hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: `aws_guardduty_detector_feature` `additional_configuration` blocks must be in a particular order, else they force replacement on every run #36400

Open eide opened 5 months ago

eide commented 5 months ago

Terraform Core Version

1.7.5

AWS Provider Version

5.41.0

Affected Resource(s)

Expected Behavior

"No changes. Your infrastructure matches the configuration."

Actual Behavior

Terraform wants to do the following state changes every time:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_guardduty_detector_feature.runtime_monitoring must be replaced
-/+ resource "aws_guardduty_detector_feature" "runtime_monitoring" {
      ~ id          = "<redacted>/RUNTIME_MONITORING" -> (known after apply)
        name        = "RUNTIME_MONITORING"
        # (2 unchanged attributes hidden)

      ~ additional_configuration {
          ~ name   = "EKS_ADDON_MANAGEMENT" -> "ECS_FARGATE_AGENT_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
      ~ additional_configuration {
          ~ name   = "ECS_FARGATE_AGENT_MANAGEMENT" -> "EKS_ADDON_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_guardduty_detector" "this" {
  enable = true
}

resource "aws_guardduty_detector_feature" "this" {
  for_each = toset([
    "S3_DATA_EVENTS",
    "EKS_AUDIT_LOGS",
    "EBS_MALWARE_PROTECTION",
    "RDS_LOGIN_EVENTS",
    "LAMBDA_NETWORK_LOGS"
  ])

  detector_id = aws_guardduty_detector.this.id
  name        = each.value
  status      = "ENABLED"
}

resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}

Steps to Reproduce

In an AWS account with GuardDuty disabled, run terraform apply to apply the changes. Then re-run terraform apply. Every invocation will see state changes.

Debug Output

No response

Panic Output

No response

Important Factoids

Re-ordering the additional_configuration blocks makes the state happy:

resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

This configuration, ordered "EKS_ADDON_MANAGEMENT" first and then "ECS_FARGATE_AGENT_MANAGEMENT", will be stable and say "No changes. Your infrastructure matches the configuration." on subsequent runs of terraform apply.

References

No response

Would you like to implement a fix?

No
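The mechanism the plan output points to, shown as an added Go example (not code from the provider or from the reporter): a positional comparison of the `additional_configuration` blocks reports a diff whenever the API returns them in a different order than the configuration lists them, while a comparison keyed by block name reports only genuine additions, removals or status changes. The config and state lists are constructed from the two orders shown in this issue; the function names are assumptions.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// AdditionalConfiguration mirrors one additional_configuration block (name, status).
type AdditionalConfiguration struct {
	Name   string
	Status string
}

// OrderedEqual is the positional comparison a list-typed nested block gets:
// the same blocks in another order look like two changed names.
func OrderedEqual(config, state []AdditionalConfiguration) bool {
	return reflect.DeepEqual(config, state)
}

// DiffByName keys both sides by block name, so order is irrelevant and only
// real differences (added, removed or status-changed blocks) are reported.
func DiffByName(config, state []AdditionalConfiguration) []string {
	want, have := map[string]string{}, map[string]string{}
	for _, c := range config {
		want[c.Name] = c.Status
	}
	for _, s := range state {
		have[s.Name] = s.Status
	}
	var changes []string
	for name, status := range want {
		if cur, ok := have[name]; !ok {
			changes = append(changes, name+": add")
		} else if cur != status {
			changes = append(changes, name+": "+cur+" -> "+status)
		}
	}
	for name := range have {
		if _, ok := want[name]; !ok {
			changes = append(changes, name+": remove")
		}
	}
	sort.Strings(changes) // map iteration order is random; make output stable
	return changes
}
func main() {
	// Constructed sample: config order as written in the issue, state order as the plan shows it read back.
	config := []AdditionalConfiguration{{"ECS_FARGATE_AGENT_MANAGEMENT", "ENABLED"}, {"EKS_ADDON_MANAGEMENT", "ENABLED"}}
	state := []AdditionalConfiguration{{"EKS_ADDON_MANAGEMENT", "ENABLED"}, {"ECS_FARGATE_AGENT_MANAGEMENT", "ENABLED"}}
	fmt.Println(OrderedEqual(config, state), DiffByName(config, state)) // false []
}
```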

connorhsm commented 5 months ago

This is likely to also be an issue for the similar resource aws_guardduty_organization_configuration_feature.

joelmccoy commented 4 months ago

I would like to take a stab at fixing this.