hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: DynamoDB: removing server_side_encryption with enabled=true results in empty plan #29811

Open isaac-s opened 1 year ago

isaac-s commented 1 year ago

Terraform Core Version

1.3.7

AWS Provider Version

4.57.0

Affected Resource(s)

Expected Behavior

Terraform should yield a plan to remove the server_side_encryption definition, resulting (after application) in encryption "Managed by DynamoDB".

Actual Behavior

Empty plan. Terraform doesn't prompt to change anything in the table.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_dynamodb_table" "my_table" {
  name           = "my-table"
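  billing_mode   = "PROVISIONED"
  # PROVISIONED billing needs both capacities set; 1 is a placeholder value
  read_capacity  = 1
  write_capacity = 1
  hash_key       = "Id"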

  attribute {
    name = "Id"
    type = "S"
  }

  server_side_encryption {
    enabled = true
  }
}

Steps to Reproduce

Apply the configuration above. This will result in a table created with encryption managed by KMS. Then, remove the server_side_encryption block, and run terraform plan. You'd expect Terraform to detect this as a change, but it doesn't.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

fergoid commented 1 year ago

I got the same behaviour with the 'point_in_time_recovery' attribute in provider version 4.63.0. When I changed one of the core attributes the server_side_encryption change was detected.

ethanmills commented 2 months ago

The same also applies to kms_key_arn. This means it's impossible to toggle between Amazon managed key and CMK based on a variable, something like kms_key_arn = var.enabled ? key_arn : null.

I have also tried kms_key_arn = var.enabled ? key_arn : data.aws_kms_alias.dynamo_aws_managed.target_key_arn, but this doesn't work because attempting to set the key ARN explicitly to the value it already is implicitly fails.
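
Because `terraform plan` comes back empty in the case reported in this issue, the encryption mode has to be checked against AWS directly. The following is an added example, not code from the provider or from any commenter: it compares what the `server_side_encryption` block asks for with what a DynamoDB `DescribeTable` response reports. The function names, the category labels and the sample responses (account id and key id included) are constructed for illustration.

```python
"""Compare the encryption a Terraform config asks for with what DescribeTable reports."""

# Constructed, trimmed DescribeTable responses (account id and key id are placeholders).
TABLE_WITH_KMS = {"Table": {"TableName": "my-table", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}}
TABLE_DEFAULT = {"Table": {"TableName": "my-table"}}  # no SSEDescription at all


def intended(sse_block):
    """sse_block: the server_side_encryption block as a dict, or None if it was removed."""
    if not sse_block or not sse_block.get("enabled"):
        return "aws_owned"          # block absent or enabled = false
    if sse_block.get("kms_key_arn"):
        return "customer_managed"   # explicit key ARN in the config
    return "aws_managed"            # enabled = true with no key: alias/aws/dynamodb


def actual(describe_table, key_manager=None):
    """key_manager: KeyMetadata.KeyManager from KMS DescribeKey ("AWS" or "CUSTOMER")."""
    sse = describe_table["Table"].get("SSEDescription")
    if not sse or sse.get("Status") in ("DISABLING", "DISABLED"):
        return "aws_owned"
    # SSEDescription alone does not say who manages the key, so the caller supplies it.
    return {"AWS": "aws_managed", "CUSTOMER": "customer_managed"}.get(
        key_manager, "kms_unknown_manager")


def drift(sse_block, describe_table, key_manager=None):
    """Return a finding string when config and table disagree, else None."""
    want, have = intended(sse_block), actual(describe_table, key_manager)
    if want == have:
        return None
    name = describe_table["Table"]["TableName"]
    return f"{name}: config wants {want}, table has {have}"


if __name__ == "__main__":
    # The reported case: block removed from the config, table still on the KMS key.
    print(drift(None, TABLE_WITH_KMS, "AWS"))
```

In real use the two inputs come from `aws dynamodb describe-table --table-name my-table` and `aws kms describe-key --key-id` with the `KMSMasterKeyArn` from that response.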