Closed mpzfm1 closed 2 weeks ago
Hey @mpzfm1 👋 Thank you for taking the time to raise this! This particular behavior is controlled by Terraform Core, and in this case, is what I would expect based on the information in Data Resource Behavior.

The `aws_iam_policy_document` data source has an implied dependency on the `random_password` resource by way of interpolation here:

```hcl
values = condition.value.variable == "sts:ExternalId" ? [random_password.policyDocument[each.key].result] : condition.value.variable.values
```

The `random_password` resource's `result` attribute isn't known until apply time, so as mentioned in the data resource behavior document linked above, when there are changes, the read of the `aws_iam_policy_document` data source will be deferred until apply time. This results in the behavior that you're experiencing here. In order to get around this, you'll need to adjust the configuration (exactly how will depend on other factors within the configuration). Since there's no action to be taken by the provider team, I'm going to close this issue. If you encounter unexpected behavior in the future, please do let us know 🙂
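Added example, not part of the original thread and not the reporter's configuration: one possible adjustment, following the Terraform documentation on data resource dependencies, which describes referencing managed-resource values indirectly through a local value (it does not apply if the data source has custom conditions). The variable `roles`, its `principal_arn` attribute, the local `external_ids` and the data source name `assume` are assumptions; `random_password.policyDocument` and `external_id` come from the issue.

```hcl
# Constructed configuration for illustration; var.roles and its attributes are assumed.
variable "roles" {
  type = map(object({
    principal_arn = string
    external_id   = bool
  }))
}

# One generated external ID per key that asks for it.
resource "random_password" "policyDocument" {
  for_each = { for k, v in var.roles : k => v if v.external_id }
  length   = 32
  special  = false
}

locals {
  # Indirection: the data source below reads this local value and never names
  # random_password.policyDocument directly in its own arguments.
  external_ids = { for k, p in random_password.policyDocument : k => p.result }
}

data "aws_iam_policy_document" "assume" {
  for_each = var.roles

  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [each.value.principal_arn]
    }

    # Emit the sts:ExternalId condition only for keys with external_id = true.
    # The content block is not evaluated when the list is empty, so keys
    # without a generated password never index into local.external_ids.
    dynamic "condition" {
      for_each = each.value.external_id ? [1] : []
      content {
        test     = "StringEquals"
        variable = "sts:ExternalId"
        values   = [local.external_ids[each.key]]
      }
    }
  }
}
```

The instance for a newly added key with `external_id: true` is still read at apply time, because its password value is unknown during plan. Run `terraform plan` after the change and confirm that the policy documents for existing keys no longer show as deferred.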
Description
Terraform Version: 1.8.5 AWS Provider Version: 5.62.0
The resources are:
The variable is an objects map like:
If we add more keys to the variable with the attribute external_id: false, there are no issues.
The problem arises when we add new keys with external_id: true. This triggers the creation of a random_password specifically for that key (which is expected), but it also reprocesses all the policy documents for all keys, regardless of whether external_id is true or false, and without any actual changes. As a result, it redeploys the policy documents (unchanged) to the role's policy.
If I include a simple string within the dynamic condition block, such as:
where "hello" is not referencing any other resource, there are no issues. Therefore, the problem seems to occur when random_password is generated, even if it's only for a new key with external_id: true.
Thanks