terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0
787 stars, 1k forks

iam-assumable-role assume_role_policy showing changes without actual changes #513

Open davekonopka opened 2 months ago

davekonopka commented 2 months ago

Description

We're running into an issue with the iam-assumable-role submodule showing changes for the aws_iam_role resource's assume_role_policy field when no changes exist. This also seems to trigger multiple data resource reads, creating a lot of plan noise.

One thing I noticed is that the list of Principals is reversed between the data aws_iam_policy_document and the resource "aws_iam_role" field. Could this be the issue?

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (ONLY if state is stored remotely, which is hopefully the best practice you are already following!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

Reproduction Code [Required]

Steps to reproduce the behavior:

No. Yes.

module "iam_assumable_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "5.44.0"

  trusted_role_arns = [
    "arn:aws:iam::${var.account_ids.account_one}:root",
    "arn:aws:iam::${var.account_id}:role/{{REDACTED}}",
    "arn:aws:iam::{{REDACTED}}:role/{{REDACTED}}"
  ]

  create_role = true

  role_path         = "/internal/team"
  role_name         = "platform"
  role_requires_mfa = false

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ]
  number_of_custom_role_policy_arns = 1
}

Expected behavior

No changes show for a plan when no changes exist.

Actual behavior

Changes show for assume_role_policy on the role and multiple data resources are read, but no real changes exist.

Terminal Output Screenshot(s)

Additional context

Example plan output

We use this module within one of our own modules. That's why the resources show an extra layer. My example removes this layer and still has the issue.

  # module.team_roles["platform"].module.iam_assumable_role.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.team_roles["platform"].module.iam_assumable_role.data.aws_iam_policy_document.assume_role[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
              + "sts:TagSession",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::{{REDACTED}}:role/{{REDACTED}}",
                  + "arn:aws:iam::{{REDACTED}}:role/{{REDACTED}}",
                  + "arn:aws:iam::{{REDACTED}}:root",
                ]
              + type        = "AWS"
            }
          + principals {
              + identifiers = []
              + type        = "Service"
            }
        }
    }

  # module.team_roles["platform"].module.iam_assumable_role.data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.team_roles["platform"].module.iam_assumable_role.aws_iam_role.this[0] will be updated in-place
  ~ resource "aws_iam_role" "this" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = [
                          - "sts:TagSession",
                          - "sts:AssumeRole",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS     = [
                              - "arn:aws:iam::{{REDACTED}}:root",
                              - "arn:aws:iam::{{REDACTED}}:role/{{REDACTED}}",
                              - "arn:aws:iam::{{REDACTED}}:role/{{REDACTED}}",
                            ]
                          - Service = []
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "platform"
        name                  = "platform"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

davekonopka commented 2 months ago
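The plan above replaces the whole assume_role_policy with "(known after apply)", so the diff itself cannot tell you whether the trust policy is really changing or only being re-rendered with the principals in a different order. The following is an added example, not code from the issue or from terraform-aws-modules: a small checker that normalizes two IAM trust policy documents (list order of Action and Principal identifiers, empty principal blocks, single-string vs list forms) and reports the set of grants that actually differ. Both documents are constructed here; the "before" mirrors the shape of the state shown in the plan with placeholder account IDs, and the "after" is what the data source would render from the same three principals in reversed order, as described in the report. A third, tampered document is included to show what a real change looks like. The account IDs and role names are placeholders.

```python
import json

# Constructed "before": the trust policy as the plan shows it in state,
# with the redacted identifiers replaced by placeholder account IDs.
BEFORE_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["sts:TagSession", "sts:AssumeRole"],
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111111111111:root",
                "arn:aws:iam::222222222222:role/deploy",
                "arn:aws:iam::333333333333:role/ops",
            ],
            "Service": [],
        },
    }],
})

# Constructed "after": same grants, rendered the way the data source orders
# them in the plan (principals reversed, empty Service block omitted).
AFTER_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::333333333333:role/ops",
            "arn:aws:iam::222222222222:role/deploy",
            "arn:aws:iam::111111111111:root",
        ]},
    }],
})

# Constructed "tampered" document: one extra account root added to the trust.
TAMPERED_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:root",
            "arn:aws:iam::222222222222:role/deploy",
            "arn:aws:iam::333333333333:role/ops",
            "arn:aws:iam::444444444444:root",
        ]},
    }],
})

SET_FIELDS = ("Action", "NotAction", "Resource", "NotResource")


def _as_sorted_list(v):
    """IAM accepts "x" and ["x"] interchangeably; order in a list is not significant."""
    return sorted({v} if isinstance(v, str) else set(v))


def _normalize_principal(p):
    if isinstance(p, str):          # "*" or a single ARN
        return p
    out = {}
    for ptype, ids in p.items():
        ids = _as_sorted_list(ids)
        if ids:                     # an empty identifier list grants nothing; drop it
            out[ptype] = ids
    return out


def _normalize_statement(s):
    s = dict(s)
    s.pop("Sid", None)              # Sid is a label, not part of the grant
    for k in SET_FIELDS:
        if k in s:
            s[k] = _as_sorted_list(s[k])
    for k in ("Principal", "NotPrincipal"):
        if k in s:
            s[k] = _normalize_principal(s[k])
    return s


def normalize_policy(doc):
    """Canonical form of a policy document (str or dict) for order-insensitive comparison."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):     # a single statement may be written without the list
        stmts = [stmts]
    norm = [_normalize_statement(s) for s in stmts]
    norm.sort(key=lambda s: json.dumps(s, sort_keys=True))   # statement order is not significant
    return {"Version": doc.get("Version"), "Statement": norm}


def policies_equivalent(a, b):
    return normalize_policy(a) == normalize_policy(b)


def grants(doc):
    """Flatten Allow/Deny statements into (effect, action, principal type, principal, condition) tuples."""
    out = set()
    for s in normalize_policy(doc)["Statement"]:
        cond = json.dumps(s.get("Condition", {}), sort_keys=True)
        principal = s.get("Principal", {})
        pairs = [("*", "*")] if principal == "*" else \
            [(t, i) for t, ids in principal.items() for i in ids]
        for action in s.get("Action", []):
            for ptype, pid in pairs:
                out.add((s.get("Effect"), action, ptype, pid, cond))
    return out


def trust_policy_diff(before, after):
    """Return (added, removed) grants; both empty means the plan diff is ordering noise only."""
    b, a = grants(before), grants(after)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print("reordered doc equivalent:", policies_equivalent(BEFORE_JSON, AFTER_JSON))
    print("tampered doc added grants:", trust_policy_diff(BEFORE_JSON, TAMPERED_JSON)[0])
```

To use it against a real plan, take the "before" side from the jsonencode(...) block the plan prints (or from terraform show -json on the saved plan) and the "after" side from the policy your data source renders once it is known; if trust_policy_diff returns two empty lists, the apply will not change who can assume the role. NotPrincipal and policy-level Condition operators are carried into the canonical form but not expanded into grants, so a change to those shows up in policies_equivalent rather than in the grant diff.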

It seems like this issue may be pointing to the same problem: #495

albernhagen commented 1 month ago

I'm also encountering this same issue.

github-actions[bot] commented 6 days ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.