hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_config_configuration_recorder fails to remove exclusion #38820

Open kwevers opened 1 month ago

kwevers commented 1 month ago

Terraform Core Version

1.9.4

AWS Provider Version

5.62.0

Affected Resource(s)

Expected Behavior

When a config recorder has been created with an exclusion_by_resource_types exclusion enabled it should be possible to remove the exclusions.

Actual Behavior

Modifying the existing recorder fails with an InvalidRecordingGroupException

Relevant Error/Panic Output Snippet

```shell
Error: putting ConfigService Configuration Recorder (recorder): operation error Config Service: PutConfigurationRecorder, https response error StatusCode: 400, RequestID: 343d6b46-1754-4798-9476-426daec08bf2, InvalidRecordingGroupException: The recording group provided is not valid
```

Terraform Configuration Files

```hcl
data "aws_iam_role" "this" {
  name = "AWSConfig"
}

resource "aws_config_configuration_recorder" "this" {
  name     = "recorder"
  role_arn = data.aws_iam_role.this.arn

  recording_group {
    all_supported = false
    exclusion_by_resource_types {
      resource_types = ["AWS::EC2::EC2Fleet"]
    }
    recording_strategy {
      use_only = "EXCLUSION_BY_RESOURCE_TYPES"
    }
  }
}
```

Steps to Reproduce

  1. Create a config recorder with an exclusion

  2. Modify the config recorder to include all types:

```hcl
resource "aws_config_configuration_recorder" "this" {
  name     = "recorder"
  role_arn = data.aws_iam_role.this.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}
```

  3. Run `terraform apply`. The following changes are shown:

```shell
Terraform will perform the following actions:

  # aws_config_configuration_recorder.this will be updated in-place
  ~ resource "aws_config_configuration_recorder" "this" {
        id       = "recorder"
        name     = "recorder"
        # (1 unchanged attribute hidden)

      ~ recording_group {
          ~ all_supported                 = false -> true
          ~ include_global_resource_types = false -> true
            # (1 unchanged attribute hidden)

            # (2 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

  4. The request fails:
```shell
aws_config_configuration_recorder.this: Modifying... [id=recorder]
╷
│ Error: putting ConfigService Configuration Recorder (recorder): operation error Config Service: PutConfigurationRecorder, https response error StatusCode: 400, RequestID: b2f68142-e45b-46f7-be84-9f5bea414c4e, InvalidRecordingGroupException: The recording group provided is not valid
│ 
│   with aws_config_configuration_recorder.this,
│   on main.tf line 114, in resource "aws_config_configuration_recorder" "this":
│  114: resource "aws_config_configuration_recorder" "this" {
│ 
╵

Do note that in step 3 there are 2 unchanged blocks. This is the state of the resource before the change:

```shell
terraform state show aws_config_configuration_recorder.this
# aws_config_configuration_recorder.this:
resource "aws_config_configuration_recorder" "this" {
    id       = "recorder"
    name     = "recorder"
    role_arn = "arn:aws:iam::511330993215:role/AWSConfig"

    recording_group {
        all_supported                 = false
        include_global_resource_types = false
        resource_types                = []

        exclusion_by_resource_types {
            resource_types = [
                "AWS::EC2::EC2Fleet",
            ]
        }

        recording_strategy {
            use_only = "EXCLUSION_BY_RESOURCE_TYPES"
        }
    }

    recording_mode {
        recording_frequency = "CONTINUOUS"
    }
}
```

So it seems like the exclusion_by_resource_types and recording_strategy blocks don't get cleaned up when removing them from the Terraform config. Explicitly setting them to empty does show them in the diff, but the request still fails. Resource definition:

```hcl
resource "aws_config_configuration_recorder" "this" {
  name     = "recorder"
  role_arn = data.aws_iam_role.this.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
    exclusion_by_resource_types {

    }
    recording_strategy {

    }
  }
}
```

Output:

```shell
Terraform will perform the following actions:

  # aws_config_configuration_recorder.this will be updated in-place
  ~ resource "aws_config_configuration_recorder" "this" {
        id       = "recorder"
        name     = "recorder"
        # (1 unchanged attribute hidden)

      ~ recording_group {
          ~ all_supported                 = false -> true
          ~ include_global_resource_types = false -> true
            # (1 unchanged attribute hidden)

          ~ exclusion_by_resource_types {
              ~ resource_types = [
                  - "AWS::EC2::EC2Fleet",
                ]
            }

          ~ recording_strategy {
              - use_only = "EXCLUSION_BY_RESOURCE_TYPES" -> null
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions in workspace "id853249-2c949b-splaas"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_config_configuration_recorder.this: Modifying... [id=recorder]
╷
│ Error: putting ConfigService Configuration Recorder (recorder): operation error Config Service: PutConfigurationRecorder, https response error StatusCode: 400, RequestID: 91d3286d-d25e-4a38-9b0d-f1a3bb607e6a, InvalidRecordingGroupException: The recording group provided is not valid
│ 
│   with aws_config_configuration_recorder.this,
│   on main.tf line 124, in resource "aws_config_configuration_recorder" "this":
│  124: resource "aws_config_configuration_recorder" "this" {
│ 
╵
```

Debug Output

tf.log

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
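The failure above only surfaces once `PutConfigurationRecorder` rejects the request, after the plan has already been approved. The following preflight script is an added example for this report; it is not part of the issue or of the provider's code. It reads a `terraform show -json plan.out` document and flags any `aws_config_configuration_recorder` whose planned `recording_group` mixes `all_supported = true` with a lingering exclusion list or an `EXCLUSION_BY_RESOURCE_TYPES` strategy, which is the combination the API rejected here (the rule set is taken from the RecordingGroup documentation and the behaviour shown in this issue, and is an assumption of the example). The embedded plan document is a constructed, trimmed mirror of the plan in step 3, in which the two "unchanged blocks hidden" survive into `after`; the script name `preflight_recorder.py` is hypothetical.

```python
"""Preflight check: flag aws_config_configuration_recorder updates whose planned
recording_group keeps exclusion settings next to all_supported = true.

Usage: terraform show -json plan.out | python preflight_recorder.py
Without piped input the constructed sample plan below is checked instead.
"""
import json
import sys

# Combination rejected with InvalidRecordingGroupException in this issue (assumed rule,
# consistent with the AWS RecordingGroup documentation): all_supported = true together
# with a non-empty exclusion list or an EXCLUSION_BY_RESOURCE_TYPES strategy.
EXCLUSION_STRATEGY = "EXCLUSION_BY_RESOURCE_TYPES"
RECORDER_TYPE = "aws_config_configuration_recorder"


def recording_group_conflicts(group):
    """Return human-readable reasons why the API would reject `group`.

    `group` is one element of the `recording_group` list as it appears in the
    `terraform show -json` representation of the resource (nested blocks are lists).
    """
    problems = []
    if not group.get("all_supported"):
        return problems  # only the all_supported = true form is checked here
    for exclusion in group.get("exclusion_by_resource_types") or []:
        excluded = exclusion.get("resource_types") or []
        if excluded:
            problems.append(
                "all_supported = true but exclusion_by_resource_types still lists %s"
                % ", ".join(excluded)
            )
    for strategy in group.get("recording_strategy") or []:
        if strategy.get("use_only") == EXCLUSION_STRATEGY:
            problems.append(
                "all_supported = true but recording_strategy.use_only is still %s"
                % EXCLUSION_STRATEGY
            )
    return problems


def check_plan(plan_json):
    """Scan a `terraform show -json` plan; return (address, reason) pairs for every
    recorder whose planned (`after`) recording_group the API would reject."""
    plan = json.loads(plan_json)
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != RECORDER_TYPE:
            continue
        after = change.get("change", {}).get("after") or {}
        for group in after.get("recording_group") or []:
            for reason in recording_group_conflicts(group):
                findings.append((change["address"], reason))
    return findings


# Constructed sample (not real CLI output): a trimmed plan document mirroring the plan
# in the issue, where all_supported flips to true while the exclusion blocks from the
# state survive into `after` (the "2 unchanged blocks hidden" in the diff).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "aws_config_configuration_recorder.this",
        "type": RECORDER_TYPE,
        "change": {
            "actions": ["update"],
            "before": {"name": "recorder", "recording_group": [{
                "all_supported": False, "include_global_resource_types": False,
                "resource_types": [],
                "exclusion_by_resource_types": [{"resource_types": ["AWS::EC2::EC2Fleet"]}],
                "recording_strategy": [{"use_only": EXCLUSION_STRATEGY}],
            }]},
            "after": {"name": "recorder", "recording_group": [{
                "all_supported": True, "include_global_resource_types": True,
                "resource_types": [],
                "exclusion_by_resource_types": [{"resource_types": ["AWS::EC2::EC2Fleet"]}],
                "recording_strategy": [{"use_only": EXCLUSION_STRATEGY}],
            }]},
        },
    }],
})


def main():
    source = SAMPLE_PLAN_JSON if sys.stdin.isatty() else sys.stdin.read()
    findings = check_plan(source)
    for address, reason in findings:
        print("%s: %s" % (address, reason))
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it between `terraform plan -out=plan.out` and `terraform apply plan.out`; a non-zero exit stops the pipeline before the update that would fail is attempted, and the printed reasons point at the blocks that still need to be cleared from state.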

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue