hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_dx_gateway_association_proposal showed drift randomly #36632

Open shanukk27 opened 4 months ago

shanukk27 commented 4 months ago

Terraform Core Version

1.5.7

AWS Provider Version

5.24.0

Affected Resource(s)

aws_dx_gateway_association_proposal

Expected Behavior

Randomly, about 3 weeks after the resource was created, aws_dx_gateway_association_proposal showed drift in the AWS account when a plan was run:

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:
  # aws_dx_gateway_association_proposal.middleware_to_shared has been deleted
  - resource "aws_dx_gateway_association_proposal" "middleware_to_shared" {
      - id                                  = "<redacted>" -> null
        # (6 unchanged attributes hidden)
    }

This subsequently caused Terraform to plan the creation of a new resource:

+ resource "aws_dx_gateway_association_proposal" "middleware_to_shared" {
    + allowed_prefixes                    = [
        + "<redacted>/16",
      ]
    + associated_gateway_id               = "vgw-<redacted>"
    + associated_gateway_owner_account_id = (known after apply)
    + associated_gateway_type             = (known after apply)
    + dx_gateway_id                       = "964de4ae-<redacted>"
    + dx_gateway_owner_account_id         = "<redacted>"
    + id                                  = (known after apply)
  }

Actual Behavior

Once the gateway proposal is accepted by the source account, the DX gateway association should be mapped to the proposal. Also, Terraform shouldn't randomly show drift in the aws_dx_gateway_association_proposal resource.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

# Value supplied for the variable (e.g. via a .tfvars file); the CIDR itself is redacted.
cidr            = "<redacted>/16"

variable "cidr" {
  description = ""
}

locals {
  vpc_cidr     = var.cidr
  # data.aws_availability_zones.available and var.nacl_rules are declared elsewhere in the
  # configuration (not shown in this report); only vpc_cidr is used by the proposal below.
  azs          = slice(data.aws_availability_zones.available.names, 0, 3)
  network_acls = var.nacl_rules
}

# Proposes associating this account's virtual private gateway (from the vpc module) with a
# Direct Connect gateway owned by the shared account; the shared account must accept it.
resource "aws_dx_gateway_association_proposal" "middleware_to_shared" {
  dx_gateway_id               = var.shared_dxgw_id    # DX gateway in the shared account
  dx_gateway_owner_account_id = var.shared_account_id # account that owns the DX gateway
  associated_gateway_id       = module.vpc.vgw_id     # this account's VGW
  allowed_prefixes            = tolist([local.vpc_cidr])
}

Steps to Reproduce

Unknown, it happened randomly

Debug Output

In cloudtrail events, we can see:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<redacted>:GitlabRunner-<redacted>-<redacted>",
        "arn": "arn:aws:sts::<redacted>:assumed-role/<redacted>/GitlabRunner-<redacted>-<redacted>",
        "accountId": "<redacted>",
        "accessKeyId": "<redacted>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<redacted>",
                "arn": "arn:aws:iam::<redacted>:role/<redacted>",
                "accountId": "<redacted>",
                "userName": "<redacted>"
            },
            "webIdFederationData": {
                "federatedProvider": "arn:aws:iam::<redacted>:oidc-provider/gitlab.com",
                "attributes": {}
            },
            "attributes": {
                "creationDate": "2024-03-28T05:45:01Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-03-28T05:45:08Z",
    "eventSource": "directconnect.amazonaws.com",
    "eventName": "DescribeDirectConnectGatewayAssociationProposals",
    "awsRegion": "eu-south-2",
    "sourceIPAddress": "<redacted>",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.5.7 (+https://www.terraform.io) terraform-provider-aws/5.42.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.51.4 (go1.21.8; linux; amd64)",
    "errorCode": "DirectConnectClientException",
    "errorMessage": "Direct Connect Gateway Association Proposal ID  has an invalid format.",
    "requestParameters": {
        "proposalId": ""
    },
    "responseElements": null,
    "requestID": "13f58e47-18c3-482f-bf7c-0d75b5750dfa",
    "eventID": "ba46722f-1a0f-42a4-b75c-101d02a5fa7e",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<redacted>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "directconnect.eu-south-2.amazonaws.com"
    }
}

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
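The CloudTrail event quoted in the Debug Output section, turned into a detection filter, as an added example that is not part of the issue or of the provider's code. It assumes CloudTrail records in the standard `Records` array shape and uses constructed sample records with placeholder account ids and role names; the matching signature (Terraform user agent, DescribeDirectConnectGatewayAssociationProposals, DirectConnectClientException, empty proposalId) is taken from the event above.

```python
# Flag CloudTrail records matching the failing lookup in this issue: a Terraform-originated
# DescribeDirectConnectGatewayAssociationProposals call rejected because proposalId is empty.
import json

TARGET_SOURCE = "directconnect.amazonaws.com"
TARGET_EVENT = "DescribeDirectConnectGatewayAssociationProposals"

def is_terraform_agent(user_agent: str) -> bool:
    # The provider names itself in the User-Agent (see the issue's event).
    return "terraform-provider-aws/" in user_agent

def matches_empty_proposal_lookup(record: dict) -> bool:
    if record.get("eventSource") != TARGET_SOURCE or record.get("eventName") != TARGET_EVENT:
        return False
    if record.get("errorCode") != "DirectConnectClientException":
        return False
    proposal_id = (record.get("requestParameters") or {}).get("proposalId")
    # An absent, empty or whitespace-only proposalId is the signature from the issue.
    return proposal_id is None or not str(proposal_id).strip()

def scan_cloudtrail(raw_json: str) -> list[dict]:
    # Returns one summary per matching Terraform call, in log order.
    doc = json.loads(raw_json)
    records = doc.get("Records", [doc]) if isinstance(doc, dict) else doc
    return [
        {"time": r.get("eventTime", ""), "region": r.get("awsRegion", ""),
         "principal": (r.get("userIdentity") or {}).get("arn", ""),
         "error": r.get("errorMessage", "")}
        for r in records
        if matches_empty_proposal_lookup(r) and is_terraform_agent(r.get("userAgent", ""))
    ]

# Constructed sample (placeholder account ids and role names): one record shaped like the
# issue's event, one successful lookup with a well-formed id, and one unrelated call.
TF_AGENT = "APN/1.0 HashiCorp/1.0 Terraform/1.5.7 terraform-provider-aws/5.42.0 aws-sdk-go/1.51.4"
CI_ROLE = "arn:aws:sts::111111111111:assumed-role/ci-role/GitlabRunner-example"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-28T05:45:08Z", "eventSource": TARGET_SOURCE, "eventName": TARGET_EVENT,
     "awsRegion": "eu-south-2", "errorCode": "DirectConnectClientException",
     "errorMessage": "Direct Connect Gateway Association Proposal ID  has an invalid format.",
     "requestParameters": {"proposalId": ""}, "userIdentity": {"arn": CI_ROLE}, "userAgent": TF_AGENT},
    {"eventTime": "2024-03-28T05:50:00Z", "eventSource": TARGET_SOURCE, "eventName": TARGET_EVENT,
     "awsRegion": "eu-south-2", "requestParameters": {"proposalId": "00000000-0000-4000-8000-000000000000"},
     "userIdentity": {"arn": CI_ROLE}, "userAgent": TF_AGENT},
    {"eventTime": "2024-03-28T06:00:00Z", "eventSource": TARGET_SOURCE, "eventName": "DescribeDirectConnectGateways",
     "awsRegion": "eu-south-2", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "userAgent": "aws-cli/2.15.0"},
]})
```

Running `scan_cloudtrail` over a real export lets you correlate the timestamp of the failed lookup with the plan run that reported the resource as deleted.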

github-actions[bot] commented 4 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue