[Bug]: Constant drift with empty tags for framework resources

[kkopachev]

Terraform Core Version

1.8.5

AWS Provider Version

5.56.0

Affected Resource(s)

• aws_networkmonitor_monitor
• aws_eks_pod_identity_association

possibly other resources with tags/tags_all and using framework resource

Expected Behavior

No changes. Your infrastructure matches the configuration.

Actual Behavior

tags are marked for update on every apply:

Terraform will perform the following actions:

  # aws_networkmonitor_monitor.example will be updated in-place
  ~ resource "aws_networkmonitor_monitor" "example" {
        id                 = "example"
      + tags               = {}
        # (4 unchanged attributes hidden)
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"

  default_tags {
    tags = {
      env                 = "staging"
      project             = "staging"
    }
  }
}

terraform {
  backend "local" {
    path = "state.json"
  }
}

resource "aws_networkmonitor_monitor" "example" {
  aggregation_period = 30
  monitor_name       = "example"

  tags = {}
}

Steps to Reproduce

1. run terraform apply to get resource created for the first time
2. run terraform plan to see the issue:

   # aws_networkmonitor_monitor.example will be updated in-place
   ~ resource "aws_networkmonitor_monitor" "example" {
       id                 = "example"
     + tags               = {}
       # (4 unchanged attributes hidden)
   }

Debug Output

2024-06-27T23:37:16.663-0700 [INFO]  Terraform version: 1.8.5
2024-06-27T23:37:16.663-0700 [INFO]  Go runtime version: go1.22.1
2024-06-27T23:37:16.663-0700 [INFO]  CLI args: []string{"terraform", "plan"}
2024-06-27T23:37:16.663-0700 [INFO]  Loading CLI configuration from /home/kkopachev/.terraformrc
2024-06-27T23:37:16.664-0700 [INFO]  CLI command args: []string{"plan"}
2024-06-27T23:37:17.064-0700 [INFO]  backend/local: starting Plan operation
2024-06-27T23:37:17.065-0700 [INFO]  provider: configuring client automatic mTLS
2024-06-27T23:37:17.337-0700 [INFO]  provider.terraform-provider-aws_v5.56.0_x5: configuring server automatic mTLS: timestamp=2024-06-27T23:37:17.337-0700
2024-06-27T23:37:18.531-0700 [INFO]  provider: configuring client automatic mTLS
2024-06-27T23:37:18.779-0700 [INFO]  provider.terraform-provider-aws_v5.56.0_x5: configuring server automatic mTLS: timestamp=2024-06-27T23:37:18.779-0700
2024-06-27T23:37:19.032-0700 [INFO]  backend/local: plan calling Plan
2024-06-27T23:37:19.033-0700 [INFO]  provider: configuring client automatic mTLS
2024-06-27T23:37:19.298-0700 [INFO]  provider.terraform-provider-aws_v5.56.0_x5: configuring server automatic mTLS: timestamp=2024-06-27T23:37:19.297-0700
2024-06-27T23:37:19.453-0700 [INFO]  provider.terraform-provider-aws_v5.56.0_x5: Retrieved credentials: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:39 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_aws.credentials_source=EnvConfigCredentials tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=1b2c0e6a-1aa1-b03f-f19f-bff325a1f1c2 tf_rpc=ConfigureProvider @module=aws.aws-base timestamp=2024-06-27T23:37:19.453-0700
2024-06-27T23:37:19.786-0700 [INFO]  provider.terraform-provider-aws_v5.56.0_x5: Retrieved caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:39 tf_mux_provider="*schema.GRPCProviderServer" @module=aws.aws-base tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=1b2c0e6a-1aa1-b03f-f19f-bff325a1f1c2 tf_rpc=ConfigureProvider timestamp=2024-06-27T23:37:19.786-0700
aws_networkmonitor_monitor.example: Refreshing state... [id=example]
2024-06-27T23:37:20.205-0700 [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an unexpected new value for aws_networkmonitor_monitor.example during refresh.
      - .tags: was cty.MapValEmpty(cty.String), but now null
2024-06-27T23:37:20.251-0700 [INFO]  backend/local: plan operation completed

notice second to last line

Panic Output

No response

Important Factoids

No response

References

• Same bug reported previously

• I've traced the issue down to this line. I think it is incorrect to assume tags should be null map. Possibly stateTags value should also be read from current state. My suggestion is to add on line 520

  response.State.GetAttribute(ctx, path.Root(names.AttrTags), &stateTags)

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.