hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.82k stars 9.17k forks

[Bug]: Empty jupyter_lab_image_config block in aws_sagemaker_app_image_config not persisted #37766

Open minamijoyo opened 5 months ago

minamijoyo commented 5 months ago

Terraform Core Version

1.8.4

AWS Provider Version

5.51.1

Affected Resource(s)

Expected Behavior

The empty jupyter_lab_image_config block is meaningful and should be persisted.

Actual Behavior

The empty jupyter_lab_image_config block is not persisted. Note that terraform apply succeeds, but an InternalFailure error occurs when JupyterLab starts. In addition, a plan diff still remains after apply and never converges.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_version = "1.8.4"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.51.1"
    }
  }
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_sagemaker_app_image_config" "foo" {
  app_image_config_name = "foo"

  jupyter_lab_image_config {}
}

Steps to Reproduce

  1. terraform apply
  2. terraform plan

You can see that the plan diff is still there after apply.

  # aws_sagemaker_app_image_config.foo will be updated in-place
  ~ resource "aws_sagemaker_app_image_config" "foo" {
        id                    = "foo"
        tags                  = {}
        # (3 unchanged attributes hidden)

      + jupyter_lab_image_config {
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The resource doesn't contain the "JupyterLabAppImageConfig":{} parameter.

$ aws sagemaker list-app-image-configs --name-contains foo
{
    "AppImageConfigs": [
        {
            "AppImageConfigArn": "arn:aws:sagemaker:us-east-1:xxxx:app-image-config/foo",
            "AppImageConfigName": "foo",
            "CreationTime": "2024-05-30T10:47:47.054000+09:00",
            "LastModifiedTime": "2024-05-30T10:47:47.057000+09:00"
        }
    ]
}

Debug Output

I checked the trace log and the API request for UpdateAppImageConfig did not contain the "JupyterLabAppImageConfig":{} parameter.

2024-05-30T10:53:12.742+0900 [DEBUG] provider.terraform-provider-aws_v5.51.1_x5: HTTP Request Sent: net.peer.name=api.sagemaker.us-east-1.amazonaws.com aws.region=us-east-1 rpc.method=UpdateAppImageConfig tf_aws.sdk=aws-sdk-go tf_resource_type=aws_sagemaker_app_image_config http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************R374/20240530/us-east-1/sagemaker/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" http.request.header.x_amz_date=20240530T015312Z tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=4c08a435-a553-ae85-5966-2275c733a30c http.url=https://api.sagemaker.us-east-1.amazonaws.com/ @module=aws tf_mux_provider="*schema.GRPCProviderServer" tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.54/logger.go:109 http.method=POST rpc.service=SageMaker http.flavor=1.1
  http.request.body=
  | {"AppImageConfigName":"foo"}
   http.request.header.x_amz_security_token="*****" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.8.4 (+https://www.terraform.io/) terraform-provider-aws/5.51.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.53.8 (go1.22.2; darwin; arm64)" http.request.header.content_type=application/x-amz-json-1.1 http.request.header.x_amz_target=SageMaker.UpdateAppImageConfig http.request_content_length=28 rpc.system=aws-api timestamp="2024-05-30T10:53:12.742+0900"

Panic Output

No response

Important Factoids

As already mentioned in https://github.com/hashicorp/terraform-provider-aws/issues/36828#issuecomment-2051395207, it is possible to persist the jupyter_lab_image_config by including an empty container_config block.

resource "aws_sagemaker_app_image_config" "foo" {
  app_image_config_name = "foo"

  jupyter_lab_image_config {
    container_config {}
  }
}

However, this doesn't persist the empty container_config and results in a plan diff after apply.

  # aws_sagemaker_app_image_config.foo will be updated in-place
  ~ resource "aws_sagemaker_app_image_config" "foo" {
        id                    = "foo"
        tags                  = {}
        # (3 unchanged attributes hidden)

      ~ jupyter_lab_image_config {
          + container_config {}
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

A temporary workaround is to specify ignore_changes to container_config.

resource "aws_sagemaker_app_image_config" "foo" {
  app_image_config_name = "foo"

  jupyter_lab_image_config {
    container_config {}
  }

  lifecycle {
    ignore_changes = [
      jupyter_lab_image_config[0].container_config,
    ]
  }
}

References

https://github.com/hashicorp/terraform-provider-aws/issues/36828

Would you like to implement a fix?

None
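An added illustration, not part of the issue and not the provider's own code: one common way an empty block can drop out of a request body like the one in the trace log above. The Go types and both expand functions are hypothetical stand-ins, and the example assumes the plugin SDK hands an empty nested block to the provider as a one-element list whose element is nil.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for the request shape; only the JSON keys come from the issue.
type jupyterLabAppImageConfig struct{}

type updateAppImageConfigInput struct {
	AppImageConfigName       string                    `json:"AppImageConfigName"`
	JupyterLabAppImageConfig *jupyterLabAppImageConfig `json:"JupyterLabAppImageConfig,omitempty"`
}

// expandDropEmpty treats "block present but empty" the same as "block absent".
// Assumption: an empty block arrives as []interface{}{nil}.
func expandDropEmpty(l []interface{}) *jupyterLabAppImageConfig {
	if len(l) == 0 || l[0] == nil {
		return nil // the nil pointer is then omitted from the JSON body
	}
	return &jupyterLabAppImageConfig{}
}

// expandKeepEmpty only returns nil when the block is absent from the configuration.
func expandKeepEmpty(l []interface{}) *jupyterLabAppImageConfig {
	if len(l) == 0 {
		return nil
	}
	return &jupyterLabAppImageConfig{} // a non-nil pointer serialises as {}
}

// requestBody marshals the request the way a JSON-protocol client would.
func requestBody(cfg *jupyterLabAppImageConfig) string {
	b, err := json.Marshal(updateAppImageConfigInput{
		AppImageConfigName:       "foo",
		JupyterLabAppImageConfig: cfg,
	})
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	emptyBlock := []interface{}{nil} // constructed: jupyter_lab_image_config {}
	fmt.Println(requestBody(expandDropEmpty(emptyBlock)))
	fmt.Println(requestBody(expandKeepEmpty(emptyBlock)))
}
```

The first body is the same 28 bytes as the `http.request.body` in the trace log; the second carries the empty `JupyterLabAppImageConfig` object.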
