hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

awscc_ecr_repository: drift detected between subsequent terraform applies #1960

Open mattburgess opened 1 month ago

mattburgess commented 1 month ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

terraform -v
Terraform v1.9.3 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_ecr_repository" "ecr" {
  repository_name = "this"
}

Debug Output

Panic Output

Expected Behavior

Running terraform apply having made no change to the resource should show no changes to be applied.

Actual Behavior

The 2nd plan/apply produces:

Terraform will perform the following actions:

  # awscc_ecr_repository.ecr will be updated in-place
  ~ resource "awscc_ecr_repository" "ecr" {
      + empty_on_delete              = (known after apply)
        id                           = "vpc-tester"
      + lifecycle_policy             = (known after apply)
      + repository_policy_text       = (known after apply)
      + tags                         = (known after apply)
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Important Factoids

I can make the diff go away if I explicitly state the encryption_configuration in my config, e.g.

resource "awscc_ecr_repository" "ecr" {
  repository_name = "example"

  encryption_configuration = {
    encryption_type = "AES256"
  }
}

References

quixoticmonk commented 1 month ago

Thank you for opening the issue, @mattburgess. This looks like the default encryption being set on ECR, which the state file and your prior state (after deployment) pull down, against the proposed state, which doesn't have it (mapped to your configuration). The drift doesn't exist as you pass in the default encryption config as in your second example.

Debug log

2024-08-22T19:26:28.121-0400 [DEBUG] provider.terraform-provider-awscc_v1.10.0_x5: 
Detected value change between proposed new state and prior state: 
tf_provider_addr=registry.terraform.io/hashicorp/awscc 
tf_resource_type=awscc_ecr_repository 
@caller=github.com/hashicorp/terraform-plugin-framework@v1.11.0/internal/fwserver/server_planresourcechange.go:208 
@module=sdk.framework 
tf_attribute_path=encryption_configuration 
tf_req_id=87562fc7-79a3-eab2-1c99-5bd04f2c52f8 tf_rpc=PlanResourceChange timestamp=2024-08-22T19:26:28.120-0400
PlanResourceChange_Request_ProposedNewState.msgpack
{
  "arn": "arn:aws:ecr:us-east-1:############:repository/this",
  "empty_on_delete": null,
  "encryption_configuration": null,
  "id": "this",
  "image_scanning_configuration": {
    "scan_on_push": false
  },
  "image_tag_mutability": "MUTABLE",
  "lifecycle_policy": null,
  "repository_name": "this",
  "repository_policy_text": null,
  "repository_uri": "############.dkr.ecr.us-east-1.amazonaws.com/this",
  "tags": null
}
PlanResourceChange_Request_PriorState.msgpack
{
  "arn": "arn:aws:ecr:us-east-1:############:repository/this",
  "empty_on_delete": null,
  "encryption_configuration": {
    "encryption_type": "AES256",
    "kms_key": null
  },
  "id": "this",
  "image_scanning_configuration": {
    "scan_on_push": false
  },
  "image_tag_mutability": "MUTABLE",
  "lifecycle_policy": null,
  "repository_name": "this",
  "repository_policy_text": null,
  "repository_uri": "############.dkr.ecr.us-east-1.amazonaws.com/this",
  "tags": null
}

quixoticmonk commented 1 month ago

Opening an internal ticket to review if the schema should have the default encryption included.

wellsiau-aws commented 1 month ago

The latest CFN schema for AWS::ECR::Repository does not have a default value included for EncryptionType:

    "EncryptionType" : {
      "type" : "string",
      "description" : "The encryption type to use.",
      "enum" : [ "AES256", "KMS" ]
    },
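
The comparison made in the debug log above, as an added example that is not part of the original thread or of the provider's code: it walks the two state dumps and lists the attributes that are null in the proposed state (unset in configuration) but populated in the prior state (set by the service). The function names are hypothetical, and the two documents are trimmed copies of the dumps in the debug log.

```python
import json

# Trimmed copies of the ProposedNewState and PriorState dumps
# from the debug log in this thread.
PROPOSED_NEW_STATE = json.loads("""{
  "encryption_configuration": null,
  "image_scanning_configuration": {"scan_on_push": false},
  "image_tag_mutability": "MUTABLE",
  "lifecycle_policy": null,
  "repository_name": "this",
  "tags": null
}""")
PRIOR_STATE = json.loads("""{
  "encryption_configuration": {"encryption_type": "AES256", "kms_key": null},
  "image_scanning_configuration": {"scan_on_push": false},
  "image_tag_mutability": "MUTABLE",
  "lifecycle_policy": null,
  "repository_name": "this",
  "tags": null
}""")


def strip_nulls(value):
    """Drop null and empty-object members so they compare equal to absent keys."""
    if isinstance(value, dict):
        cleaned = {k: strip_nulls(v) for k, v in value.items()}
        return {k: v for k, v in cleaned.items() if v not in (None, {})}
    return value


def changed_paths(proposed, prior, path=""):
    """Yield (path, proposed, prior) for each attribute whose value differs."""
    if isinstance(proposed, dict) and isinstance(prior, dict):
        for key in sorted(set(proposed) | set(prior)):
            child = f"{path}.{key}" if path else key
            yield from changed_paths(proposed.get(key), prior.get(key), child)
    elif proposed != prior:
        yield path, proposed, prior


def service_defaulted(proposed, prior):
    """Paths that are unset in the proposed state but have a value in prior state."""
    diffs = changed_paths(strip_nulls(proposed), strip_nulls(prior))
    return [path for path, new, _old in diffs if new is None]


if __name__ == "__main__":
    for path in service_defaulted(PROPOSED_NEW_STATE, PRIOR_STATE):
        print(f"set by the service, absent from configuration: {path}")
```

For the dumps in this thread it reports `encryption_configuration`, the same path as `tf_attribute_path` in the log line.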