hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

When the tags in awscc_chatbot_slack_channel_configuration are not set, apply does not finish. #1841

Open 012xx opened 2 months ago

012xx commented 2 months ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

terraform: 1.8.5 awscc: 1.1.0

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

data "aws_iam_role" "aws_chatbot_role" {
  name = "AWSChatbotRole"
}

resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
  configuration_name = "alert-runners"
  iam_role_arn       = data.aws_iam_role.aws_chatbot_role.arn
  slack_workspace_id = "***"   
  slack_channel_id   = "***" 

  sns_topic_arns = [for org in module.runner-pool : org.lambda_error_alert_sns_topic_arn]
}

Debug Output

Panic Output

Expected Behavior

terraform apply is completed

Actual Behavior

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_chatbot_slack_channel_configuration.alert_runners will be updated in-place
  ~ resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
        id                 = "arn:aws:chatbot::***:chat-configuration/slack-channel/alert-runners"
      + tags               = (known after apply)
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

awscc_chatbot_slack_channel_configuration.alert_runners: Modifying... [id=arn:aws:chatbot::***:chat-configuration/slack-channel/alert-runners]
awscc_chatbot_slack_channel_configuration.alert_runners: Still modifying... [id=arn:aws:chatbot::***:chat-conf...lack-channel/alert-runners, 10s elapsed]
awscc_chatbot_slack_channel_configuration.alert_runners: Still modifying... [id=arn:aws:chatbot::***:chat-conf...lack-channel/alert-runners, 20s elapsed]
awscc_chatbot_slack_channel_configuration.alert_runners: Still modifying... [id=arn:aws:chatbot::***:chat-conf...lack-channel/alert-runners, 30s elapsed]
awscc_chatbot_slack_channel_configuration.alert_runners: Still modifying... [id=arn:aws:chatbot::***:chat-conf...lack-channel/alert-runners, 40s elapsed]
awscc_chatbot_slack_channel_configuration.alert_runners: Still modifying... [id=arn:aws:chatbot::***:chat-conf...lack-channel/alert-runners, 50s elapsed]
awscc_chatbot_slack_channel_configuration.alert_runners: Still modifying... [id=arn:aws:chatbot::***:chat-conf...lack-channel/alert-runners, 1m0s elapsed]
^C
Interrupt received.
Please wait for Terraform to exit or data loss may occur.
Gracefully shutting down...

Steps to Reproduce

I tried to make a minimal reproduction, but terraform apply completed successfully in the minimal case below. Sorry...

import {
  to = aws_iam_role.aws_chatbot_role
  id = "AWSChatbotRole"
}

terraform {
  required_providers {
    awscc = {
      source  = "hashicorp/awscc"
      version = "1.1.0"
    }
  }
}

# Configure the AWS CC Provider
provider "awscc" {
  region = "ap-northeast-1"
}

data "aws_iam_role" "aws_chatbot_role" {
  name = "AWSChatbotRole"
}

resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
  configuration_name = "alert"
  iam_role_arn       = data.aws_iam_role.aws_chatbot_role.arn
  slack_workspace_id = "***"
  slack_channel_id   = "***"
}

Important Factoids

terraform apply completes successfully when I fill in tags. I hit this case in v1.1.0 and v1.2.0. (In v1.0.0, terraform apply completes.)

References

quixoticmonk commented 2 months ago

I am unable to reproduce the issue with the configuration below.

resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
  configuration_name = "alert-runners"
  iam_role_arn       = data.aws_iam_role.aws_chatbot_role.arn
  slack_workspace_id = "*****"   
  slack_channel_id   = "*****" 

  sns_topic_arns = ["arn:aws:sns:us-east-2:****:test"]
}

Apply:

data.aws_iam_role.aws_chatbot_role: Reading...
data.aws_iam_role.aws_chatbot_role: Read complete after 0s [id=Admin]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # awscc_chatbot_slack_channel_configuration.alert_runners will be created
  + resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
      + arn                = (known after apply)
      + configuration_name = "alert-runners"
      + guardrail_policies = (known after apply)
      + iam_role_arn       = "arn:aws:iam::############:role/Admin"
      + id                 = (known after apply)
      + logging_level      = "NONE"
      + slack_channel_id   = "****"
      + slack_workspace_id = "*****"
      + sns_topic_arns     = [
          + "arn:aws:sns:us-east-2:############:test",
        ]
      + tags               = (known after apply)
      + user_role_required = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.
awscc_chatbot_slack_channel_configuration.alert_runners: Creating...
awscc_chatbot_slack_channel_configuration.alert_runners: Creation complete after 6s [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

Additional scenarios tested:

quixoticmonk commented 2 months ago

Adding one observation. Commenting out tags on the existing resource is not getting recognized and Terraform provides a no change message. Will review this further. But the original issue with or without tags is not reproducible.

@012xx Can you post the debug logs from your side?

uta8a commented 2 months ago

@quixoticmonk I am from the same team as @012xx . I will reply on her behalf.

Can you post the debug logs from your side ?

In our own production environment, we have already carried out the work of adding tags as a work-around. We are therefore unable to downgrade awscc provider version.

Therefore, we experimented with the minimum configuration again. We tried the following, but did not reproduce the issue.

  1. Create awscc_chatbot_slack_channel_configuration resource in v1.0.0
  2. Upgrade to v1.1.0 and terraform plan → no changes
  3. Upgrade to v1.1.0 and change sns_topic_arns in awscc_chatbot_slack_channel_configuration and terraform apply → Log shows tags = (known after apply) but apply completed immediately. (did not reproduce)

I will show the log at step 3.

data.aws_iam_role.aws_chatbot_role: Reading...
data.aws_iam_role.aws_chatbot_role: Read complete after 0s [id=AWSChatbotRole]
awscc_chatbot_slack_channel_configuration.ept_alert_runners: Refreshing state... [id=arn:aws:chatbot::***:chat-configuration/slack-channel/ept-4589]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # awscc_chatbot_slack_channel_configuration.ept_alert_runners will be updated in-place
  ~ resource "awscc_chatbot_slack_channel_configuration" "ept_alert_runners" {
        id                 = "arn:aws:chatbot::***:chat-configuration/slack-channel/ept-4589"
      ~ sns_topic_arns     = [
            "arn:aws:sns:ap-northeast-1:***:LambdaErrorAlert_hoge",
          - "arn:aws:sns:ap-northeast-1:***:LambdaErrorAlert_foo",
        ]
      + tags               = (known after apply)
        # (8 unchanged attributes hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
awscc_chatbot_slack_channel_configuration.ept_alert_runners: Modifying... [id=arn:aws:chatbot::***:chat-configuration/slack-channel/ept-4589]
awscc_chatbot_slack_channel_configuration.ept_alert_runners: Modifications complete after 6s [id=arn:aws:chatbot::***:chat-configuration/slack-channel/ept-4589]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Thanks.

quixoticmonk commented 2 months ago

Thank you, @uta8a. I followed your steps and I was able to reproduce the plan diff for tags. The Terraform apply does complete without the issues you pointed out. Is the original issue now not reproducible?

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_chatbot_slack_channel_configuration.alert_runners will be updated in-place
  ~ resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
        id                 = "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners"
      ~ sns_topic_arns     = [
          ~ "arn:aws:sns:us-east-1:############:test" -> "arn:aws:sns:us-east-1:############:test",
        ]
      + tags               = (known after apply)
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
awscc_chatbot_slack_channel_configuration.alert_runners: Modifying... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]
awscc_chatbot_slack_channel_configuration.alert_runners: Modifications complete after 7s [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

quixoticmonk commented 2 months ago

I am not able to reproduce the issue where the resource provisioning is stuck at modifying with the steps above similar to the comment https://github.com/hashicorp/terraform-provider-awscc/issues/1841#issuecomment-2188270523 . I am going to mark this issue as not-reproducible. If you see this issue come up again, please do re-open this or open a new issue with the debug logs to see if there are any additional constraints we have not looked into.

uta8a commented 2 months ago

@quixoticmonk Thank you. We still could not reproduce the issue here, so we would appreciate it if you would close this issue. Thanks for your response!

quixoticmonk commented 2 months ago

Closing the issue based on the comment above.

rribeiro1 commented 1 month ago

I'm encountering the same issue with this resource. The first terraform apply works perfectly, but on subsequent plans/applies, it tries to change the tags and gets stuck:

resource "awscc_chatbot_slack_channel_configuration" "this" {
  configuration_name = var.configuration_name
  iam_role_arn       = aws_iam_role.chatbot.arn
  slack_channel_id   = var.slack_channel_id
  slack_workspace_id = var.slack_workspace_id
  sns_topic_arns     = var.sns_topic_arns
  logging_level      = var.logging_level
}

Terraform will perform the following actions:

  # module.system_alerts.awscc_chatbot_slack_channel_configuration.this will be updated in-place
  ~ resource "awscc_chatbot_slack_channel_configuration" "this" {
        id                 = "arn:aws:chatbot::176063274327:chat-configuration/slack-channel/labtwin-operations-alarms-notification"
      + tags               = (known after apply)
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

module.system_alerts.awscc_chatbot_slack_channel_configuration.this: Still modifying... [id=arn:aws:chatbot::176063274327:chat-conf...labtwin-operations-alarms-notification, 30s elapsed]
module.system_alerts.awscc_chatbot_slack_channel_configuration.this: Still modifying... [id=arn:aws:chatbot::176063274327:chat-conf...labtwin-operations-alarms-notification, 40s elapsed]
module.system_alerts.awscc_chatbot_slack_channel_configuration.this: Still modifying... [id=arn:aws:chatbot::176063274327:chat-conf...labtwin-operations-alarms-notification, 50s elapsed]
^CStopping operation...

Interrupt received.

I am passing two SNS topics to sns_topic_arns. It works when I remove one of the SNS topics and re-apply, but the next terraform plan will try to change only the tags and I will face the same issue mentioned above. Adding a lifecycle to ignore changes on tags does not work either.

I am using the provider version 1.4.0. Should I open a different issue for this?

maksar commented 1 month ago

Same issue on 1.5.0. Downgrade to 1.0.0 helped

quixoticmonk commented 1 month ago

I have been testing this across both 1.4.0 and 1.5.0 versions.

awscc_iam_role.example: Still creating... [10s elapsed]
awscc_iam_role.example: Still creating... [20s elapsed]
awscc_iam_role.example: Creation complete after 22s [id=ChatBot-Channel-Role]
awscc_chatbot_slack_channel_configuration.alert_runners: Creating...
awscc_chatbot_slack_channel_configuration.alert_runners: Creation complete after 6s [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

->
terraform apply

awscc_iam_role.example: Refreshing state... [id=ChatBot-Channel-Role]
awscc_chatbot_slack_channel_configuration.alert_runners: Refreshing state... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

I had the below config on my side.

resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
  configuration_name = "alert-runners"
  iam_role_arn       = awscc_iam_role.example.arn
  slack_workspace_id = "******"   
  slack_channel_id   = "*****" 

  sns_topic_arns = ["arn:aws:sns:us-east-1:######:test","arn:aws:sns:us-east-1:######:test2"]
  logging_level = "INFO"

}

Terraform version constraints I am working with.

Terraform v1.9.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.58.0
+ provider registry.terraform.io/hashicorp/awscc v1.5.0

Will test this further on an earlier version and an update.

quixoticmonk commented 1 month ago

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

* Re-apply

awscc_iam_role.example: Refreshing state... [id=ChatBot-Channel-Role]
awscc_chatbot_slack_channel_configuration.alert_runners: Refreshing state... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

* Upgrade awscc to v1.5.0

Initializing the backend...
Initializing provider plugins...


* Re-apply

awscc_iam_role.example: Refreshing state... [id=ChatBot-Channel-Role]
awscc_chatbot_slack_channel_configuration.alert_runners: Refreshing state... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed

quixoticmonk commented 1 month ago

awscc_iam_role.example: Refreshing state... [id=ChatBot-Channel-Role]
awscc_chatbot_slack_channel_configuration.alert_runners: Refreshing state... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_chatbot_slack_channel_configuration.alert_runners will be updated in-place
  ~ resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
        id                 = "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners"
      ~ sns_topic_arns     = [
            "arn:aws:sns:us-east-1:############:test",
          - "arn:aws:sns:us-east-1:############:test2",
        ]
      + tags               = (known after apply)
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
awscc_chatbot_slack_channel_configuration.alert_runners: Modifying... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]
awscc_chatbot_slack_channel_configuration.alert_runners: Modifications complete after 6s [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
awscc_iam_role.example: Refreshing state... [id=ChatBot-Channel-Role]
awscc_chatbot_slack_channel_configuration.alert_runners: Refreshing state... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners]

No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

quixoticmonk commented 1 month ago

@maksar @rribeiro1 are you able to provide some debug logs on this from your side? Looking for a line Detected value change between proposed new state and prior state

mkLotto commented 1 month ago

I got the same issue.

terraform version: 1.9.2 hashicorp/aws: 5.60.0 hashicorp/awscc: 1.7.0

https://github.com/hashicorp/terraform-provider-awscc/issues/1841#issuecomment-2227393788

some debug logs on this from your side ? @quixoticmonk

I hope this is the info you want.

2024-08-01T16:34:48.313+0900 [DEBUG] provider.terraform-provider-awscc_v1.7.0_x5: Detected value change between proposed new state and prior state: @caller=github.com/hashicorp/terraform-plugin-framework@v1.10.0/internal/fwserver/server_planresourcechange.go:208 tf_attribute_path=sns_topic_arns tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_rpc=PlanResourceChange @module=sdk.framework tf_req_id=3836a1aa-d6bb-f1a1-5231-2115a0815a0b tf_resource_type=awscc_chatbot_slack_channel_configuration timestamp="2024-08-01T16:34:48.313+0900"

quixoticmonk commented 1 month ago

Thanks for providing the debug logs @mkLotto. I can see it is identifying a change in sns_topic_arns. Can you help me understand if there is any visible difference between the configuration below and yours?

There is some difference in the configuration I am using to reproduce between all of yours as I don't see the modification failures in a legitimate case of updated topic_arns or regular re-apply.

resource "awscc_chatbot_slack_channel_configuration" "alert_runners" {
  configuration_name = "alert-runners"
  iam_role_arn       = "arn:aws:iam::############:role/Admin"
  slack_workspace_id = "****"   
  slack_channel_id   = "****" 

  sns_topic_arns = var.sns_topic_arns
  logging_level = "INFO"
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

variable "sns_topic_arns" {
  default = ["arn:aws:sns:us-east-1:############:test","arn:aws:sns:us-east-1:############:test2"]
}

With one scenario I saw a peculiar behavior (which didn't though). The deletion of the test topic, which was already present there, somehow makes me think this is a set vs list issue somewhere.

      ~ sns_topic_arns     = [
          - "arn:aws:sns:us-east-1:#############:test",
            "arn:aws:sns:us-east-1:#############:test2",
          + "arn:aws:sns:us-east-1:#############:test",
          + "arn:aws:sns:us-east-1:#############:config-topic-#############",
        ]

Out of curiosity, do you see the same behavior if the topic_arns is a toset(var.sns_topic_arns) ?

mkLotto commented 1 month ago

@quixoticmonk Thank you for following up.

I tried toset(var.sns_topic_arns) but it does not work in my definition.

My manifest is like below.


resource "awscc_chatbot_slack_channel_configuration" "bbb_conf" {
  configuration_name = "bbb-slack-channel-config"
  iam_role_arn       = awscc_iam_role.sample_role.arn
  slack_channel_id   = "xxx"
  slack_workspace_id = data.aws_chatbot_slack_workspace.xxx.slack_team_id
  sns_topic_arns = toset([
    aws_sns_topic.slack_tocpic.arn,
    aws_sns_topic.aaa.arn,
    aws_sns_topic.bbb.arn,
    aws_sns_topic.ccc.arn
  ])
}

resource "aws_sns_topic" "slack_tocpic" {
  name = "slack_tocpic"
}

resource "aws_sns_topic_policy" "slack_tocpic_policy" {
  arn = aws_sns_topic.slack_tocpic.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "__default_policy_ID"
    Statement = [
      {
        Sid    = "__default_statement_ID"
        Effect = "Allow"
        Principal = {
          AWS = "*"
        }
        Action = [
          "SNS:GetTopicAttributes",
          "SNS:SetTopicAttributes",
          "SNS:AddPermission",
          "SNS:RemovePermission",
          "SNS:DeleteTopic",
          "SNS:Subscribe",
          "SNS:ListSubscriptionsByTopic",
          "SNS:Publish",
          "SNS:Receive",
        ]
        Resource = "arn:aws:sns:ap-northeast-1:12345:slack_tocpic"
        Condition = {
          StringEquals = {
            "AWS:SourceOwner" = "12345"
          }
        }
      },
      {
        xxxx
      },
      {
        Sid    = ""
        Effect = "Allow"
        Principal = {
          Service = "events.amazonaws.com"
        }
        Action   = "sns:Publish"
        Resource = aws_sns_topic.slack_tocpic.arn
      }
    ]
  })
}

resource "awscc_iam_role" "sample_role" {
  role_name = "sample_role"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "chatbot.amazonaws.com"
        }
      },
    ]
  })
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AWSResourceExplorerReadOnlyAccess",
    aws_iam_policy.sample_policy.arn
  ]
}

resource "aws_iam_policy" "sample_policy" {
  name = "sample_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "cloudwatch:Describe*",
          "cloudwatch:Get*",
          "cloudwatch:List*"
        ]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}

quixoticmonk commented 1 month ago

Just tested your config and what I see is below. I am going to try to have someone else on my side test this and try to reproduce. Thank you for the patience on this.

data.aws_caller_identity.current: Reading...
aws_iam_policy.sample_policy: Refreshing state... [id=arn:aws:iam::############:policy/sample_policy]
aws_sns_topic.topic2: Refreshing state... [id=arn:aws:sns:us-east-1:############:topic2]
aws_sns_topic.topic1: Refreshing state... [id=arn:aws:sns:us-east-1:############:topic1]
data.aws_caller_identity.current: Read complete after 0s [id=############]
aws_sns_topic_policy.topic1: Refreshing state... [id=arn:aws:sns:us-east-1:############:topic1]
awscc_iam_role.sample_role: Refreshing state... [id=sample_role]
awscc_chatbot_slack_channel_configuration.example: Refreshing state... [id=arn:aws:chatbot::############:chat-configuration/slack-channel/slack_config]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

mkLotto commented 1 month ago

I found a solution for my situation.

I applied a config like the one below and encountered something similar to https://github.com/hashicorp/terraform-provider-awscc/issues/1841#issuecomment-2216844205.

provider "aws" {
  region = var.region
  default_tags {
    tags = {
      ManagedBy = "terraform"
    }
  }
}

provider "awscc" {
  region = var.region
}

resource "awscc_chatbot_slack_channel_configuration" "bbb_conf" {
  configuration_name = "bbb-slack-channel-config"
  iam_role_arn       = awscc_iam_role.sample_role.arn
  slack_channel_id   = "xxx"
  slack_workspace_id = data.aws_chatbot_slack_workspace.xxx.slack_team_id
  sns_topic_arns = toset([
    aws_sns_topic.slack_tocpic.arn,
    aws_sns_topic.aaa.arn,
    aws_sns_topic.bbb.arn,
    aws_sns_topic.ccc.arn
  ])
}

I tried adding the tags field, and then terraform apply succeeded.

resource "awscc_chatbot_slack_channel_configuration" "bbb_conf" {

  xxxx

  # add tags explicitly
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

@quixoticmonk Thank you for your support.

And I hope this info helps someone who encounters the same trouble.

quixoticmonk commented 4 weeks ago

From additional debugging.

Debug log


2024-08-05T14:51:22.285-0400 [WARN]  Provider "registry.terraform.io/hashicorp/awscc" produced an unexpected new value for awscc_chatbot_slack_channel_configuration.alert_runners during refresh.
      - .sns_topic_arns[0]: was cty.StringVal("arn:aws:sns:us-east-1:############:config-topic-############"), but now cty.StringVal("arn:aws:sns:us-east-1:############:test")
      - .sns_topic_arns[1]: was cty.StringVal("arn:aws:sns:us-east-1:############:test"), but now cty.StringVal("arn:aws:sns:us-east-1:############:config-topic-############")
2024-08-05T14:51:22.286-0400 [DEBUG] skipping FixUpBlockAttrs
2024-08-05T14:51:22.290-0400 [DEBUG] provider.terraform-provider-awscc_v1.8.0_x5: Detected value change between proposed new state and prior state: @caller=github.com/hashicorp/terraform-plugin-framework@v1.10.0/internal/fwserver/server_planresourcechange.go:208 tf_attribute_path=sns_topic_arns tf_resource_type=awscc_chatbot_slack_channel_configuration tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=5a954e65-5073-803a-b631-319ed411d99a tf_rpc=PlanResourceChange @module=sdk.framework timestamp=2024-08-05T14:51:22.290-0400

 tfrd logs/sdk_proto/1722883882291_PlanResourceChange_Response_PlannedState.msgpack
{
  "arn": "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners",
  "configuration_name": "alert-runners",
  "guardrail_policies": [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ],
  "iam_role_arn": "arn:aws:iam::############:role/sample_role",
  "id": "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners",
  "logging_level": "NONE",
  "slack_channel_id": "C0796L1UVGB",
  "slack_workspace_id": "T016M3G1GHZ",
  "sns_topic_arns": [
    "arn:aws:sns:us-east-1:############:test",
    "arn:aws:sns:us-east-1:############:config-topic-############",
    "arn:aws:sns:us-east-1:############:test2"
  ],
  "tags": "\u0000",
  "user_role_required": false
}
tfrd logs/sdk_proto/1722883882288_PlanResourceChange_Request_ProposedNewState.msgpack
{
  "arn": "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners",
  "configuration_name": "alert-runners",
  "guardrail_policies": [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ],
  "iam_role_arn": "arn:aws:iam::############:role/sample_role",
  "id": "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners",
  "logging_level": "NONE",
  "slack_channel_id": "C0796L1UVGB",
  "slack_workspace_id": "T016M3G1GHZ",
  "sns_topic_arns": [
    "arn:aws:sns:us-east-1:############:config-topic-############",
    "arn:aws:sns:us-east-1:############:test",
    "arn:aws:sns:us-east-1:############:test2"
  ],
  "tags": null,
  "user_role_required": false
}
tfrd logs/sdk_proto/1722883882288_PlanResourceChange_Request_PriorState.msgpack
{
  "arn": "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners",
  "configuration_name": "alert-runners",
  "guardrail_policies": [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ],
  "iam_role_arn": "arn:aws:iam::############:role/sample_role",
  "id": "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners",
  "logging_level": "NONE",
  "slack_channel_id": "C0796L1UVGB",
  "slack_workspace_id": "T016M3G1GHZ",
  "sns_topic_arns": [
    "arn:aws:sns:us-east-1:############:test",
    "arn:aws:sns:us-east-1:############:config-topic-############",
    "arn:aws:sns:us-east-1:############:test2"
  ],
  "tags": null,
  "user_role_required": false
}

aws cloudcontrol get-resource --type-name AWS::Chatbot::SlackChannelConfiguration --identifier "arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners" | jq .ResourceDescription.Properties

"{\"UserRoleRequired\":false,\"LoggingLevel\":\"NONE\",
\"SnsTopicArns\":
[\"arn:aws:sns:us-east-1:############:test\",
\"arn:aws:sns:us-east-1:############:config-topic-############\",
\"arn:aws:sns:us-east-1:############:test2\"]
,\"GuardrailPolicies\":[\"arn:aws:iam::aws:policy/AdministratorAccess\"],\"SlackWorkspaceId\":\"T016M3G1GHZ\",\"SlackChannelId\":\"C0796L1UVGB\",\"IamRoleArn\":\"arn:aws:iam::############:role/sample_role\",\"ConfigurationName\":\"alert-runners\",\"Arn\":\"arn:aws:chatbot::############:chat-configuration/slack-channel/alert-runners\",\"Tags\":[]}"

The order returned by Cloud control doesn't match what is in state and configuration resulting in provider re-applying some of the configuration.
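
One way to separate an order-only difference from a real membership change when comparing dumps like the ones above, as an added example that is not part of the original comment or the provider's code. The account id, the trimmed attribute set, the `snake` key mapping and all function names are assumptions made for the illustration.

```python
import json
import re

# Constructed sample data modelled on the dumps in this thread. The account id
# 111122223333 is a placeholder and the attribute set is trimmed.
TOPIC = "arn:aws:sns:us-east-1:111122223333:"
ORDER_IN_STATE = [TOPIC + "test", TOPIC + "config-topic", TOPIC + "test2"]
ORDER_IN_CONFIG = [TOPIC + "config-topic", TOPIC + "test", TOPIC + "test2"]

PRIOR_STATE = {
    "configuration_name": "alert-runners",
    "logging_level": "NONE",
    "sns_topic_arns": ORDER_IN_STATE,
    "tags": None,
}
PROPOSED_NEW_STATE = dict(PRIOR_STATE, sns_topic_arns=ORDER_IN_CONFIG)

# `aws cloudcontrol get-resource` returns Properties as a JSON document that is
# itself encoded as a JSON string, so it has to be decoded twice.
GET_RESOURCE_OUTPUT = json.dumps({
    "TypeName": "AWS::Chatbot::SlackChannelConfiguration",
    "ResourceDescription": {
        "Identifier": "placeholder-identifier",
        "Properties": json.dumps({
            "ConfigurationName": "alert-runners",
            "LoggingLevel": "NONE",
            "SnsTopicArns": ORDER_IN_STATE,
            "Tags": [],
        }),
    },
})


def snake(name):
    """Map a PascalCase property name to snake_case (assumed mapping)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def decode_properties(cli_json):
    """Return the resource properties from get-resource output, snake_cased."""
    props = json.loads(cli_json)["ResourceDescription"]["Properties"]
    if isinstance(props, str):  # the double-encoded case shown in the thread
        props = json.loads(props)
    return {snake(key): value for key, value in props.items()}


def _canon(value):
    """Stable text form so unhashable list elements can be sorted."""
    return json.dumps(value, sort_keys=True)


def classify(left, right):
    """Describe how two attribute values differ."""
    if left == right:
        return "same"
    if isinstance(left, list) and isinstance(right, list):
        # Same elements with the same multiplicity: only the order moved.
        if sorted(map(_canon, left)) == sorted(map(_canon, right)):
            return "order-only"
        return "membership"
    if left in (None, []) and right in (None, []):
        return "null-vs-empty"
    return "value"


def drift_report(left, right):
    """Map each differing attribute to the kind of difference found."""
    report = {}
    for attr in sorted(set(left) | set(right)):
        kind = classify(left.get(attr), right.get(attr))
        if kind != "same":
            report[attr] = kind
    return report


if __name__ == "__main__":
    print("prior vs proposed:", drift_report(PRIOR_STATE, PROPOSED_NEW_STATE))
    print("prior vs cloud control:",
          drift_report(PRIOR_STATE, decode_properties(GET_RESOURCE_OUTPUT)))
```

An `order-only` result on `sns_topic_arns` is the pattern reported in this comment; a `membership` result means a topic was actually added or removed and the planned update is a real change.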

quixoticmonk commented 4 weeks ago

Opened an internal ticket to review the schema and the order referenced in the get-resource call.

meraj-kashi commented 2 weeks ago

Same issue here.

terraform version: v1.9.2
awscc v1.9.0
aws v5.62.0

resource "awscc_chatbot_microsoft_teams_channel_configuration" "chatbot" {
  configuration_name = "chatbot"
  iam_role_arn       = aws_iam_role.chatbot_role.arn
  team_id            = local.teams_team_id
  teams_channel_id   = lower(local.team_channel_id)
  teams_tenant_id    = local.teams_tenant_id
  sns_topic_arns = [
    module.log_archive_eu-north-1.cloudwatch_alarm_topic,
    module.log_archive_eu-west-1.cloudwatch_alarm_topic,
  ]
}
