
[BUG] awscc_datazone_environment_profile and awscc_datazone_project resource failing to update "name" #1804

Open
nsb413 opened this issue Jun 7, 2024 · 5 comments
Labels
bug service/datazone upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency.

Comments

@nsb413

nsb413 commented Jun 7, 2024

Terraform CLI and Terraform AWS Cloud Control Provider Version

terraform -v
Terraform v1.8.1
on windows_386

Affected Resource(s)

awscc = {
  source  = "hashicorp/awscc"
  version = "~> 1.0"
}

Terraform Configuration Files


resource "awscc_datazone_project" "this" {
  domain_identifier = try(var.datazone_domain_id, null)
  name              = "${var.name}"
  lifecycle {
    ignore_changes = [glossary_terms]
  }
}

Debug Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # awscc_datazone_environment_profile.admin_project_datalake will be updated in-place
  ~ resource "awscc_datazone_environment_profile" "datalake" {
      + description                      = (known after apply)
        id                               = "xxxxxx"
      ~ name                             = "abc-data-lake-profile" -> "xyz-data-lake-profile"
        # (13 unchanged attributes hidden)
    }

  # awscc_datazone_project.business-catalog-project will be updated in-place
  ~ resource "awscc_datazone_project" "project" {
      + description       = (known after apply)
      + glossary_terms    = (known after apply)
        id                = "xxxxxx"
      ~ name              = "abc-project" -> "xyz-project"
        # (6 unchanged attributes hidden)
    }

Panic Output

Error: AWS SDK Go Service Operation Unsuccessful
│
│   with awscc_datazone_environment_profile.datalake,
│   on main.tf line 15, in resource "awscc_datazone_environment_profile" "datalake":
│   15: resource "awscc_datazone_environment_profile" "datalake" {
│
│ Calling Cloud Control API service UpdateResource operation returned:
│ operation error CloudControl: UpdateResource, https response error
│ StatusCode: 400, RequestID: 81e02a67-8da2-4b7e-98db-ca43be7b7933,
│ NotUpdatableException: Invalid patch update: createOnlyProperties
│ [/properties/DomainIdentifier, /properties/EnvironmentBlueprintIdentifier,
│ /properties/ProjectIdentifier] cannot be updated
╵
╷
│ Error: AWS SDK Go Service Operation Unsuccessful
│
│   with awscc_datazone_project.project,
│   on main.tf line 24, in resource "awscc_datazone_project" "project":
│   24: resource "awscc_datazone_project" "project" {
│
│ Calling Cloud Control API service UpdateResource operation returned:
│ operation error CloudControl: UpdateResource, https response error
│ StatusCode: 400, RequestID: 1734debd-f439-4c49-8f9b-76d3cf8a04b7,
│ NotUpdatableException: Invalid patch update: createOnlyProperties
│ [/properties/DomainIdentifier] cannot be updated
@nsb413
Author

nsb413 commented Jun 7, 2024

CloudTrail error

    "errorCode": "NotUpdatableException",
    "errorMessage": "Invalid patch update: createOnlyProperties [/properties/DomainIdentifier] cannot be updated",
    "requestParameters": {
        "typeName": "AWS::DataZone::Project",
        "clientToken": "terraform-xxxxx",
        "identifier": "dzd_xxx|xxx",
        "patchDocument": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },

    "errorCode": "NotUpdatableException",
    "errorMessage": "Invalid patch update: createOnlyProperties [/properties/DomainIdentifier, /properties/EnvironmentBlueprintIdentifier, /properties/ProjectIdentifier] cannot be updated",
    "requestParameters": {
        "typeName": "AWS::DataZone::EnvironmentProfile",
        "clientToken": "terraform-xxx",
        "identifier": "dzd_xxx|xxx",
        "patchDocument": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },

@quixoticmonk
Collaborator

quixoticmonk commented Jun 18, 2024

Thank you for opening the issue @nsb413. This is reproducible across the inputs for the datazone_project if you add a new input into the existing project, like description. The patch submitted seems to have an add on DomainIdentifier, which is a readonly parameter in this context.

Primary apply

resource "awscc_datazone_domain" "example" {
  name                  = "example"
  domain_execution_role = awscc_iam_role.example.arn
  description           = "Datazone domain example"


  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_iam_role" "example" {
  path = "/service-role/"
  assume_role_policy_document = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "datazone.amazonaws.com"
        },
        "Action" : [
          "sts:AssumeRole",
          "sts:TagSession"
        ],
        "Condition" : {
          "StringEquals" : {
            "aws:SourceAccount" : "############"
          },
          "ForAllValues:StringLike" : {
            "aws:TagKeys" : "datazone*"
          }
        }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy"]
}

resource "awscc_datazone_project" "engineering_project" {
  domain_identifier = awscc_datazone_domain.example.id
  name              = "example"
  description       = "test"
}

Update to description

resource "awscc_datazone_domain" "example" {
  name                  = "example"
  domain_execution_role = awscc_iam_role.example.arn
  description           = "Datazone domain example"


  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_iam_role" "example" {
  path = "/service-role/"
  assume_role_policy_document = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "datazone.amazonaws.com"
        },
        "Action" : [
          "sts:AssumeRole",
          "sts:TagSession"
        ],
        "Condition" : {
          "StringEquals" : {
            "aws:SourceAccount" : "############"
          },
          "ForAllValues:StringLike" : {
            "aws:TagKeys" : "datazone*"
          }
        }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy"]
}

resource "awscc_datazone_project" "engineering_project" {
  domain_identifier = awscc_datazone_domain.example.id
  name              = "example"
  description       = "test2"
}
2024-06-18T18:43:36.400-0400 [DEBUG] provider.terraform-provider-awscc_v1.2.0_x5: 
Cloud Control API PatchDocument:
 tf_resource_type=awscc_datazone_project tf_rpc=ApplyResourceChange value=
"[{\"op\":\"replace\",\"path\":\"/Description\",\"value\":\"test2\"},
{\"op\":\"add\",\"path\":\"/DomainIdentifier\",\"value\":\"dzd_agj6le0jcahgdj\"}]"
 tf_req_id=e53f4089-087c-ad1e-97c6-1522089294ca 
cfn_type=AWS::DataZone::Project 
tf_provider_addr=registry.terraform.io/hashicorp/awscc 
@caller=github.com/hashicorp/terraform-provider-awscc/internal/generic/resource.go:583 
@module=awscc timestamp=2024-06-18T18:43:36.400-0400

@quixoticmonk
Collaborator

Project

aws cloudcontrol get-resource --type-name AWS::DataZone::Project --identifier "dzd_agj6le0jcahgdj|bbb31gudr8knc7"
{
    "TypeName": "AWS::DataZone::Project",
    "ResourceDescription": {
        "Identifier": "dzd_agj6le0jcahgdj|bbb31gudr8knc7",
        "Properties": "{\"CreatedBy\":\"4314c73f-1073-4c71-8ba8-fe450cd4b91e\",\"Description\":\"test\",\"DomainId\":\"dzd_agj6le0jcahgdj\",\"LastUpdatedAt\":\"2024-06-18T22:42:03.297315197Z\",\"GlossaryTerms\":[],\"CreatedAt\":\"2024-06-18T22:42:03.297315197Z\",\"Id\":\"bbb31gudr8knc7\",\"Name\":\"example\"}"
    }
}

Domain

aws cloudcontrol get-resource --type-name AWS::DataZone::Domain --identifier "dzd_agj6le0jcahgdj"
{
    "TypeName": "AWS::DataZone::Domain",
    "ResourceDescription": {
        "Identifier": "dzd_agj6le0jcahgdj",
        "Properties": "{\"DomainExecutionRole\":\"arn:aws:iam::############:role/service-role/ioQ3tH2agTFXxQ0Vlb5zz4MgY-2GWpdQSr3ufi\",\"Status\":\"AVAILABLE\",\"Description\":\"Datazone domain example\",\"LastUpdatedAt\":\"2024-06-18T22:23:32.095Z\",\"PortalUrl\":\"https://dzd_agj6le0jcahgdj.datazone.us-east-1.on.aws\",\"CreatedAt\":\"2024-06-18T22:23:31.967Z\",\"Id\":\"dzd_agj6le0jcahgdj\",\"Arn\":\"arn:aws:datazone:us-east-1:############:domain/dzd_agj6le0jcahgdj\",\"ManagedAccountId\":\"\",\"Tags\":[{\"Value\":\"AWSCC\",\"Key\":\"Modified By\"}],\"Name\":\"example\",\"SingleSignOn\":{\"Type\":\"DISABLED\"}}"
    }
}

@wellsiau-aws
Collaborator

wellsiau-aws commented Jun 19, 2024

Interesting note: the debug log here indicates that this is a createOnlyProperties: #1804 (comment)

but the provider only marked it as writeOnlyProperties: https://github.com/hashicorp/terraform-provider-awscc/blob/main/internal/aws/datazone/project_resource_gen.go#L229-L231

For background, this PR addresses the problem when trying to update a resource with writeOnlyProperties; however, we don't account for the situation where a resource attribute is both createOnlyProperties and writeOnlyProperties. cc @ewbankkit as FYI.

That said, I would argue that for this particular attribute, domain_identifier, there is no reason why it should be both createOnlyProperties and writeOnlyProperties. I consider this an upstream-aws issue, cc @quixoticmonk

@wellsiau-aws wellsiau-aws added service/datazone upstream-aws Unable to proceed due to missing or broken functionality from an AWS dependency. labels Jun 19, 2024
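The failure mode in the comments above (a writeOnly property that is absent from the read-back state, so the provider emits an "add" for it, which the service rejects because the property is also createOnly) can be caught before UpdateResource is called. The following Go pre-flight check is an added example, not code from terraform-provider-awscc; the createOnly list is taken from the service error message in this thread and the patch document from the debug log, and the "/properties/<Name>" path form is an assumption matching that message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 operation from a Cloud Control API PatchDocument.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value any    `json:"value,omitempty"`
}

// Constructed sample: the createOnlyProperties of AWS::DataZone::Project, in the
// "/properties/<Name>" form used by the schema and by the service error message.
var ProjectCreateOnly = []string{"/properties/DomainIdentifier"}

// CheckPatch parses a PatchDocument and splits it into the operations the service
// would accept and the createOnly schema paths it would reject. An "add" on a
// createOnly property (the thread's case) is rejected like any other op on it.
func CheckPatch(doc string, createOnly []string) (allowed []PatchOp, rejected []string, err error) {
	var ops []PatchOp
	if err = json.Unmarshal([]byte(doc), &ops); err != nil {
		return nil, nil, err
	}
	locked := map[string]bool{}
	for _, p := range createOnly {
		locked[p] = true
	}
	for _, op := range ops {
		// "/DomainIdentifier/0" and "/DomainIdentifier" both edit the same property.
		name := strings.SplitN(strings.TrimPrefix(op.Path, "/"), "/", 2)[0]
		if p := "/properties/" + name; locked[p] {
			rejected = append(rejected, p)
			continue
		}
		allowed = append(allowed, op)
	}
	return allowed, rejected, nil
}

func main() {
	// The patch document from the provider debug log in this thread.
	doc := `[{"op":"replace","path":"/Description","value":"test2"},{"op":"add","path":"/DomainIdentifier","value":"dzd_agj6le0jcahgdj"}]`
	allowed, rejected, err := CheckPatch(doc, ProjectCreateOnly)
	fmt.Println(len(allowed), rejected, err) // 1 [/properties/DomainIdentifier] <nil>
}
```

The same check with the three-element createOnly list from the EnvironmentProfile error reproduces that message's rejected paths as well.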
@quixoticmonk
Collaborator

Opened an internal ticket with the service team to review the schema and property.
