Amazon Connect Security Profiles can not be updated

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

terraform -version Terraform v1.2.8 on windows_amd64

provider registry.terraform.io/hashicorp/aws v5.69.0
provider registry.terraform.io/hashicorp/awscc v1.16.1

Your version of Terraform is out of date! The latest version is 1.9.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

awscc_connect_security_profile

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

security-profiles.tf

resource "awscc_connect_security_profile" "jb_cus_admin_profile" {
#update with your instance arn
  instance_arn          = "arn:aws:connect:us-east-1:<XXXXXX>:instance/<XXXXX>"
  security_profile_name = "jb_cus_admin_profile"

  description = "Admin profile for Customer Support"
  allowed_access_control_tags = [
    {
      key   = "company"
      value = "my_Company"
    },
    {
      key   = "lob"
      value = "my_LOB"
    }
  ]
  tag_restricted_resources = [
    "RoutingProfile",
    "OperatingHours",
    "User",
    "SecurityProfile",
    "Queue"
  ]
  tags = [
    {
      key   = "company"
      value = "my_Company"
    },
    {
      key   = "lob"
      value = "my_LOB"
    }
  ]
  permissions = toset([
    "AccessMetrics",
    "AccessMetrics.AgentActivityAudit.Access",
    "AccessMetrics.Dashboards.Access",
    "AccessMetrics.HistoricalMetrics.Access",
    "AccessMetrics.RealTimeMetrics.Access",
    "AgentStates.View",
    "AgentTimeCard.View",
    "AudioDeviceSettings.Access",
    "BasicAgentAccess",
    "ConfigureContactAttributes.View",
    "ContactAttributes.View",
    "ContactLensPostContactSummary.View",
    "ContactSearch.View",
    "ContactSearchWithCharacteristics.View",
    "ContactSearchWithKeywords.View",
    "DeleteCallRecordings",
    "DownloadCallRecordings",
    "GraphTrends.View",
    "ListenCallRecordings",
    "ManagerBargeIn",
    "ManagerListenIn",
    "MetricsReports.Create",
    "MetricsReports.Delete",
    "MetricsReports.Edit",
    "MetricsReports.Publish",
    "MetricsReports.Schedule",
    "MetricsReports.View",
    "MyContacts.View",
    "OutboundCallAccess",
    "PhoneNumbers.View",
    "Queues.View",
    "RealtimeContactLens.View",
    "RedactedData.View",
    "ReportSchedules.Create",
    "ReportSchedules.Delete",
    "ReportSchedules.Edit",
    "ReportSchedules.View",
    "ReportsAdmin.Access",
    "ReportsAdmin.Delete",
    "ReportsAdmin.Publish",
    "ReportsAdmin.Schedule",
    "ReportsAdmin.View",
    "RestrictTaskCreation.Access",
    "RoutingPolicies.Edit",
    "RoutingPolicies.View",
    "Rules.Create",
    "Rules.Delete",
    "Rules.Edit",
    "Rules.View",
    "SecurityProfiles.View",
    "TransferDestinations.View",
    "Users.Edit",
    "Users.View",
    "VoiceId.Access",
    "VoiceIdAttributesAndSearch.View",
    "HistoricalChanges.View"
  ])
}

provider.tf

terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      version               = ">=5.0.0"
      configuration_aliases = [aws]
    }
    awscc = {
      source                = "hashicorp/awscc"
      version               = ">= 1.0.0"
      configuration_aliases = [awscc]
    }
  }
}

provider "aws" {
}

provider "awscc" {
}

Debug Output

https://gist.github.com/btgann/a9d7bc386f6fbe698a1020c50100351f

Expected Behavior

When deploying Amazon Connect Security Profiles with the awscc provider the resource successfully deploys. Removing or adding new permissions to the profile should update the existing profile.

Actual Behavior

The provider errors and the security profile is not updated.

│ Error: AWS SDK Go Service Operation Unsuccessful │ │ with awscc_connect_security_profile.jb_cus_admin_profile, │ on security_profiles.tf line 1, in resource "awscc_connect_security_profile" "jb_cus_admin_profile": │ 1: resource "awscc_connect_security_profile" "jb_cus_admin_profile" { │ │ Calling Cloud Control API service UpdateResource operation returned: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: d29113aa-e54f-4555-bdef-f9ed3522363b, api error ValidationException:
│ index Out of bound, index is greater than 48

Steps to Reproduce

You will need an Amazon Connect Instance. The Connect Instance arn needs to be updated in the security-profiles.tf file. Use the security-profile.tf to deploy an Amazon Connect Security Profile with terraform. After successfully deploying the security profile remove permissions from the profile by commenting out 10 of the permissions in the list. Apply the change with terraform.

Important Factoids

Looking at the patch document that is sent to the cloud control api through terraform debug and sending the patch document to the api gets the same error message. I can shorten the number of permissions in the patch document and the api will succeed. The number of permissions that can be passed in the patch document is intermittent.

References

0000

The issue is that the permissions are being indexed and a number in the index must be given to remove the permissions. The exact number of that particular permission in the index. So if I look at the configuration in amazon connect there is a list of permissions in alphabetical order.

$ aws connect list-security-profile-permissions --instance-id 78d16dcd-fc58-4d6e-9980-d3ae448bd1b4 --security-profile-id 97af7a26-526a-4da1-a616-2716ee4dcb54                                                                                                                                                         {
    "Permissions": [
        "AccessMetrics",
        "AccessMetrics.AgentActivityAudit.Access",
        "AccessMetrics.Dashboards.Access",
        "AccessMetrics.HistoricalMetrics.Access",
        "AccessMetrics.RealTimeMetrics.Access",
        "RedactedData.View",
        "ReportsAdmin.Access",
        "ReportsAdmin.Publish",
        "ReportsAdmin.Schedule",
        "ReportsAdmin.View",
        "Users.Edit",
        "Users.View"
    ],
    "LastModifiedRegion": "us-east-1",
    "LastModifiedTime": "2024-10-01T07:45:23.965000-04:00"
}

If I look at the list of permissions from the cloud control api. There is a list, but order is not alphabetized. Or in any order I can understand... seems random, but maybe not.

$ aws cloudcontrol get-resource --type-name AWS::Connect::SecurityProfile --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54
{
    "TypeName": "AWS::Connect::SecurityProfile",
    "ResourceDescription": {
        "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
        "Properties": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"ReportsAdmin.Publish\",\"Users.Edit\",\"ReportsAdmin.Access\",\"AccessMetrics.HistoricalMetrics.Access\",\"AccessMetrics\",\"ReportsAdmin.Schedule\",\"AccessMetrics.AgentActivityAudit.Access\",\"RedactedData.View\",\"AccessMetrics.Dashboards.Access\",\"ReportsAdmin.View\",\"AccessMetrics.RealTimeMetrics.Access\"],\"LastModifiedTime\":1.727784501E9,\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"LastModifiedRegion\":\"us-east-1\",\"HierarchyRestrictedResources\":[]}"
    }
}

Now if I want to remove a particular permission I have to count the resources in this permissions list and pass in the permissions index value in the patch document.

aws cloudcontrol update-resource --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54 --type-name AWS::Connect::SecurityProfile --patch-document "[{\"op\":\"remove\",\"path\":\"/Permissions/0\"}]" 
This should remove the ReportsAdmin.Publish permission as its the first permission in the index.
{
    "ProgressEvent": {
        "TypeName": "AWS::Connect::SecurityProfile",
        "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
        "RequestToken": "b673d070-3c8e-4ad0-be1f-a2cea6c68526",
        "Operation": "UPDATE",
        "OperationStatus": "IN_PROGRESS",
        "EventTime": "2024-10-01T09:27:25.970000-04:00",
        "ResourceModel": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"Users.Edit\",\"ReportsAdmin.Access\",\"AccessMetrics.HistoricalMetrics.Access\",\"AccessMetrics\",\"ReportsAdmin.Schedule\",\"AccessMetrics.AgentActivityAudit.Access\",\"RedactedData.View\",\"AccessMetrics.Dashboards.Access\",\"ReportsAdmin.View\",\"AccessMetrics.RealTimeMetrics.Access\"],\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"HierarchyRestrictedResources\":[]}"
    }
}

And the resource after update completes.

$ aws cloudcontrol get-resource --type-name AWS::Connect::SecurityProfile --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54
{
    "TypeName": "AWS::Connect::SecurityProfile",
    "ResourceDescription": {
        "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
        "Properties": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"Users.Edit\",\"ReportsAdmin.Access\",\"AccessMetrics.HistoricalMetrics.Access\",\"AccessMetrics\",\"ReportsAdmin.Schedule\",\"AccessMetrics.AgentActivityAudit.Access\",\"RedactedData.View\",\"AccessMetrics.Dashboards.Access\",\"ReportsAdmin.View\",\"AccessMetrics.RealTimeMetrics.Access\"],\"LastModifiedTime\":1.727789246E9,\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"LastModifiedRegion\":\"us-east-1\",\"HierarchyRestrictedResources\":[]}"
    }
}

So the question is should the cloud control api allow updating the permission list by name? This makes sense, but not sure the cloud control api team would agree. It would be impossible for terraform to know the index value without getting the resource configuration from the cloudcontrol api before trying to make an update. Does that mean the terraform provider has to do some comparison between what the cloudcontrol resource configuration is, the terraform state file, and requested updates?

The one operation I have not tried is inserting a permission with the cloudcontrol api. When doing an add how would you know what index value to use for the insert. The index is not an alphabetized list so not sure what happens when you insert a value into the index.

{"op":"add","path":"/Permissions/7","value":"ContactSearchWithKeywords.Access"}

For example what makes the permission ContactSearchWithKeywords.Access in any given routing profile number 7 in the index?

I can add permissions to the list of permissions by appending to the index.

$ aws cloudcontrol update-resource --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54 --type-name AWS::Connect::SecurityProfile --patch-document "[{\"op\":\"add\",\"path\":\"/Permissions/10\",\"value\":\"HistoricalChanges.View\"}]"
{
    "ProgressEvent": {
        "TypeName": "AWS::Connect::SecurityProfile",
        "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
        "RequestToken": "f5d62250-2f7c-4a45-a65b-b06db0ced01d",
        "Operation": "UPDATE",
        "OperationStatus": "IN_PROGRESS",
        "EventTime": "2024-10-01T10:24:26.785000-04:00",
        "ResourceModel": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"Users.Edit\",\"ReportsAdmin.Access\",\"AccessMetrics.HistoricalMetrics.Access\",\"AccessMetrics\",\"ReportsAdmin.Schedule\",\"AccessMetrics.AgentActivityAudit.Access\",\"RedactedData.View\",\"AccessMetrics.Dashboards.Access\",\"ReportsAdmin.View\",\"AccessMetrics.RealTimeMetrics.Access\",\"HistoricalChanges.View\"],\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"HierarchyRestrictedResources\":[]}"
    }
}

This puts the permission in the index.

$ aws cloudcontrol get-resource --type-name AWS::Connect::SecurityProfile --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54                                                                                     {
    "TypeName": "AWS::Connect::SecurityProfile",
    "ResourceDescription": {
        "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
        "Properties": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"Users.Edit\",\"ReportsAdmin.Access\",\"AccessMetrics.HistoricalMetrics.Access\",\"AccessMetrics\",\"ReportsAdmin.Schedule\",\"AccessMetrics.AgentActivityAudit.Access\",\"RedactedData.View\",\"AccessMetrics.Dashboards.Access\",\"ReportsAdmin.View\",\"HistoricalChanges.View\",\"AccessMetrics.RealTimeMetrics.Access\"],\"LastModifiedTime\":1.727792666E9,\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"LastModifiedRegion\":\"us-east-1\",\"HierarchyRestrictedResources\":[]}"
    }
}

Now the newly added permission, HistoricalChanges.View, is 10 in the index. If I remove a permission, ReportsAdmin.Access, from the index. This changes the permission, HistoricalChanges.View, in the index.

$ aws cloudcontrol update-resource --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54 --type-name AWS::Connect::SecurityProfile --patch-document "[{\"op\":\"remove\",\"path\":\"/Permissions/1\"}]"
{
    "ProgressEvent": {
        "TypeName": "AWS::Connect::SecurityProfile",
        "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
        "RequestToken": "e7c16ad0-18ef-40ee-b29b-856b180da1ee",
        "Operation": "UPDATE",
        "OperationStatus": "IN_PROGRESS",
        "EventTime": "2024-10-01T10:36:19.221000-04:00",
        "ResourceModel": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"Users.Edit\",\"AccessMetrics.HistoricalMetrics.Access\",\"AccessMetrics\",\"ReportsAdmin.Schedule\",\"AccessMetrics.AgentActivityAudit.Access\",\"RedactedData.View\",\"AccessMetrics.Dashboards.Access\",\"ReportsAdmin.View\",\"HistoricalChanges.View\",\"AccessMetrics.RealTimeMetrics.Access\"],\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"HierarchyRestrictedResources\":[]}"
    }
}

There are two options to fix this.

Replace the entire permission list when there is an update. The requires using "replace" as the action in the cloud control api patch document instead of individual adds and remove. This aligns with how the underlying api handles updates. Cloudformation follows this methodology because it uses the under api.

$ aws cloudcontrol update-resource --identifier arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54 --type-name AWS::Connect::SecurityProfile --patch-document "[{\"op\":\"replace\",\"path\":\"/Permissions\",\"value\":[\"HistoricalChanges.View\",\"ReportsAdmin.View\",\"MetricsReports.Delete\",\"ContactAttributes.View\",\"Users.Edit\"]}]"
{
"ProgressEvent": {
    "TypeName": "AWS::Connect::SecurityProfile",
    "Identifier": "arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54",
    "RequestToken": "4f754d8e-66d2-4b3e-8398-1f283c0cbff9",
    "Operation": "UPDATE",
    "OperationStatus": "IN_PROGRESS",
    "EventTime": "2024-10-01T15:48:13.177000-04:00",
    "ResourceModel": "{\"AllowedAccessControlTags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"Description\":\"Admin profile for Customer Support\",\"Applications\":[],\"SecurityProfileArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4/security-profile/97af7a26-526a-4da1-a616-2716ee4dcb54\",\"InstanceArn\":\"arn:aws:connect:us-east-1:126597142151:instance/78d16dcd-fc58-4d6e-9980-d3ae448bd1b4\",\"Permissions\":[\"HistoricalChanges.View\",\"ReportsAdmin.View\",\"MetricsReports.Delete\",\"ContactAttributes.View\",\"Users.Edit\"],\"SecurityProfileName\":\"jb_cus_admin_profile\",\"TagRestrictedResources\":[\"OperatingHours\",\"RoutingProfile\",\"User\",\"SecurityProfile\",\"Queue\"],\"Tags\":[{\"Value\":\"custsvc\",\"Key\":\"lob\"},{\"Value\":\"jb\",\"Key\":\"company\"}],\"HierarchyRestrictedResources\":[]}"
}
}

Retrieve the current state of the security profile from the cloud control api and compare the current index of permissions to the desired state in terraform and make individual add and removes with the correct index value for the permission. Removal must be done in a descending order and then adds can be appended to the index.

@btgann , thanks for reporting the issue. I was able to replicate this issue with smaller resource config to make it easier to debug.

HCL config

shorten for brevity

resource "awscc_connect_security_profile" "jb_cus_admin_profile" {
  instance_arn          = "arn:aws:connect:us-east-1:204034886740:instance/6f462f32-6c4a-45b3-95a6-c657a447c22c"
  . . .
  permissions = tolist([
    "AccessMetrics",
    "AgentStates.View",
    "GraphTrends.View",
    "Users.View",
  ])
}

Terraform state

shorten for brevity

{
  "resources": [
    {
      "mode": "managed",
      "type": "awscc_connect_security_profile",
       . . .
            "permissions": [
              "AccessMetrics",
              "AgentStates.View",
              "GraphTrends.View",
              "Users.View"
            ],

}

Amazon Connect API (direct)

aws connect list-security-profile-permissions --instance-id 6f462f32-6c4a-45b3-95a6-c657a447c22c --security-profile-id b8a09ac9-efc9-4271-9561-f912b7ffdad0
{
    "Permissions": [
        "AccessMetrics",
        "AgentStates.View",
        "GraphTrends.View",
        "Users.View"
    ],
    "LastModifiedRegion": "us-east-1",
    "LastModifiedTime": "2024-10-01T20:02:35.003000-07:00"
}

CCAPI GetResource

aws cloudcontrol get-resource --type-name AWS::Connect::SecurityProfile --identifier arn:aws:connect:us-east-1:204034886740:instance/6f462f32-6c4a-45b3-95a6-c657a447c22c/security-profile/b8a09ac9-efc9-4271-9561-f912b7ffdad0 | jq -r ".ResourceDescription.Properties" | jq ".Permissions"
[
  "Users.View",
  "GraphTrends.View",
  "AccessMetrics",
  "AgentStates.View"
]

It's clear that CCAPI GetResource response is not in the same order with Amazon Connect API nor the HCL config and Terraform statefile.

This I believe is the crux of the problem (ordering on the CCAPI).

To dive deeper, let's say I updated the configuration as follow

HCL Config

shorten for brevity

resource "awscc_connect_security_profile" "jb_cus_admin_profile" {
  instance_arn          = "arn:aws:connect:us-east-1:204034886740:instance/6f462f32-6c4a-45b3-95a6-c657a447c22c"
  . . .
  permissions = tolist([
    "AccessMetrics",
    # "AgentStates.View", <-- comment out
    "GraphTrends.View",
    "Users.View",
  ])
}

Cloud Control API PatchDocument

Shorten for brevity, the patch target removal of permission on index #1, which should be for AgentStates.View

However it's important to remember that on CCAP earlier, index #1 is for GraphTrends.View

 value="[
          {
            "op": "remove",
            "path": "/Permissions/1"
          }
        ]"

Amazon Connect API (direct)

As expected, Connect shown that GraphTrends.View is removed instead of AgentStates.View

aws connect list-security-profile-permissions --instance-id 6f462f32-6c4a-45b3-95a6-c657a447c22c --security-profile-id b8a09ac9-efc9-4271-9561-f912b7ffdad0
{
    "Permissions": [
        "AccessMetrics",
        "AgentStates.View",
        "Users.View"
    ],
    "LastModifiedRegion": "us-east-1",
    "LastModifiedTime": "2024-10-01T20:09:02.037000-07:00"
}

For now, I consider this as upstream AWS issue, because the response from CCAPI != Amazon Connect.

Fixing the ordering on the CCAPI is the most straightforward way, considering the Connect API already stores the permissions in alphabetical order. As such, by updating any permission in the list on HCL, AWSCC can order the list and specify the index to remove and it will match the same index number in Connect API. This was described earlier in here

There's also opportunity for AWSCC to try re-conciliate the order of permissions items to match output from CCAPI. This might require custom plan modifiers beyond what we have today (UseStateForUnknown) and I consider as non-preferential way to do it.

This is not an upstream-aws issue. The issue is related to how the awscc provider is writing a patch document for adding and removing permissions with an index value. The alignment of the permission to a particular index value cannot be guaranteed and the terraform resource updates fail if the permissions are not aligned in the index with the terraform state.

The awscc provider is not reading the configuration from the cloud control api and making a comparison of the current state to the desired state, while indexing the permission list. The awscc provider is assuming the state has not changed, (permission list with index), and erroring if the state does not match.

For example if I remove a permission from the list in the console and then run an update with terraform the awscc provider the operation will fail. This is because the index of the permission is not the same as in the terraform state.

The provider should update the resource based on the desired state in the terraform configuration file.

This update can be accomplished by using the "replace" operation in the patch document instead of individual "add" and "remove" operations. This would be consistent with the underlying apis expected operations.

What drives the decision to use "add" and "remove" operations versus "replace" in the provider logic?

hashicorp / terraform-provider-awscc