hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Plan changes on every execution even though there are no changes to the code #18443

Open karolpivo opened 3 months ago

karolpivo commented 3 months ago

Community Note

Terraform Version & Provider Version(s)

Terraform v1.18.1 on Linux Ubuntu 22.04lts

Affected Resource(s)

google_securityposture_posture

Terraform Configuration

resource "google_securityposture_posture" "security-posture" {
  posture_id  = "security_posture"
  parent      = "organizations/${var.org_id}"
  location    = "global"
  state       = "ACTIVE"
  description = "Security Posture"
  policy_sets {
    policy_set_id = "Org policies"
    description   = "Set of Org Policies for"
    policies {
      policy_id   = "Define allowed external IPs for VM instances"
      description = "Prevent the creation of Compute instances with a public IP, which can expose them to internet ingress and egress."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "compute.vmExternalIpAccess"
          policy_rules {
            deny_all = true
          }
        }
      }
    }
    policies {
      policy_id   = "Disable Automatic IAM Grants for Default Service Accounts"
      description = "Prevent default service accounts from receiving the overly-permissive IAM role Editor at creation."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "iam.automaticIamGrantsForDefaultServiceAccounts"
          policy_rules {
            enforce = true
          }
        }
      }
    }
    policies {
      policy_id   = "Allow Generation 2 Cloud Functions only"
      description = "Allow Generation 2 Cloud Functions only. Prevents deployment of gen1 Cloud Functions."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "cloudfunctions.restrictAllowedGenerations"
          policy_rules {
            values {
              allowed_values = ["2ndGen"]
            }
          }
        }
      }
    }
    policies {
      policy_id   = "Disallow public ingress for Cloud Run"
      description = "Disallow public ingress for Cloud Run and Cloud Functions (gen2), allowing only internal and load balancer ingress."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "run.allowedIngress"
          policy_rules {
            values {
              allowed_values = [
                "internal-and-cloud-load-balancing",
                "internal"
              ]
            }
          }
        }
      }
    }
  }
}

Debug Output

No response

Expected Behavior

Plan does not change if the configuration does not change

Actual Behavior

Terraform wants to update-in-place on every plan execution even if the code does not change. It appears to be re-ordering the policies every time.

Steps to reproduce

  1. terraform apply
  2. terraform plan

Important Factoids

No response

References

No response

b/348054918

ggtisc commented 3 months ago

After some tries, due to restrictions, it isn't possible to reproduce this issue. It looks like a permadiff. I'm forwarding this issue to check it internally. It looks fairly like the case that policy_sets is a set instead of a list.
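The set-versus-list distinction the comment above points at is what decides whether a reordered API read produces a spurious update-in-place. The following Go program is an added illustration, not code from the provider or from either participant: the Policy and PolicySet types, ConfigPosture, Reordered, canonical and NeedsUpdate are simplified stand-ins I wrote for this example, and the sample data is the four policies from the issue's configuration, reduced to the fields that matter for the comparison. It shows that an order-sensitive (list) comparison flags a diff when the service merely returns the policies in a different order, while a canonicalised (set-like) comparison reports no diff for the reordered read but still catches a genuine change to a policy.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Policy is a simplified stand-in (assumption, not the provider's schema) for
// one policies block: its id, the canned constraint and the rule settings.
type Policy struct {
	PolicyID         string
	CannedConstraint string
	DenyAll          bool
	Enforce          bool
	AllowedValues    []string
}

// PolicySet is a simplified stand-in for one policy_sets block.
type PolicySet struct {
	PolicySetID string
	Policies    []Policy
}

// ConfigPosture builds the four policies from the issue's configuration in the
// order they are written there (constructed sample data for this example).
func ConfigPosture() []PolicySet {
	return []PolicySet{{
		PolicySetID: "Org policies",
		Policies: []Policy{
			{PolicyID: "Define allowed external IPs for VM instances", CannedConstraint: "compute.vmExternalIpAccess", DenyAll: true},
			{PolicyID: "Disable Automatic IAM Grants for Default Service Accounts", CannedConstraint: "iam.automaticIamGrantsForDefaultServiceAccounts", Enforce: true},
			{PolicyID: "Allow Generation 2 Cloud Functions only", CannedConstraint: "cloudfunctions.restrictAllowedGenerations", AllowedValues: []string{"2ndGen"}},
			{PolicyID: "Disallow public ingress for Cloud Run", CannedConstraint: "run.allowedIngress", AllowedValues: []string{"internal-and-cloud-load-balancing", "internal"}},
		},
	}}
}

// Reordered returns a copy in which every policy list is reversed, simulating
// an API read that returns the same policies in a different order.
func Reordered(sets []PolicySet) []PolicySet {
	out := make([]PolicySet, 0, len(sets))
	for _, s := range sets {
		cs := PolicySet{PolicySetID: s.PolicySetID}
		for i := len(s.Policies) - 1; i >= 0; i-- {
			cs.Policies = append(cs.Policies, s.Policies[i])
		}
		out = append(out, cs)
	}
	return out
}

// canonical returns a copy with policy sets and policies sorted by their ids
// and allowed_values sorted, so two equivalent postures compare equal no
// matter which order the service returned the nested blocks in.
func canonical(sets []PolicySet) []PolicySet {
	out := make([]PolicySet, 0, len(sets))
	for _, s := range sets {
		cs := PolicySet{PolicySetID: s.PolicySetID}
		for _, p := range s.Policies {
			cp := p
			cp.AllowedValues = append([]string(nil), p.AllowedValues...)
			sort.Strings(cp.AllowedValues)
			cs.Policies = append(cs.Policies, cp)
		}
		sort.Slice(cs.Policies, func(i, j int) bool {
			return cs.Policies[i].PolicyID < cs.Policies[j].PolicyID
		})
		out = append(out, cs)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].PolicySetID < out[j].PolicySetID })
	return out
}

// NeedsUpdate reports whether the configured posture differs from what the API
// returned. listSemantics=true compares the nested blocks as ordered lists,
// which is what yields an update-in-place on every plan when the service
// reorders them; listSemantics=false compares them as sets via canonical.
func NeedsUpdate(config, remote []PolicySet, listSemantics bool) bool {
	if listSemantics {
		return !reflect.DeepEqual(config, remote)
	}
	return !reflect.DeepEqual(canonical(config), canonical(remote))
}

func main() {
	cfg := ConfigPosture()
	remote := Reordered(cfg)
	fmt.Println("list semantics, reordered read  -> update?", NeedsUpdate(cfg, remote, true))
	fmt.Println("set semantics,  reordered read  -> update?", NeedsUpdate(cfg, remote, false))

	// Genuine drift (enforce flipped off out of band) must still be reported
	// under set semantics; only the ordering noise is suppressed.
	drifted := Reordered(cfg)
	drifted[0].Policies[2].Enforce = false
	fmt.Println("set semantics,  enforce flipped -> update?", NeedsUpdate(cfg, drifted, false))
}
```

Running it prints true for the list comparison of the reordered read and false for the set comparison, then true again once a rule setting actually changes. That last case is the check worth keeping in mind when a permadiff is suppressed: the comparison must ignore ordering, not content, or a real change to an org-policy constraint would go unnoticed by plan.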