Kendra Index being being forced replaced without any changes to the resource definition

[acbsn]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

We have integrated terraform with Gitlab, so we are using the gitlab's latest stable docker image:

registry.gitlab.com/gitlab-org/terraform-images/stable:latest

Provider:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
}

Affected Resource(s)

• awscc_kendra_index

Terraform Configuration Files

resource "awscc_kendra_index" "example" {
  edition     = "ENTERPRISE_EDITION"
  name        = "example"
  role_arn    = awscc_iam_role.kendra_iam_role.arn
  description = "example"
}

Debug Output

Panic Output

Expected Behavior

Running terraform plan without any changes to the kendra index definition should not force replace the resource.

Actual Behavior

After deploying the kendra index, running plan again always displays:

      + server_side_encryption_configuration = (known after apply) # forces replacement

causing the index to be deleted and recreated.

I tried explicitly adding a null configuration for the kms key, but it did not work.

  server_side_encryption_configuration = {
    kms_key_id = null
  }

And I also tried adding a lifecycle policy, but it also did not work,

lifecycle {
      ignore_changes = [
        server_side_encryption_configuration
      ]
    }

Steps to Reproduce

plan:
  stage: build
  script:
    - gitlab-terraform plan
    - gitlab-terraform plan-json
  artifacts:
    name: plan
    paths:
      - ${TF_ROOT}/plan.cache
    reports:
      terraform:  ${TF_ROOT}/plan.json

apply:
  stage: deploy
  script:
    - gitlab-terraform apply
  dependencies:
    - plan
  when: manual

Important Factoids

References

This issue might be related to: #1562

[quixoticmonk]

Thank you for opening the issue @acbsn . This does look like the issue #1139 from the resource recreation reference. I will try to test these out as the original replacement issue is fixed on #1712 .

[acbsn]

thanks for the reply @quixoticmonk, I will wait until you have tested it on your side too
I have tested it on my side again by explicitly adding the awscc provider version 1.1.0 (since it seems like the fix has been released as version 0.77.0 )

   awscc = {
      source  = "hashicorp/awscc"
      version = "~> 1.1.0"
    }

But the issue is still happening for me:

So for now I will just wait and see if you are able to validate the fix since I might be doing something wrong on my side, cheers

[wellsiau-aws]

I think this is very similar to issue discussed here

[wellsiau-aws]

@acbsn , thank you for reporting this issue. At the surface, it might looked like the problem was due to server_side_encryption_configuration.

Debug log is telling interesting story, the actual attribute in question is document_metadata_configurations

2024-06-28T16:19:25.641-0700 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5: Detected value change between proposed new state and prior state: tf_attribute_path=document_metadata_configurations tf_resource_type=awscc_kendra_index @caller=github.com/hashicorp/[email protected]/internal/fwserver/server_planresourcechange.go:208 tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=53bfe62c-85b6-711c-0b02-0c0640c47c83 tf_rpc=PlanResourceChange @module=sdk.framework timestamp=2024-06-28T16:19:25.641-0700

[wellsiau-aws]

relates to #1216