created. Although in this case it’s not quite right to say that the change happened “outside of Terraform”, the provider is modifying an object it previously returned later in the same run, and so from the perspective of this security group resource alone the object has been modified outside of this resource, by another resource.

This seems to be the problem covered by this bug report in the provider repository:

In summary, the provider is subtly “breaking the rules” as a pragmatic way to allow specifying security group rules in two different ways: either inline in the security group resource or in separate resources. This quirk is the consequence of breaking those rules: on the next plan, the provider reconciles the inconsistency it created, causing the content of that resource to show as having changed since its most recent apply.
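To separate the drift report from the plan proper in a script (for example in CI), the machine-readable plan from terraform show -json lists the two under resource_drift and resource_changes respectively. The following is an added example, not code from this thread or from Terraform itself; it runs on a constructed JSON fragment modelled on the output above, and the check for ingress rules that appeared in the remote object is an illustration of the kind of drift worth reviewing.

```python
import json

# Constructed sample JSON plan (terraform show -json tfplan), modelled on the
# thread's output: ecs-sg drifted (ingress rules appeared in the remote
# object) while the plan itself contains no actions.
SAMPLE_PLAN_JSON = """{
  "format_version": "1.0",
  "resource_drift": [{
    "address": "module.ecs.aws_security_group.ecs-sg",
    "type": "aws_security_group",
    "change": {
      "actions": ["update"],
      "before": {"id": "sg-0f88", "ingress": []},
      "after": {"id": "sg-0f88", "ingress": [
        {"from_port": 0, "to_port": 65535, "protocol": "tcp",
         "cidr_blocks": [], "security_groups": ["sg-0f088"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": [], "security_groups": ["sg-0f088"]}]}
    }
  }],
  "resource_changes": [{
    "address": "module.ecs.aws_security_group.ecs-sg",
    "change": {"actions": ["no-op"]}
  }]
}"""


def summarize(plan_json: str) -> dict:
    """Split drift from planned actions and list ingress rules that appeared."""
    plan = json.loads(plan_json)
    drift = plan.get("resource_drift", [])
    # Addresses Terraform will actually act on (everything but no-op).
    planned = [r["address"] for r in plan.get("resource_changes", [])
               if r["change"]["actions"] != ["no-op"]]
    new_ingress = []
    for r in drift:
        if r.get("type") != "aws_security_group":
            continue
        before = r["change"].get("before") or {}
        after = r["change"].get("after") or {}
        known = {json.dumps(x, sort_keys=True) for x in before.get("ingress", [])}
        for rule in after.get("ingress", []):
            if json.dumps(rule, sort_keys=True) not in known:
                new_ingress.append((r["address"], rule["protocol"],
                                    rule["from_port"], rule["to_port"]))
    return {"drifted": [r["address"] for r in drift],
            "planned": planned, "new_ingress": new_ingress}
```

An empty "planned" list with a non-empty "drifted" list is exactly the situation in the thread: the state is being refreshed, but nothing is going to be changed remotely.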

I use Terraform version 1.1.5.
Does this issue occur in that version?

When tested in version 1.2.5, the symptoms seem to have disappeared. We need to do some more tests.

This general process occurs in every version of Terraform, when the stored state is updated to reflect what the providers report as the current state of each resource, though this was not directly shown in earlier versions. In Terraform v1.0 additional CLI output was added to help users track down unexpected external changes during a plan, often referred to as “drift”. In v1.2 this output was reduced to only what can be attributed to changes within the plan, unless a -refresh-only plan was created.