aws.amplify.DomainAssociation always wants to update despite no changes

[james-tindal]

Describe what happened

Pulumi always thinks my code has had a certificateSettings key removed from the DomainAssociation arguments. The problem is fixed by adding certificateSettings: { type: 'AMPLIFY_MANAGED' } to the DomainAssociation arguments.

Sample program

The code:

```ts import * as pulumi from '@pulumi/pulumi' import * as aws from '@pulumi/aws' const config = new pulumi.Config() const githubRepo = 'james-tindal/game-of-life' const githubToken = config.requireSecret('github-access-token') const amplifyApp = new aws.amplify.App('amplify-game-of-life', { name: `game-of-life.jamestindal.co.uk`, repository: `https://github.com/${githubRepo}`, accessToken: githubToken, buildSpec: ` version: 1 frontend: artifacts: baseDirectory: src files: - '**/*' ` }) const mainBranch = new aws.amplify.Branch('amplify main branch', { appId: amplifyApp.id, branchName: 'main' }) const domainAssociation = new aws.amplify.DomainAssociation('domain association', { appId: amplifyApp.id, domainName: 'jamestindal.co.uk', subDomains: [{ branchName: mainBranch.branchName, prefix: 'game-of-life', }], waitForVerification: true }) ```

Log output

pulumi preview:

pulumi preview --diff:

Affected Resource(s)

aws.amplify.DomainAssociation

Output of pulumi about

``` CLI Version 3.123.0 Go Version go1.22.5 Go Compiler gc Plugins KIND NAME VERSION resource aws 6.44.0 resource aws 6.44.0 resource awsx 2.13.0 resource awsx 2.13.0 resource docker 4.5.4 resource docker 4.5.4 resource docker 3.6.1 resource docker 3.6.1 language nodejs unknown Host OS darwin Version 14.5 Arch x86_64 This project is written in nodejs: executable='/usr/local/bin/node' version='v22.4.1' Backend Name pulumi.com URL https://app.pulumi.com/uJEmLiaoJzSIsPRHtHQynpXoYqP5b4sMeLmhJywZ User uJEmLiaoJzSIsPRHtHQynpXoYqP5b4sMeLmhJywZ Organizations uJEmLiaoJzSIsPRHtHQynpXoYqP5b4sMeLmhJywZ Token type personal Pulumi locates its logs in /var/folders/_8/k71zvsq96fz4rvtrdyygkhx00000gp/T/ by default warning: Failed to get information about the Pulumi program's dependencies: could not find either /Users/user/code/james-tindal.co.uk/yarn.lock or /Users/user/code/james-tindal.co.uk/package-lock.json warning: Failed to get information about the current stack: No current stack ```

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[corymhall]

@james-tindal thanks for bringing this to our attention. I've been able to repro this and confirm that this is only an issue with Pulumi (Terraform does not have this issue).

I also tried this with PlanResourceChange which did not fix the issue.

Note: If you want to try and reproduce this you will need a real domain (domain_name) and will have to manually add the CNAME records while the domain association is creating.

https://github.com/hashicorp/terraform-provider-aws/blob/c1277a5b4f3c4c9d6e04b83805809dcd26e7d1e5/internal/service/amplify/domain_association.go#L52-L74

Terraform code:

```hcl locals { github_repo = "" github_token = "" domain_name = "" } resource "aws_amplify_app" "example" { name = "game-of-life.${local.domain_name}" repository = "https://github.com/${local.github_repo}" access_token = local.github_token build_spec = <<-EOT version: 1 frontend: artifacts: baseDirectory: src files: - '**/*' EOT } resource "aws_amplify_branch" "example" { app_id = aws_amplify_app.example.id branch_name = "main" } resource "aws_amplify_domain_association" "example" { app_id = aws_amplify_app.example.id domain_name = local.domain_name sub_domain { branch_name = aws_amplify_branch.example.branch_name prefix = "game-of-life" } wait_for_verification = true } ```

grpc logs:

```console { "method": "/pulumirpc.ResourceProvider/Diff", "request": { "id": "dwe82rhfivmh8/corymhall.com", "urn": "urn:pulumi:dev::pulumi-typescript-app::aws:amplify/domainAssociation:DomainAssociation::domain association", "olds": { "appId": "dwe82rhfivmh8", "arn": "arn:aws:amplify:us-east-2:616138583583:apps/dwe82rhfivmh8/domains/corymhall.com", "certificateSettings": { "certificateVerificationDnsRecord": "_38981cc15793fe1fa9d171106734e757.corymhall.com. CNAME _d7b11b54b4354db45e28cb990e01cdc2.sdgjtdhdhz.acm-validations.aws.", "customCertificateArn": "", "type": "AMPLIFY_MANAGED" }, "certificateVerificationDnsRecord": "_38981cc15793fe1fa9d171106734e757.corymhall.com. CNAME _d7b11b54b4354db45e28cb990e01cdc2.sdgjtdhdhz.acm-validations.aws.", "domainName": "corymhall.com", "enableAutoSubDomain": false, "id": "dwe82rhfivmh8/corymhall.com", "subDomains": [ { "branchName": "main", "dnsRecord": "game-of-life CNAME d1vk7opjtvrijc.cloudfront.net", "prefix": "game-of-life", "verified": true } ], "waitForVerification": true }, "news": { "__defaults": [ "enableAutoSubDomain" ], "appId": "dwe82rhfivmh8", "domainName": "corymhall.com", "enableAutoSubDomain": false, "subDomains": [ { "__defaults": [], "branchName": "main", "prefix": "game-of-life" } ], "waitForVerification": true }, "oldInputs": { "__defaults": [ "enableAutoSubDomain" ], "appId": "dwe82rhfivmh8", "domainName": "corymhall.com", "enableAutoSubDomain": false, "subDomains": [ { "__defaults": [], "branchName": "main", "prefix": "game-of-life" } ], "waitForVerification": true } }, "response": { "stables": [ "appId", "domainName" ], "changes": "DIFF_SOME", "diffs": [ "certificateSettings" ], "detailedDiff": { "certificateSettings": { "kind": "UPDATE" }, "certificateSettings.type": { "kind": "DELETE" } }, "hasDetailedDiff": true }, "metadata": { "kind": "resource", "mode": "client", "name": "aws" } } ```