hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: AWS-side changes to CodeBuild project causes `secondary_sources` block diffs with `aws_codebuild_project` #37052

Open acwwat opened 2 months ago

acwwat commented 2 months ago

Terraform Core Version

1.7.5

AWS Provider Version

1.46.0

Affected Resource(s)

aws_codebuild_project

Expected Behavior

While working on and validating a fix for #36987, many acceptance tests failed due to some unexpected differences, one of which is related to attributes in the secondary_sources config block. See the error message below. It seems that after a recent update (most likely on the server side), the provider started reporting differences in the configuration block for attributes including git_clone_depth, insecure_ssl, and report_build_status. The diff also seems to be replacing the blocks instead of updating them with the attributes; maybe that's another point of interest. Since one of the attributes is report_build_status, I wonder if it's related to #37051 as well. At a quick glance I didn't see any recent code changes to the resource code that would have caused this. I would have fixed this myself (e.g. by setting default values in the resource schema) but I am not sure what the best approach would be, so I'd like someone more experienced to assist with this fix.

Acceptance tests should not fail or generate diff.

Actual Behavior

Many acceptance test cases failed.

Relevant Error/Panic Output Snippet

=== NAME  TestAccCodeBuildProject_SecondarySources_codeCommit
    project_test.go:2785: Step 1/1 error: After applying this test step, the non-refresh plan was not empty.
        stdout:

        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place

        Terraform will perform the following actions:

          # aws_codebuild_project.test will be updated in-place
          ~ resource "aws_codebuild_project" "test" {
                id                     = "arn:aws:codebuild:us-west-2:100180206982:project/tf-acc-test-6354767302756690707"
                name                   = "tf-acc-test-6354767302756690707"
                # (9 unchanged attributes hidden)

              ~ environment {
                    # (5 unchanged attributes hidden)

                  - environment_variable {
                      - name  = "CODEBUILD_CONFIG_AUTO_DISCOVER" -> null
                      - type  = "PLAINTEXT" -> null
                      - value = "true" -> null
                    }
                }

              - secondary_sources {
                  - location          = "https://git-codecommit.region-id.amazonaws.com/v1/repos/second-repo-name" -> null
                  - source_identifier = "secondarySource1" -> null
                  - type              = "CODECOMMIT" -> null
                }
              - secondary_sources {
                  - location          = "https://git-codecommit.region-id.amazonaws.com/v1/repos/third-repo-name" -> null
                  - source_identifier = "secondarySource2" -> null
                  - type              = "CODECOMMIT" -> null
                }
              + secondary_sources {
                  + git_clone_depth     = 0
                  + insecure_ssl        = false
                  + location            = "https://git-codecommit.region-id.amazonaws.com/v1/repos/second-repo-name"
                  + report_build_status = false
                  + source_identifier   = "secondarySource1"
                  + type                = "CODECOMMIT"
                }
              + secondary_sources {
                  + git_clone_depth     = 0
                  + insecure_ssl        = false
                  + location            = "https://git-codecommit.region-id.amazonaws.com/v1/repos/third-repo-name"
                  + report_build_status = false
                  + source_identifier   = "secondarySource2"
                  + type                = "CODECOMMIT"
                }

                # (4 unchanged blocks hidden)
            }

        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccCodeBuildProject_SourceGitSubmodules_codeCommit (32.21s)

Terraform Configuration Files

resource "aws_codebuild_project" "test" {
  name         = "my-test-5z59h5slrc"
  service_role = aws_iam_role.test.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "2"
    type         = "LINUX_CONTAINER"
  }

  source {
    location = "https://git-codecommit.region-id.amazonaws.com/v1/repos/repo-name"
    type     = "CODECOMMIT"
  }

  secondary_sources {
    location          = "https://git-codecommit.region-id.amazonaws.com/v1/repos/second-repo-name"
    type              = "CODECOMMIT"
    source_identifier = "secondarySource1"
  }

  secondary_sources {
    location          = "https://git-codecommit.region-id.amazonaws.com/v1/repos/third-repo-name"
    type              = "CODECOMMIT"
    source_identifier = "secondarySource2"
  }
}

resource "aws_iam_role" "test" {
  name = "my-test-5z59h5slrc"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "codebuild.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

resource "aws_iam_role_policy" "test" {
  name = "my-test-5z59h5slrc"
  role = aws_iam_role.test.name

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:GetBucketLocation"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ]
    }
  ]
}
POLICY
}

Steps to Reproduce

Simply run the acceptance tests for the codebuild package, for example:

make testacc PKG=codebuild TESTS=TestAccCodeBuildProject_SecondarySources_codeCommit

Alternatively, extract one of the test cases, such as the configuration above, and apply it once to create the resource, then apply it again to see the unexpected update.

Debug Output

n/a

Panic Output

n/a

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
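The plan in the report removes each secondary_sources block and re-adds it rather than updating it in place, which is how a set-typed block behaves: a set element has no stable address, only an identity derived from its full content, so an element whose git_clone_depth, insecure_ssl and report_build_status are null is a different element from one that carries 0/false/false. The Go program below is an added example written for this page; it is not provider code and not the terraform-plugin-sdk's hashing implementation, only a small model of that identity rule. It compares the prior and planned elements taken from the plan output above under two hypothetical schemas, one with no defaults and one where the three attributes default to 0/false/false as the reporter suggests, and it includes a check for the one attribute in this diff that matters for security, insecure_ssl. All names (Element, Schema, normalize, identity, diffSet, insecureSources) and the sample data are the example's own.

```go
package main

import "fmt"

// Element models one secondary_sources block; a missing key means "not set".
type Element map[string]any

// Schema maps attribute name to its default; nil means Optional without Default.
type Schema map[string]any

// Only the attributes visible in the plan. schemaWithDefaults is a hypothetical
// fix along the lines the reporter suggests, not the provider's actual schema.
var (
	schemaNoDefaults = Schema{"location": nil, "source_identifier": nil, "type": nil,
		"git_clone_depth": nil, "insecure_ssl": nil, "report_build_status": nil}
	schemaWithDefaults = Schema{"location": nil, "source_identifier": nil, "type": nil,
		"git_clone_depth": 0, "insecure_ssl": false, "report_build_status": false}
)

// normalize fills schema defaults for attributes e lacks and drops unknown keys.
func normalize(e Element, s Schema) Element {
	out := Element{}
	for k, def := range s {
		if v, ok := e[k]; ok {
			out[k] = v
		} else if def != nil {
			out[k] = def
		}
	}
	return out
}

// identity serializes the whole element (fmt prints map keys in sorted order).
// A set element is identified by its complete content, the way a TypeSet hashes
// it, so any attribute difference is a different element: that is why the plan
// shows -/+ block pairs rather than ~ in-place updates.
func identity(e Element) string {
	return fmt.Sprint(e)
}

// only returns the normalized elements of xs whose identity is absent from ys.
func only(xs, ys []Element, s Schema) (out []Element) {
	have := map[string]bool{}
	for _, y := range ys {
		have[identity(normalize(y, s))] = true
	}
	for _, x := range xs {
		if n := normalize(x, s); !have[identity(n)] {
			out = append(out, n)
		}
	}
	return out
}

// diffSet returns what a set comparison removes (only in prior) and adds (only
// in planned) once both sides are normalized with the same schema.
func diffSet(prior, planned []Element, s Schema) (removed, added []Element) {
	return only(prior, planned, s), only(planned, prior, s)
}

// insecureSources lists source_identifiers whose insecure_ssl resolves to true
// after defaults: the one attribute in this diff that disables TLS verification.
func insecureSources(elems []Element, s Schema) (ids []string) {
	for _, e := range elems {
		n := normalize(e, s)
		if v, _ := n["insecure_ssl"].(bool); v {
			ids = append(ids, fmt.Sprint(n["source_identifier"]))
		}
	}
	return ids
}

// Constructed from the plan in the issue: prior state lacks the three
// attributes; the planned value carries them as zero values.
const repoBase = "https://git-codecommit.region-id.amazonaws.com/v1/repos/"

var priorState = []Element{
	{"location": repoBase + "second-repo-name", "source_identifier": "secondarySource1", "type": "CODECOMMIT"},
	{"location": repoBase + "third-repo-name", "source_identifier": "secondarySource2", "type": "CODECOMMIT"},
}

var plannedState = []Element{
	{"location": repoBase + "second-repo-name", "source_identifier": "secondarySource1", "type": "CODECOMMIT",
		"git_clone_depth": 0, "insecure_ssl": false, "report_build_status": false},
	{"location": repoBase + "third-repo-name", "source_identifier": "secondarySource2", "type": "CODECOMMIT",
		"git_clone_depth": 0, "insecure_ssl": false, "report_build_status": false},
}

func main() {
	for _, s := range []Schema{schemaNoDefaults, schemaWithDefaults} {
		removed, added := diffSet(priorState, plannedState, s)
		fmt.Printf("%d to remove, %d to add, insecure sources: %v\n",
			len(removed), len(added), insecureSources(plannedState, s))
	}
}
```

Without defaults the model reproduces the plan above (2 removed, 2 added); with the same defaults applied to both sides the diff is empty. Two cautions when this gets fixed in the provider or worked around in a configuration: whatever mechanism makes the sides agree (schema defaults, a DiffSuppressFunc, or normalizing what Read stores) must resolve insecure_ssl to false, since that attribute controls TLS certificate verification for the secondary source, and a lifecycle ignore_changes entry covering the whole secondary_sources block is a poor workaround because it would also hide a later out-of-band change to insecure_ssl = true on the project.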
