[Bug]: terraform plan shows change in `sagemaker_image_arn`

[apwrk]

Terraform Core Version

1.5.0

AWS Provider Version

5.48.0

Affected Resource(s)

#Top level resource
resource "aws_sagemaker_domain" "domain" {
  domain_name                   = var.domain_name
  auth_mode                     = "IAM"
  vpc_id                        = var.vpc_id
  subnet_ids                    = var.private_subnets
  kms_key_id                    = var.s3_kms_key_id
  app_network_access_type       = "VpcOnly"
  app_security_group_management = "Customer"
  default_user_settings {
    execution_role  = aws_iam_role.domain_execution_role.arn
    security_groups = [aws_security_group.sagemaker-interactive.id, var.vpc_endpoint_security_group]
    jupyter_server_app_settings {
      default_resource_spec {
        lifecycle_config_arn = var.auto_shutdown_arn
        sagemaker_image_arn  = "arn:aws:sagemaker:eu-west-1:470317259841:image/jupyter-server-3"
        instance_type        = "system"
      }
      lifecycle_config_arns = [var.auto_shutdown_arn,
      var.disable_download_button_arn]
    }
  }
  domain_settings {
    execution_role_identity_config = "USER_PROFILE_NAME"
    security_group_ids             = [aws_security_group.sagemaker-interactive.id, var.vpc_endpoint_security_group]
  }
  retention_policy {
    home_efs_file_system = var.efs_retention_policy
  }
}

Expected Behavior

Once the resource is created subsequent plans should not show a change in the resource

Actual Behavior

Every plan after the resource creation shows

! resource "aws_sagemaker_app" "jupyter_gateway_ds" {
        id                = "arn:aws:sagemaker:eu-west-1:xxxxxxx:app/d-xxxxxx/xxxxxxxxxx/jupyterserver/default"
        tags              = {}
        # (6 unchanged attributes hidden)

!       resource_spec {
!           sagemaker_image_arn  = "arn:aws:ecr:eu-west-1:470317259841:repository/looseleaf-jupyter-server-3" -> "arn:aws:sagemaker:eu-west-1:470317259841:image/jupyter-server-3"
            # (2 unchanged attributes hidden)
        }
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

#Top level resource
resource "aws_sagemaker_domain" "domain" {
  domain_name                   = var.domain_name
  auth_mode                     = "IAM"
  vpc_id                        = var.vpc_id
  subnet_ids                    = var.private_subnets
  kms_key_id                    = var.s3_kms_key_id
  app_network_access_type       = "VpcOnly"
  app_security_group_management = "Customer"
  default_user_settings {
    execution_role  = aws_iam_role.domain_execution_role.arn
    security_groups = [aws_security_group.sagemaker-interactive.id, var.vpc_endpoint_security_group]
    jupyter_server_app_settings {
      default_resource_spec {
        lifecycle_config_arn = var.auto_shutdown_arn
        sagemaker_image_arn  = "arn:aws:sagemaker:eu-west-1:470317259841:image/jupyter-server-3"
        instance_type        = "system"
      }
      lifecycle_config_arns = [var.auto_shutdown_arn,
      var.disable_download_button_arn]
    }
  }
  domain_settings {
    execution_role_identity_config = "USER_PROFILE_NAME"
    security_group_ids             = [aws_security_group.sagemaker-interactive.id, var.vpc_endpoint_security_group]
  }
  retention_policy {
    home_efs_file_system = var.efs_retention_policy
  }
}

Steps to Reproduce

create resource using terraform apply

then do terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[deepakbshetty]

Hi @DrFaust92, Need your view here.

There is Computed: true at both default_resource_spec and sagemaker_image_arn. Potentially the sagemaker_image_arn one can be removed and is causing the drift ? https://github.com/hashicorp/terraform-provider-aws/blob/d5a0a582ad9309f5e1006a64de24627a49f60f5d/internal/service/sagemaker/app.go#L86