[Bug]: Terraform should ignore 'aws:' prefixed tags as they are reserved and cannot be updated or deleted

[MikShma]

Terraform Core Version

v1.6.4

AWS Provider Version

v5.5.0

Affected Resource(s)

aws_codebuild_project

Expected Behavior

terraform should ignore aws: system tags for "aws_codebuild_project" resources. The issue has been resolved for some resources in https://github.com/hashicorp/terraform/pull/7454

Actual Behavior

│ Error: updating CodeBuild project (codebuild-name): InvalidInputException: Caller is an end user and not allowed to mutate system tags. │ │ with aws_codebuild_project.codebuild_name, │ on aws-cicd.tf line 168, in resource "aws_codebuild_project" "codebuild_name": │ 168: resource "aws_codebuild_project" "codebuild_name" {

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

import { to = aws_codebuild_project.codebuild_name id = "codebuild-name" } resource "aws_codebuild_project" "codebuild_name" { .... }

Steps to Reproduce

1. import "aws_codebuild_project" resource that was created by CloudFormation with AWS system tags, e.g. aws:cloudformation:stack-name'
2. update "aws_codebuild_project" terraform resource code, e.g. change "artifacts location"
3. terraform apply

Debug Output

2024-02-13T12:11:28.323+0100 [TRACE] GRPCProvider: GetProviderSchema 2024-02-13T12:11:28.323+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for aws_codebuild_project.codebuild_name 2024-02-13T12:11:28.324+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for aws_codebuild_project.codebuild_name 2024-02-13T12:11:28.325+0100 [TRACE] evalApplyProvisioners: aws_codebuild_project.codebuild_name is not freshly-created, so no provisioning is required 2024-02-13T12:11:28.325+0100 [TRACE] GRPCProvider: GetProviderSchema 2024-02-13T12:11:28.325+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for aws_codebuild_project.codebuild_name 2024-02-13T12:11:28.325+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for aws_codebuild_project.codebuild_name 2024-02-13T12:11:28.329+0100 [DEBUG] State storage *remote.State declined to persist a state snapshot 2024-02-13T12:11:28.330+0100 [ERROR] vertex "aws_codebuild_project.codebuild_name" error: updating CodeBuild project (codebuild-name): InvalidInputException: Caller is an end user and not allowed to mutate system tags. 2024-02-13T12:11:28.330+0100 [TRACE] vertex "aws_codebuild_project.codebuild_name": visit complete, with errors 2024-02-13T12:11:28.330+0100 [DEBUG] provider.terraform-provider-aws_v5.5.0_x5: HTTP Response Received: @module=aws aws.operation=UpdateProject aws.sdk=aws-sdk-go http.response.body= | {"__type":"Inva***tion","message":"Caller is an end user and not allowed to mutate system tags."} http.response.header.x_amzn_requestid=1d77924f-*3ca61 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_mux_provider="schema.GRPCProviderServer" aws.service=CodeBuild http.response.header.date="Tue, 13 Feb 2024 11:11:17 GMT" tf_req_id=3544216*966 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.31/logger.go:144 aws.region=us-east-1 http.duration=10705 http.response.header.content_type=application/x-amz-json-1.1 http.response_content_length=107 http.status_code=400 tf_resource_type=aws_codebuild_project tf_rpc=ApplyResourceChange timestamp="2024-02-13T12:11:28.330+0100" 2024-02-13T12:11:28.331+0100 [TRACE] provider.terraform-provider-aws_v5.5.0_x5: Called downstream: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=3544*7966 @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.26.1/helper/schema/resource.go:848 @module=sdk.helper_schema tf_mux_provider="*schema.GRPCProviderServer" tf_resource_type=aws_codebuild_project tf_rpc=ApplyResourceChange timestamp="2024-02-13T12:11:28.330+0100" 2024-02-13T12:11:28.331+0100 [TRACE] provider.terraform-provider-aws_v5.5.0_x5: Received downstream response: diagnostic_warning_count=0 tf_proto_version=5.3 @caller=github.com/hashicorp/terraform-plugin-go@v0.15.0/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 tf_req_duration_ms=10710 tf_resource_type=aws_codebuild_project diagnostic_error_count=1 tf_rpc=ApplyResourceChange tf_provider_addr=registry.terraform.io/hashicorp/aws @module=sdk.proto tf_req_id=3544266 timestamp="2024-02-13T12:11:28.331+0100" 2024-02-13T12:11:28.332+0100 [ERROR] provider.terraform-provider-aws_v5.5.0_x5: Response contains error diagnostic: tf_req_id=3544237966 tf_rpc=ApplyResourceChange diagnostic_detail="" diagnostic_severity=ERROR tf_resource_type=aws_codebuild_project @caller=github.com/hashicorp/terraform-plugin-go@v0.15.0/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_summary="updating CodeBuild project (codebuild-name): InvalidInputException: Caller is an end user and not allowed to mutate system tags." tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2024-02-13T12:11:28.331+0100"

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[steven-harrison]

I've been bumping into this also, and I've come to the conclusion that this particular bug may not be a bug in the Terraform AWS Provider, but a bug in the AWS API itself.

I believe that the Codebuild resources that are provisioned by Cloudformation do get the system level (i.e. aws:*) tags, but these system-level tags are not exposed to the Terraform Provider through the AWS SDK when trying to retrieve all the tags on the Project.

As the tag map needs to be completely replaced when updating a Codebuild Project, AWS complains that the Terraform provider is trying to remove the system level tags that Terraform didn't know about in the first place.

This likely only happens in the edge case when someone is trying to import a Codebuild Project that was initially provisioned by Cloudformation.