search

hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0
239 stars 107 forks source link

awscc_dynamodb_table - unchanged configuration triggers drift on terraform plan #1855

Open wellsiau-aws opened 4 days ago

wellsiau-aws commented 4 days ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_dynamodb_table" "table_name" {
  table_name = "table-name"

  key_schema = jsonencode([{
    AttributeName : "id"
    KeyType : "HASH"
  }])
  attribute_definitions = [{
    attribute_name = "id"
    attribute_type = "S"
  }]
  billing_mode = "PAY_PER_REQUEST"
  on_demand_throughput = {
    max_read_request_units  = 10
    max_write_request_units = 10
  }
  deletion_protection_enabled = false
}

Debug Output

2024-06-30T12:24:59.989-0700 [WARN]  Provider "registry.terraform.io/hashicorp/awscc" produced an unexpected new value for awscc_dynamodb_table.table_name during refresh.
      - .key_schema: was cty.StringVal("[{\"AttributeName\":\"id\",\"KeyType\":\"HASH\"}]"), but now null
. . .
2024-06-30T12:25:00.010-0700 [DEBUG] provider.terraform-provider-awscc_v1.4.0_x5: Detected value change between proposed new state and prior state: tf_attribute_path=time_to_live_specification tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=48229811-0d75-10f6-f9c7-cc9dcf15eb02 tf_rpc=PlanResourceChange @caller=github.com/hashicorp/terraform-plugin-framework@v1.9.0/internal/fwserver/server_planresourcechange.go:208 @module=sdk.framework tf_resource_type=awscc_dynamodb_table timestamp=2024-06-30T12:25:00.010-0700
2024-06-30T12:25:00.011-0700 [DEBUG] provider.terraform-provider-awscc_v1.4.0_x5: Detected value change between proposed new state and prior state: tf_rpc=PlanResourceChange @caller=github.com/hashicorp/terraform-plugin-framework@v1.9.0/internal/fwserver/server_planresourcechange.go:208 tf_attribute_path=key_schema tf_resource_type=awscc_dynamodb_table @module=sdk.framework tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=48229811-0d75-10f6-f9c7-cc9dcf15eb02 timestamp=2024-06-30T12:25:00.010-0700
2024-06-30T12:25:00.011-0700 [DEBUG] provider.terraform-provider-awscc_v1.4.0_x5: Detected value change between proposed new state and prior state: tf_req_id=48229811-0d75-10f6-f9c7-cc9dcf15eb02 tf_rpc=PlanResourceChange @caller=github.com/hashicorp/terraform-plugin-framework@v1.9.0/internal/fwserver/server_planresourcechange.go:208 tf_attribute_path=sse_specification tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_resource_type=awscc_dynamodb_table @module=sdk.framework timestamp=2024-06-30T12:25:00.010-0700
2024-06-30T12:25:00.011-0700 [DEBUG] provider.terraform-provider-awscc_v1.4.0_x5: Detected value change between proposed new state and prior state: @caller=github.com/hashicorp/terraform-plugin-framework@v1.9.0/internal/fwserver/server_planresourcechange.go:208 @module=sdk.framework tf_resource_type=awscc_dynamodb_table tf_rpc=PlanResourceChange tf_attribute_path=contributor_insights_specification tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=48229811-0d75-10f6-f9c7-cc9dcf15eb02 timestamp=2024-06-30T12:25:00.

Expected Behavior

Subsequent terraform plan after the first terraform apply should not register any drift

Actual Behavior

Subsequent terraform plan after the first terraform apply detected a drift

awscc_dynamodb_table.table_name: Refreshing state... [id=table-name]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_dynamodb_table.table_name will be updated in-place
  ~ resource "awscc_dynamodb_table" "table_name" {
      + global_secondary_indexes             = (known after apply)
        id                                   = "table-name"
      + import_source_specification          = (known after apply)
      + key_schema                           = jsonencode(
            [
              + {
                  + AttributeName = "id"
                  + KeyType       = "HASH"
                },
            ]
        )
      + kinesis_stream_specification         = (known after apply)
      + local_secondary_indexes              = (known after apply)
      + provisioned_throughput               = (known after apply)
      + resource_policy                      = (known after apply)
      + stream_arn                           = (known after apply)
      + stream_specification                 = (known after apply)
      + table_class                          = (known after apply)
      + tags                                 = (known after apply)
        # (10 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply
  2. terraform plan

Important Factoids

References

wellsiau-aws commented 4 days ago

Debug logs detected changes to the following attributes:

Which I believe related to issue reported on #1216

However, changes detected on key_schema are different because Terraform thinks that key_schema doesn't exist in the previous state 

  # awscc_dynamodb_table.table_name will be updated in-place
  ~ resource "awscc_dynamodb_table" "table_name" {
      + global_secondary_indexes             = (known after apply)
        id                                   = "table-name"
      + import_source_specification          = (known after apply)
      + key_schema                           = jsonencode(
            [
              + {
                  + AttributeName = "id"
                  + KeyType       = "HASH"
                },
            ]
        )
wellsiau-aws commented 4 days ago

Additional debug logs

State file (redacted) key_schema is available in the statefile, as well as CCAPI GetResource.

   {
      "mode": "managed",
      "type": "awscc_dynamodb_table",
      "name": "table_name",
      "provider": "provider[\"registry.terraform.io/hashicorp/awscc\"]",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "arn": "arn:aws:dynamodb:us-east-1:204034886740:table/table-name",
            "attribute_definitions": [
              {
                "attribute_name": "id",
                "attribute_type": "S"
              }
            ],
            "id": "table-name",
            "key_schema": "[{\"AttributeName\":\"id\",\"KeyType\":\"HASH\"}]",
    . . .  
    }

PlanResourceChange_Request_PriorState.msgpack Terraform consider that the prior state for the key_schema is null, which is incorrect.

{
  "arn": "arn:aws:dynamodb:us-east-1:204034886740:table/table-name",
  "attribute_definitions": [
    {
      "attribute_name": "id",
      "attribute_type": "S"
    }
  ],
  "billing_mode": "PAY_PER_REQUEST",
  "contributor_insights_specification": {
    "enabled": false
  },
  "deletion_protection_enabled": false,
  "global_secondary_indexes": null,
  "id": "table-name",
  "import_source_specification": null,
  "key_schema": null,
  "kinesis_stream_specification": null,
  "local_secondary_indexes": null,
  "on_demand_throughput": {
    "max_read_request_units": 10,
    "max_write_request_units": 10
  },
  "point_in_time_recovery_specification": {
    "point_in_time_recovery_enabled": false
  },
  "provisioned_throughput": null,
  "resource_policy": null,
  "sse_specification": {
    "kms_master_key_id": null,
    "sse_enabled": false,
    "sse_type": null
  },
  "stream_arn": null,
  "stream_specification": null,
  "table_class": null,
  "table_name": "table-name",
  "tags": null,
  "time_to_live_specification": {
    "attribute_name": null,
    "enabled": false
  }
}

PlanResourceChange_Request_ProposedNewState.msgpack Proposed new state recovers the configuration for key_schema

{
  "arn": "arn:aws:dynamodb:us-east-1:204034886740:table/table-name",
  "attribute_definitions": [
    {
      "attribute_name": "id",
      "attribute_type": "S"
    }
  ],
  "billing_mode": "PAY_PER_REQUEST",
  "contributor_insights_specification": null,
  "deletion_protection_enabled": false,
  "global_secondary_indexes": null,
  "id": "table-name",
  "import_source_specification": null,
  "key_schema": "[{\"AttributeName\":\"id\",\"KeyType\":\"HASH\"}]",
  "kinesis_stream_specification": null,
  "local_secondary_indexes": null,
  "on_demand_throughput": {
    "max_read_request_units": 10,
    "max_write_request_units": 10
  },
  "point_in_time_recovery_specification": {
    "point_in_time_recovery_enabled": false
  },
  "provisioned_throughput": null,
  "resource_policy": null,
  "sse_specification": null,
  "stream_arn": null,
  "stream_specification": null,
  "table_class": null,
  "table_name": "table-name",
  "tags": null,
  "time_to_live_specification": null
}
wellsiau-aws commented 4 days ago

I suspect the problem occurs before PlanResourceChange is called.

Further investigation led to the following:

ReadResource_Request_CurrentState.msgpack key_schema is still available on this stage:

{
  "arn": "arn:aws:dynamodb:us-east-1:204034886740:table/table-name",
  "attribute_definitions": [
    {
      "attribute_name": "id",
      "attribute_type": "S"
    }
  ],
  "billing_mode": "PAY_PER_REQUEST",
  "contributor_insights_specification": {
    "enabled": false
  },
  "deletion_protection_enabled": false,
  "global_secondary_indexes": null,
  "id": "table-name",
  "import_source_specification": null,
  "key_schema": "[{\"AttributeName\":\"id\",\"KeyType\":\"HASH\"}]",
  "kinesis_stream_specification": null,
  "local_secondary_indexes": null,
  "on_demand_throughput": {
    "max_read_request_units": 10,
    "max_write_request_units": 10
  },
  "point_in_time_recovery_specification": {
    "point_in_time_recovery_enabled": false
  },
  "provisioned_throughput": null,
  "resource_policy": null,
  "sse_specification": {
    "kms_master_key_id": null,
    "sse_enabled": false,
    "sse_type": null
  },
  "stream_arn": null,
  "stream_specification": null,
  "table_class": null,
  "table_name": "table-name",
  "tags": null,
  "time_to_live_specification": {
    "attribute_name": null,
    "enabled": false
  }
}

ReadResource_Response_NewState.msgpack And then disappear after ReadResponse is called

{
  "arn": "arn:aws:dynamodb:us-east-1:204034886740:table/table-name",
  "attribute_definitions": [
    {
      "attribute_name": "id",
      "attribute_type": "S"
    }
  ],
  "billing_mode": "PAY_PER_REQUEST",
  "contributor_insights_specification": {
    "enabled": false
  },
  "deletion_protection_enabled": false,
  "global_secondary_indexes": null,
  "id": "table-name",
  "import_source_specification": null,
  "key_schema": null,
  "kinesis_stream_specification": null,
  "local_secondary_indexes": null,
  "on_demand_throughput": {
    "max_read_request_units": 10,
    "max_write_request_units": 10
  },
  "point_in_time_recovery_specification": {
    "point_in_time_recovery_enabled": false
  },
  "provisioned_throughput": null,
  "resource_policy": null,
  "sse_specification": {
    "kms_master_key_id": null,
    "sse_enabled": false,
    "sse_type": null
  },
  "stream_arn": null,
  "stream_specification": null,
  "table_class": null,
  "table_name": "table-name",
  "tags": null,
  "time_to_live_specification": {
    "attribute_name": null,
    "enabled": false
  }
}