hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.77k stars 9.12k forks

[Bug]: sagemaker_domain r_studio_server_pro_app_settings reports drift on every apply if disabled #35382

Open jg-ucsd opened 8 months ago

jg-ucsd commented 8 months ago

Terraform Core Version

1.4.6, 1.7.0

AWS Provider Version

5.1.0, 5.26.0

Affected Resource(s)

r_studio_server_pro_app_settings for aws_sagemaker_domain/default_user_settings, aws_sagemaker_user_profile/user_settings

Expected Behavior

When setting the r_studio_server_pro_app_settings to disabled for the resource aws_sagemaker_user_profile or the resource aws_sagemaker_domain, Terraform should not try to set the r_studio_server_pro_app_settings user_group. Running multiple applies with no code changes should not detect drift regardless.

Actual Behavior

When setting the r_studio_server_pro_app_settings to disabled for the resource aws_sagemaker_user_profile or the resource aws_sagemaker_domain, Terraform repeatedly tries to set the user_group, even without code changes. If you don't set the r_studio_server_pro_app_settings at all you get a similar behavior where TF tries to "reset" access_status = "DISABLED" to null every time Terraform is run.

Running back to back plan/apply with r_studio_server_pro_app_settings access_status set to "disabled" results in a "change" detected for each user and the domain:

aws_sagemaker_domain.sagemaker_domain output:

default_user_settings {

          ~ r_studio_server_pro_app_settings {
              + user_group    = "R_STUDIO_USER"
                # (1 unchanged attribute hidden)
            }

sagemaker_domain.aws_sagemaker_user_profile.default_user output:

user_settings {

          ~ r_studio_server_pro_app_settings {
              + user_group    = "R_STUDIO_USER"
                # (1 unchanged attribute hidden)
            }

Not setting the r_studio_server_pro_app_settings at all results in multiple applies detecting drift as well:

aws_sagemaker_domain.sagemaker_domain output:

 default_user_settings {
            # (2 unchanged attributes hidden)

          - r_studio_server_pro_app_settings {
              - access_status = "DISABLED" -> null
            }

sagemaker_domain.aws_sagemaker_user_profile.default_user output:

 user_settings {
          - r_studio_server_pro_app_settings {
              - access_status = "DISABLED" -> null
            }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_sagemaker_domain" "sagemaker_domain" {
  domain_name = var.domain_name
  auth_mode   = var.auth_mode
  vpc_id      = var.vpc_id
  subnet_ids  = var.subnet_ids

  default_user_settings {
    execution_role  = module.sagemaker_execution_roles.default_user_execution_role
    security_groups = [aws_security_group.sagemaker_sg.id]
    r_studio_server_pro_app_settings {
      access_status = "DISABLED"
    }

    jupyter_server_app_settings {
      default_resource_spec {
        sagemaker_image_arn = var.sagemaker_image_arn
        instance_type       = "system"
      }
    }
  }

  domain_settings {
    security_group_ids = [aws_security_group.sagemaker_sg.id]
  }

  kms_key_id              = module.efs_kms.kms_arn
  app_network_access_type = var.app_network_access_type

  retention_policy {
    home_efs_file_system = var.efs_retention_policy
  }
}

resource "aws_sagemaker_user_profile" "default_user" {
  for_each          = toset(var.user_profiles)
  domain_id         = aws_sagemaker_domain.sagemaker_domain.id
  user_profile_name = each.value

  user_settings {
    execution_role  = module.sagemaker_execution_roles.default_user_execution_role
    security_groups = [aws_security_group.sagemaker_sg.id]

    jupyter_server_app_settings {
      default_resource_spec {
        sagemaker_image_arn = var.sagemaker_image_arn
        instance_type       = "system"
      }
    }
    r_studio_server_pro_app_settings {
      access_status = "DISABLED"
    }
  }
}

Steps to Reproduce

Run terraform plan. Terraform detects wanting to change the r_studio_server_pro_app_settings attribute user_group to "R_STUDIO_USER" even though the access_status is set to "DISABLED". Letting Terraform apply the "changes" and then running apply again with no code changes ends in the same result: Terraform detects a change to the r_studio_server_pro_app_settings attribute user_group to "R_STUDIO_USER".

Debug Output

No response

Panic Output

No response

Important Factoids

Updated to the latest Terraform (1.7) and AWS provider (5.26) with the same results.

References

https://github.com/hashicorp/terraform-provider-aws/issues/33034

Would you like to implement a fix?

None
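A perpetual diff like the one reported above trains reviewers to approve plans that always show changes, so a real change can slip through with it. The following is an added example, not part of the original issue or the provider's code: it triages the output of `terraform show -json` so that only diffs confined to `r_studio_server_pro_app_settings` are treated as the known noise. The `resource_changes[].change` layout is Terraform's plan JSON; the sample plan, the `entry` helper and all resource values are constructed.

```python
import json
import sys

# Block named in the issue; diffs confined to it are the reported perpetual diff.
NOISY_BLOCK = "r_studio_server_pro_app_settings"

def diff_paths(before, after, path=""):
    """Return attribute paths whose values differ between two plan JSON values."""
    if isinstance(before, dict) and isinstance(after, dict):
        keys = sorted(set(before) | set(after))
        return [p for k in keys
                for p in diff_paths(before.get(k), after.get(k), f"{path}.{k}".lstrip("."))]
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        return [p for i, (b, a) in enumerate(zip(before, after))
                for p in diff_paths(b, a, f"{path}[{i}]")]
    return [] if before == after else [path]

def triage(plan):
    """Split planned changes into (known_noise, needs_review) address lists."""
    noise, review = [], []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        paths = diff_paths(change.get("before"), change.get("after"))
        # Noise only if it is an in-place update and every differing path is in the block.
        only_noise = (change["actions"] == ["update"] and bool(paths)
                      and all(NOISY_BLOCK in p for p in paths))
        (noise if only_noise else review).append(rc["address"])
    return noise, review

def entry(address, before, after):
    """Build one constructed resource_changes item (hypothetical helper)."""
    return {"address": address,
            "change": {"actions": ["update"], "before": before, "after": after}}

# Constructed sample mirroring the two plan outputs quoted in the issue, plus one real change.
SAMPLE_PLAN = {"resource_changes": [
    entry("aws_sagemaker_domain.sagemaker_domain",
          {"default_user_settings": [{NOISY_BLOCK: [{"access_status": "DISABLED", "user_group": None}]}]},
          {"default_user_settings": [{NOISY_BLOCK: [{"access_status": "DISABLED", "user_group": "R_STUDIO_USER"}]}]}),
    entry('aws_sagemaker_user_profile.default_user["alice"]',
          {"user_settings": [{NOISY_BLOCK: [{"access_status": "DISABLED"}]}]},
          {"user_settings": [{NOISY_BLOCK: []}]}),
    entry("aws_security_group.sagemaker_sg", {"description": "old"}, {"description": "new"}),
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(dict(zip(("known_noise", "needs_review"), triage(plan))))
```

A resource whose diff touches anything outside the block lands in `needs_review`, so the known noise never hides a real change on the same resource.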
