Expected Behavior
When a conformance pack update fails due to an error, the next time I run plan I expect Terraform to detect that the previous apply failed and try to update the conformance pack resource again.
Actual Behavior
When a conformance pack update fails due to an error, the next time I run plan, Terraform shows that the resource is up to date with no changes needed.
Relevant Error/Panic Output Snippet
First run,
-------
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
aws_config_conformance_pack.this["Encryption-and-Keys-Regional"]: Modifying... [id=Encryption-and-Keys-Regional]
aws_config_conformance_pack.this["Encryption-and-Keys-Regional"]: Still modifying... [id=Encryption-and-Keys-Regional, 10s elapsed]
╷
│ Error: waiting for ConfigService Conformance Pack (Encryption-and-Keys-Regional) create: unexpected state 'CREATE_FAILED', wanted target 'CREATE_COMPLETE'. last error: Could not find SSM document AWSConfigRemediation-RestrictBucketSSLRequestsOnly with version null (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 1dd6a9de-8a7e-48e2-bcbe-95331fd3e2c2; Proxy: null)
│
│ with aws_config_conformance_pack.this["Encryption-and-Keys-Regional"],
│ on conformance_packs.tf line 1, in resource "aws_config_conformance_pack" "this":
│ 1: resource "aws_config_conformance_pack" "this" {
│
---------
Second Run,
--------------
aws_config_conformance_pack.this["Encryption-and-Keys-Regional"]: Refreshing state... [id=Encryption-and-Keys-Regional]
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration
--------------
Terraform Configuration Files
resource "aws_config_conformance_pack" "this" {
  for_each = { for v in local.conformance_packs_filtered : v.name => v }

  name = each.key

  # We are using Terraform templating to overcome the limitations in conformance pack templating for SSM document parameters
  template_body = templatefile("./files/conformance_packs/${each.value.source_filename}", each.value.template_vars)

  dynamic "input_parameter" {
    for_each = each.value.input_parameters
    content {
      parameter_name  = input_parameter.key
      parameter_value = input_parameter.value
    }
  }

  depends_on = [
    aws_config_configuration_recorder_status.this,
    aws_ssm_document.this
  ]
}
Steps to Reproduce
Run terraform plan and apply with some unsupported resource in the template, for example an AWS managed rule or remediation rule that does not exist in a specific region, and verify that the resource update failed.
Terraform Core Version
1.8.1
AWS Provider Version
5.46.0
Affected Resource(s)
Would you like to implement a fix?
None
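An added example, not part of the original issue or the provider's code: since the second plan reports "No changes" after the failed update, a post-apply gate can ask AWS Config for each pack's state instead of trusting the plan. The sample response is constructed (the failed entry reuses the pack name and error text from the output above), `Example-Healthy-Pack` and `Example-Missing-Pack` are hypothetical names, and `fetch_status` assumes boto3 and valid credentials.

```python
"""Post-apply gate: fail when an expected conformance pack is not CREATE_COMPLETE."""

# The only state treated as "deployed"; anything else (CREATE_FAILED,
# CREATE_IN_PROGRESS, DELETE_FAILED, ...) is reported as a problem.
HEALTHY_STATES = {"CREATE_COMPLETE"}


def fetch_status(names):
    """Live lookup (assumption: boto3 installed, credentials configured)."""
    import boto3  # imported lazily so the offline sample below runs without it
    client = boto3.client("config")
    return client.describe_conformance_pack_status(ConformancePackNames=names)


def unhealthy_packs(status_response, expected_names):
    """Return {pack_name: reason} for each expected pack that is missing from
    the DescribeConformancePackStatus response or not in a healthy state."""
    seen = {d["ConformancePackName"]: d
            for d in status_response.get("ConformancePackStatusDetails", [])}
    problems = {}
    for name in expected_names:
        detail = seen.get(name)
        if detail is None:
            problems[name] = "MISSING: not returned by AWS Config"
            continue
        state = detail.get("ConformancePackState", "UNKNOWN")
        if state not in HEALTHY_STATES:
            reason = detail.get("ConformancePackStatusReason", "no reason reported")
            problems[name] = f"{state}: {reason}"
    return problems


# Constructed sample response, shaped like DescribeConformancePackStatus output.
SAMPLE_RESPONSE = {"ConformancePackStatusDetails": [
    {"ConformancePackName": "Encryption-and-Keys-Regional",
     "ConformancePackState": "CREATE_FAILED",
     "ConformancePackStatusReason": "Could not find SSM document "
         "AWSConfigRemediation-RestrictBucketSSLRequestsOnly with version null"},
    {"ConformancePackName": "Example-Healthy-Pack",
     "ConformancePackState": "CREATE_COMPLETE"},
]}
EXPECTED = ["Encryption-and-Keys-Regional", "Example-Healthy-Pack",
            "Example-Missing-Pack"]

if __name__ == "__main__":
    found = unhealthy_packs(SAMPLE_RESPONSE, EXPECTED)
    for pack, why in sorted(found.items()):
        print(f"{pack}: {why}")
    raise SystemExit(1 if found else 0)  # non-zero exit fails the pipeline
```

In a pipeline, replace `SAMPLE_RESPONSE` with `fetch_status(EXPECTED)` and run the script after `terraform apply`.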