hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_ssoadmin_permission_set requires two applies #26575

Closed sidekick-eimantas closed 3 weeks ago

sidekick-eimantas commented 2 years ago


Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

Terraform Configuration Files


provider "aws" {
  region = "eu-west-1"
  default_tags {
    tags = {
      "iac-source" = "https://github.com/sidekickmoney/infrastructure"
    }
  }
}

# Both data sources use the default provider configured above (eu-west-1).
data "aws_caller_identity" "current" {}
data "aws_ssoadmin_instances" "this" {}

resource "aws_ssoadmin_permission_set" "management_admin" {
  name             = "management-admin"
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  relay_state      = "https://eu-west-1.console.aws.amazon.com/console/home?region=eu-west-1#"
  session_duration = "PT1H"
}

data "aws_iam_policy_document" "management_admin" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "management_admin" {
  inline_policy      = data.aws_iam_policy_document.management_admin.json
  instance_arn       = aws_ssoadmin_permission_set.management_admin.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.management_admin.arn
}

Debug Output

Panic Output

Expected Behavior

First apply should create tags.

Actual Behavior

First apply deploys the aws_ssoadmin_permission_set but does not apply tags. A subsequent terraform apply is required to apply tags.


Terraform will perform the following actions:

  # aws_ssoadmin_permission_set.management_admin will be updated in-place
  ~ resource "aws_ssoadmin_permission_set" "management_admin" {
        id               = "arn:aws:sso:::permissionSet/ssoins-nnnnnnnnnnnn/ps-nnnnnnnnnnnn,arn:aws:sso:::instance/ssoins-nnnnnnnnnn"
        name             = "management-admin"
        tags             = {}
      ~ tags_all         = {
          + "iac-source" = "https://github.com/sidekickmoney/infrastructure"
        }
        # (5 unchanged attributes hidden)
    }

Steps to Reproduce

  1. terraform apply
  2. terraform plan

Important Factoids

References

jSherz commented 2 years ago

@sidekick-eimantas which provider version are you running?

github-actions[bot] commented 1 month ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
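
A check for the symptom reported in this issue, as an added example that is not part of the original thread or the provider's code: it reads the JSON form of a saved plan and reports resources whose only pending change is `tags_all`. The sample plan is constructed from the plan output quoted in the issue, and the function name `tag_only_drift` is an assumption of this example.

```python
import json

# Constructed sample in the `terraform show -json <planfile>` format, trimmed to
# the fields used here; values mirror the plan output quoted in the issue.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "aws_ssoadmin_permission_set.management_admin",
            "type": "aws_ssoadmin_permission_set",
            "change": {
                "actions": ["update"],
                "before": {"name": "management-admin", "session_duration": "PT1H",
                           "tags": {}, "tags_all": {}},
                "after": {"name": "management-admin", "session_duration": "PT1H",
                          "tags": {},
                          "tags_all": {"iac-source": "https://github.com/sidekickmoney/infrastructure"}},
            },
        },
        {
            "address": "aws_ssoadmin_permission_set_inline_policy.management_admin",
            "type": "aws_ssoadmin_permission_set_inline_policy",
            "change": {"actions": ["no-op"], "before": {"inline_policy": "{}"},
                       "after": {"inline_policy": "{}"}},
        },
    ]
})


def tag_only_drift(plan_json):
    """Return {address: pending_tags} for in-place updates that change only tags_all."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        changed = {k for k in set(before) | set(after) if before.get(k) != after.get(k)}
        if changed != {"tags_all"}:
            continue  # something other than tags differs: not this symptom
        old, new = before.get("tags_all") or {}, after.get("tags_all") or {}
        pending = {k: v for k, v in new.items() if old.get(k) != v}
        if pending:
            findings[rc["address"]] = pending
    return findings


if __name__ == "__main__":
    for address, tags in tag_only_drift(SAMPLE_PLAN).items():
        print(f"{address}: tags still pending after apply: {tags}")
```

In a pipeline, the input would come from `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, run immediately after the first apply.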