hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Perpetual diff for `aws_ssoadmin_permission_set_inline_policy` `inline_policy` #28834

Open YakDriver opened 1 year ago

YakDriver commented 1 year ago

Originally submitted as a comment on https://github.com/hashicorp/terraform-provider-aws/issues/23288#issuecomment-1122304563 by @ad-m-ss.

Terraform Core Version

1.1.7

AWS Provider Version

4.7.0

Affected Resource(s)

Expected Behavior

Create and refresh without changes / updates

Actual Behavior

Objects have changed outside of Terraform

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_ssoadmin_permission_set_inline_policy" "developer" {
  # "id" is computed by the provider as "<permission_set_arn>,<instance_arn>"
  # and cannot be set directly; the two ARNs are the actual arguments.
  permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-6684bd07964ad0f4/ps-f7fa08c3ff7c1943"
  instance_arn       = "arn:aws:sso:::instance/ssoins-6684bd07964ad0f4"

  inline_policy = jsonencode({
    # Version and the per-statement Effect/Sid are the "unchanged elements hidden" in the plan below.
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "logs:StartQuery",
          "logs:FilterLogEvents",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
        Sid      = ""
      },
      {
        Action = [
          "sns:List*",
          "sns:Get*",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
        Sid      = ""
      },
      {
        Action = [
          "cloudwatch:List*",
          "cloudwatch:Get*",
          "cloudwatch:Describe*",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
        Sid      = ""
      },
      {
        Action   = "autoscaling:Describe*"
        Effect   = "Allow"
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
        Sid      = ""
      },
      {
        Action = [
          "logs:TestMetricFilter",
          "logs:StopQuery",
          "logs:List*",
          "logs:Get*",
          "logs:Describe*",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:logs:us-east-2:672751098944:log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
        Sid      = ""
      },
      {
        Action   = "logs:GetQueryResults"
        Effect   = "Allow"
        Resource = "arn:aws:logs:*:*:log-group::log-stream:"
        Sid      = ""
      },
    ]
  })
}

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Debug Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ssoadmin_permission_set_inline_policy.developer["1"] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "developer" {
        id                 = "arn:aws:sso:::permissionSet/ssoins-6684bd07964ad0f4/ps-f7fa08c3ff7c1943,arn:aws:sso:::instance/ssoins-6684bd07964ad0f4"
      ~ inline_policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                          - "logs:StartQuery",
                          - "logs:FilterLogEvents",
                          + "redshift:ViewQueriesFromConsole",
                          + "redshift:ListTables",
                          + "redshift:ListSchemas",
                          + "redshift:ListDatabases",
                          + "redshift:GetClusterCredentials",
                          + "redshift:FetchResults",
                          + "redshift:ExecuteQuery",
                          + "redshift:DescribeTable",
                          + "redshift:DescribeQuery",
                          + "redshift:DescribeClusters",
                          + "redshift:CancelQuery",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> "*"
                        # (2 unchanged elements hidden)
                    },
                  ~ {
                      ~ Action   = [
                          - "sns:List*",
                          - "sns:Get*",
                          + "redshift-data:ListTables",
                          + "redshift-data:ListSchemas",
                          + "redshift-data:ListDatabases",
                          + "redshift-data:ExecuteStatement",
                          + "redshift-data:DescribeTable",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> "*"
                        # (2 unchanged elements hidden)
                    },
                  ~ {
                      ~ Action   = [
                          - "cloudwatch:List*",
                          - "cloudwatch:Get*",
                          - "cloudwatch:Describe*",
                          + "redshift-data:ListStatements",
                          + "redshift-data:GetStatementResult",
                          + "redshift-data:DescribeStatement",
                          + "redshift-data:CancelStatement",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> "*"
                        # (2 unchanged elements hidden)
                    },
                  ~ {
                      ~ Action   = "autoscaling:Describe*" -> [
                          + "s3:ListMultipartUploadParts",
                          + "s3:ListBucketVersions",
                          + "s3:ListBucketMultipartUploads",
                          + "s3:ListBucket",
                          + "s3:GetReplicationConfiguration",
                          + "s3:GetObjectVersionTorrent",
                          + "s3:GetObjectVersionTagging",
                          + "s3:GetObjectVersionForReplication",
                          + "s3:GetObjectVersionAcl",
                          + "s3:GetObjectVersion",
                          + "s3:GetObjectTorrent",
                          + "s3:GetObjectTagging",
                          + "s3:GetObjectRetention",
                          + "s3:GetObjectLegalHold",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                          + "s3:GetMetricsConfiguration",
                          + "s3:GetLifecycleConfiguration",
                          + "s3:GetJobTagging",
                          + "s3:GetInventoryConfiguration",
                          + "s3:GetEncryptionConfiguration",
                          + "s3:GetBucketWebsite",
                          + "s3:GetBucketVersioning",
                          + "s3:GetBucketTagging",
                          + "s3:GetBucketRequestPayment",
                          + "s3:GetBucketPublicAccessBlock",
                          + "s3:GetBucketPolicyStatus",
                          + "s3:GetBucketPolicy",
                          + "s3:GetBucketOwnershipControls",
                          + "s3:GetBucketObjectLockConfiguration",
                          + "s3:GetBucketNotification",
                          + "s3:GetBucketLogging",
                          + "s3:GetBucketLocation",
                          + "s3:GetBucketCORS",
                          + "s3:GetBucketAcl",
                          + "s3:GetAnalyticsConfiguration",
                          + "s3:GetAccessPointPolicyStatus",
                          + "s3:GetAccessPointPolicy",
                          + "s3:GetAccelerateConfiguration",
                          + "s3:DescribeJob",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> [
                          + "arn:aws:s3:::select-star-audit-log-test/*",
                          + "arn:aws:s3:::select-star-audit-log-test",
                        ]
                        # (2 unchanged elements hidden)
                    },
                  - {
                      - Action   = [
                          - "logs:TestMetricFilter",
                          - "logs:StopQuery",
                          - "logs:List*",
                          - "logs:Get*",
                          - "logs:Describe*",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:us-east-2:672751098944:log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
                      - Sid      = ""
                    },
                  - {
                      - Action   = "logs:GetQueryResults"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:*:*:log-group::log-stream:"
                      - Sid      = ""
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Panic Output

No response

Important Factoids

No response

References

Would you like to implement a fix?

None
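A plan that keeps reporting a change to `inline_policy` has two possible causes: the provider is comparing the stored JSON byte-for-byte and tripping over cosmetic differences (key order, `Action` as a string versus a one-element list, an empty `Sid`) that it ought to suppress, or the permission set really was changed outside Terraform. The script below separates the two cases by normalizing both documents before comparing them. It is an added example, not code from this issue or from the provider; the sample documents are constructed from the statements shown in the configuration and plan above.

```python
import json

# Keys whose values IAM treats as unordered sets; a bare string equals a one-element list.
SET_KEYS = {"Action", "NotAction", "Resource", "NotResource"}
LOG_GROUP = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"


def normalize(node):
    """Canonical form of a policy fragment: key order, string-vs-list, element
    order inside Action/Resource and an empty Sid no longer matter."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "Sid" and value == "":
                continue  # an empty Sid carries no meaning
            if key in SET_KEYS:
                items = value if isinstance(value, list) else [value]
                out[key] = sorted(str(v) for v in items)
            elif key == "Statement" and not isinstance(value, list):
                out[key] = [normalize(value)]  # single statement object
            else:
                out[key] = normalize(value)
        return out
    if isinstance(node, list):
        return [normalize(v) for v in node]
    return node

def classify(configured: str, remote: str) -> str:
    """'none' if byte-identical, 'cosmetic' if equal after normalization (a diff
    the provider should suppress), 'drift' if the permissions really differ."""
    if configured == remote:
        return "none"
    if normalize(json.loads(configured)) == normalize(json.loads(remote)):
        return "cosmetic"
    return "drift"


# Constructed sample documents based on the issue's configuration and plan output.
CONFIGURED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": "autoscaling:Describe*", "Effect": "Allow", "Resource": LOG_GROUP, "Sid": ""}]})
# Same permissions as AWS would echo them back: list-valued Action, keys reordered, no Sid.
REMOTE_COSMETIC = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": ["autoscaling:Describe*"], "Resource": [LOG_GROUP]}], "Version": "2012-10-17"})
# Genuinely different permissions, as in the first statement of the plan (logs -> redshift, "*").
REMOTE_DRIFT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["redshift:ListTables", "redshift:ExecuteQuery"], "Resource": "*"}]})

if __name__ == "__main__":
    print("cosmetic-only difference:", classify(CONFIGURED, REMOTE_COSMETIC))  # cosmetic
    print("real out-of-band change:", classify(CONFIGURED, REMOTE_DRIFT))      # drift
```

For a live check, feed `classify` the `inline_policy` value from `terraform show -json` and the document returned by `aws sso-admin get-inline-policy-for-permission-set`; a result of `drift` means the plan above is reporting a real change, not a normalization bug.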

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue