hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

Resource `awscc_apprunner_service` non-mandatory attributes forcing replacement on update #815

Open AdrianBegg opened 1 year ago

AdrianBegg commented 1 year ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.3.5 on windows_amd64

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

```hcl
resource "awscc_apprunner_service" "example" {
  service_name                   = "example"
  auto_scaling_configuration_arn = aws_apprunner_auto_scaling_configuration_version.example.arn

  instance_configuration = {
    cpu    = 1024
    memory = 2048
  }

  observability_configuration = {
    observability_configuration_arn = awscc_apprunner_observability_configuration.example.observability_configuration_arn
    observability_enabled           = true
  }

  source_configuration = {
    auto_deployments_enabled = true

    authentication_configuration = {
      access_role_arn = aws_iam_role.example.arn
    }

    image_repository = {
      image_repository_type = "ECR"
      image_identifier      = "${aws_ecr_repository.example.repository_url}:latest"
      image_configuration = {
        port = 8080
      }
    }
  }

  network_configuration = {
    egress_configuration = {
      egress_type       = "VPC"
      vpc_connector_arn = awscc_apprunner_vpc_connector.example.vpc_connector_arn
    }
    ingress_configuration = {
      is_publicly_accessible = true
    }
  }
}
```

Debug Output

Panic Output

Expected Behavior

During terraform apply (after initial resource deployment), as no changes have been made since the last apply, the resource should remain outside of the plan.

Actual Behavior

The resource is marked as forced replacement. The triggering attributes are encryption_configuration.kms_key and tags.

```
  # awscc_apprunner_service.example must be replaced
-/+ resource "awscc_apprunner_service" "example" {
      + encryption_configuration       = { # forces replacement
          + kms_key = (known after apply)
        } -> (known after apply)
      + tags                           = [ # forces replacement
        ]
        # (4 unchanged attributes hidden)
    }
```

The expected behavior would be that: a) a tag update would not force a redeploy; and b) if encryption_configuration is not defined in the configuration and, during read, the API returned no KMS defined, this would be ignored/not included in the plan.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

breathingdust commented 1 year ago

Both encryption_configuration and tags are defined in the CloudFormation schema as createOnlyProperties:

https://github.com/hashicorp/terraform-provider-awscc/blob/f8e493036f442d0afd885c227b519574aa7faeee/internal/service/cloudformation/schemas/AWS_AppRunner_Service.json#L474-L478

This means those attributes use the RequiresReplace plan modifier, so will result in a redeploy if modified (which they are not).

Note that tags is also considered a writeOnlyProperty:

https://github.com/hashicorp/terraform-provider-awscc/blob/f8e493036f442d0afd885c227b519574aa7faeee/internal/service/cloudformation/schemas/AWS_AppRunner_Service.json#L485-L488
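
The cross-check described in the comment above, as an added example that is not part of the issue thread or the provider's code: it reads the forced-replacement attributes from Terraform's JSON plan output (`replace_paths`) and reports which of them the CloudFormation schema lists as create-only or write-only. The schema and plan excerpts are constructed from the values quoted on this page, and the CamelCase-to-snake_case mapping in `tf_name` is an assumption.

```python
import json
import re

# Constructed stand-in for the CloudFormation schema: only the two lists the
# comment above cites, with only the entries it names.
SCHEMA = json.loads("""{
  "typeName": "AWS::AppRunner::Service",
  "createOnlyProperties": ["/properties/EncryptionConfiguration", "/properties/Tags"],
  "writeOnlyProperties": ["/properties/Tags"]
}""")

# Constructed excerpt of `terraform show -json <planfile>` for the plan in the report.
PLAN = json.loads("""{"resource_changes": [{
  "address": "awscc_apprunner_service.example",
  "change": {"actions": ["delete", "create"],
             "replace_paths": [["encryption_configuration"], ["tags"]]}
}]}""")

def tf_name(pointer):
    """'/properties/EncryptionConfiguration' -> 'encryption_configuration'.
    Assumption: plain CamelCase-to-snake_case, which fits the names on this page."""
    parts = [p for p in pointer.split("/") if p and p != "properties"]
    return ".".join(re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", p).lower() for p in parts)

def explain_replacements(schema, plan):
    """Map each forced-replacement attribute in the plan to its schema flags."""
    create_only = {tf_name(p) for p in schema.get("createOnlyProperties", [])}
    write_only = {tf_name(p) for p in schema.get("writeOnlyProperties", [])}
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"delete", "create"} <= set(change.get("actions", [])):
            continue  # only replacements (delete + create) are of interest
        for path in change.get("replace_paths", []):
            if not path:
                continue
            attr = ".".join(str(step) for step in path)
            flags = [name for name, members in
                     (("create-only", create_only), ("write-only", write_only))
                     if str(path[0]) in members]
            findings[(rc["address"], attr)] = flags
    return findings

if __name__ == "__main__":
    for (address, attr), flags in explain_replacements(SCHEMA, PLAN).items():
        print(f"{address}: {attr} forces replacement ({', '.join(flags) or 'not in schema lists'})")
```

An attribute flagged both create-only and write-only, as tags is here, cannot be read back from the API, so the provider has no remote value to compare against when planning.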