aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Perpetual differences in state after upgrading AFT version #344

Closed mliwak closed 1 year ago

mliwak commented 1 year ago

AFT Version: 1.10.0

Terraform Version & Provider Versions

terraform version

```text
Terraform v1.4.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/archive v2.3.0
+ provider registry.terraform.io/hashicorp/aws v4.63.0
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1
```

terraform providers

```text
.
├── provider[registry.terraform.io/hashicorp/aws] >= 4.0.0, < 5.0.0
├── module.control_tower_account_factory
│   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
│   ├── provider[registry.terraform.io/hashicorp/local]
│   ├── module.aft_code_repositories
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   └── provider[registry.terraform.io/hashicorp/local]
│   ├── module.aft_iam_roles
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.audit_exec_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.audit_service_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.ct_management_exec_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.ct_management_service_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.log_archive_exec_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.log_archive_service_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   ├── module.aft_exec_role
│   │   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   └── module.aft_service_role
│   │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   ├── module.packaging
│   │   └── provider[registry.terraform.io/hashicorp/archive]
│   ├── module.aft_backend
│   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   ├── module.aft_customizations
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   └── provider[registry.terraform.io/hashicorp/local]
│   ├── module.aft_account_request_framework
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
│   │   └── provider[registry.terraform.io/hashicorp/time]
│   ├── module.aft_feature_options
│   │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   ├── module.aft_ssm_parameters
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   └── provider[registry.terraform.io/hashicorp/random]
│   ├── module.aft_lambda_layer
│   │   ├── provider[registry.terraform.io/hashicorp/local]
│   │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
│   │   └── provider[registry.terraform.io/hashicorp/random]
│   └── module.aft_account_provisioning_framework
│       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
└── module.terraform_state_s3_bucket
    └── provider[registry.terraform.io/hashicorp/aws] >= 4.0.0, < 5.0.0
```

Bug Description

After upgrading AFT from 1.9.2 to 1.10.0, without changing its configuration, the terraform plan shows differences for a DynamoDB table resource every time it is run (it wants to add and delete the replica alternately):

```text
  # module.control_tower_account_factory.module.aft_backend.aws_dynamodb_table.lock-table will be updated in-place
  ~ resource "aws_dynamodb_table" "lock-table" {
        id                          = "aft-backend-<acc_id>"
        name                        = "aft-backend-<acc_id>"
        tags                        = {
            "Name" = "aft-backend-<acc_id>"
        }
        # (12 unchanged attributes hidden)

      - replica {
          - arn                    = "arn:aws:dynamodb:<region>:<acc_id>:table/aft-backend-<acc_id>" -> null
          - point_in_time_recovery = false -> null
          - propagate_tags         = false -> null
          - region_name            = "<region>" -> null
          - stream_arn             = "arn:aws:dynamodb:<region>:<acc_id>:table/aft-backend-<acc_id>/stream/2023-04-20T09:44:18.868" -> null
          - stream_label           = "2023-04-20T09:44:18.868" -> null
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
```

To Reproduce

Steps to reproduce the behavior:

  1. Deploy AFT with version 1.9.2
  2. Upgrade to 1.10.0

Expected behavior

No differences in a terraform plan.
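Added example, not part of this issue or of the AFT project: a small Python check that compares two consecutive Terraform plan documents (the JSON that `terraform show -json <planfile>` emits, taken as plan, apply, plan again) and separates the two shapes a "perpetual diff" can take. A change that reverses itself between plans (the replica removed in plan 1 comes back in plan 2) is the pattern reported above and means the module and the provider disagree about the desired state; applying again will not converge it. A change that is identical in both plans means the apply in between did not take. The plan documents embedded here are constructed samples trimmed to the fields the script reads, with a dummy account id and region; the function names `find_oscillations` and `find_repeats` are chosen here. The resource being churned in this issue is the AFT backend state lock table, so the check is worth running in a CI gate before anyone applies "to make the diff go away".

```python
"""Classify perpetual diffs across two consecutive `terraform show -json` plans."""
import json
import sys

LOCK_TABLE = ("module.control_tower_account_factory.module.aft_backend"
              ".aws_dynamodb_table.lock-table")

# Constructed sample plans (dummy account id 111111111111, dummy region).
# Real plan JSON carries many more keys; only resource_changes[].address and
# resource_changes[].change.{actions,before,after} are read below.
REPLICA = {"region_name": "eu-west-1", "point_in_time_recovery": False,
           "propagate_tags": False}

PLAN_1 = {"format_version": "1.1", "resource_changes": [
    {"address": LOCK_TABLE, "type": "aws_dynamodb_table",
     "change": {"actions": ["update"],
                "before": {"name": "aft-backend-111111111111", "replica": [REPLICA]},
                "after":  {"name": "aft-backend-111111111111", "replica": []}}},
    # A change that converges: updated in plan 1, a no-op in plan 2.
    {"address": "module.example.aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["update"],
                "before": {"bucket": "logs", "tags": {}},
                "after":  {"bucket": "logs", "tags": {"Owner": "aft"}}}},
]}

PLAN_2 = {"format_version": "1.1", "resource_changes": [
    {"address": LOCK_TABLE, "type": "aws_dynamodb_table",
     "change": {"actions": ["update"],
                "before": {"name": "aft-backend-111111111111", "replica": []},
                "after":  {"name": "aft-backend-111111111111", "replica": [REPLICA]}}},
    {"address": "module.example.aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"],
                "before": {"bucket": "logs", "tags": {"Owner": "aft"}},
                "after":  {"bucket": "logs", "tags": {"Owner": "aft"}}}},
]}


def changes_by_address(plan):
    """Map resource address -> change object, skipping no-op entries."""
    out = {}
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] == ["no-op"]:
            continue
        out[rc["address"]] = rc["change"]
    return out


def differing_attrs(before, after):
    """Top-level attributes whose value differs between two resource states.
    `before` is null for creates and `after` is null for destroys in real plans.
    Values only known after apply live under change.after_unknown and are
    deliberately not compared here."""
    before, after = before or {}, after or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def find_oscillations(plan1, plan2):
    """Return {address: [attrs]} where plan2 exactly reverses plan1 (A->B, then B->A)."""
    first, second = changes_by_address(plan1), changes_by_address(plan2)
    flagged = {}
    for addr, c2 in second.items():
        c1 = first.get(addr)
        if c1 is None:
            continue
        common = differing_attrs(c1["before"], c1["after"]) & differing_attrs(c2["before"], c2["after"])
        reversed_attrs = sorted(
            a for a in common
            if (c1["after"] or {}).get(a) == (c2["before"] or {}).get(a)
            and (c1["before"] or {}).get(a) == (c2["after"] or {}).get(a))
        if reversed_attrs:
            flagged[addr] = reversed_attrs
    return flagged


def find_repeats(plan1, plan2):
    """Addresses whose planned change is byte-for-byte the same in both plans:
    the apply in between did not converge them."""
    first, second = changes_by_address(plan1), changes_by_address(plan2)
    return sorted(a for a in second if a in first
                  and first[a]["before"] == second[a]["before"]
                  and first[a]["after"] == second[a]["after"])


def load_plan(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python check_plan_drift.py plan1.json plan2.json (falls back to the samples).
    p1, p2 = (load_plan(a) for a in sys.argv[1:3]) if len(sys.argv) == 3 else (PLAN_1, PLAN_2)
    for addr, attrs in find_oscillations(p1, p2).items():
        print(f"OSCILLATING {addr}: {', '.join(attrs)}")
    for addr in find_repeats(p1, p2):
        print(f"NOT CONVERGING {addr}")
```

To produce the inputs, run `terraform plan -out=p1 && terraform show -json p1 > p1.json`, apply, then repeat for `p2.json`. An oscillating address on the state lock table is a signal to stop and fix the module version (here, the maintainers' answer was the 1.10.1 release), not to keep applying.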

lawliet89 commented 1 year ago

Chiming in to say that I am experiencing the same issue.

First plan/apply after upgrading:

(screenshot: first plan output)

Second plan:

(screenshot: second plan output)

I am guessing this will toggle between destroy/create.

snebhu3 commented 1 year ago

@mliwak thank you for reporting the issue. We were able to reproduce this behavior in our test environment. We are working on a fix for this.

snebhu3 commented 1 year ago

AFT 1.10.1 has been released with a fix for this issue.