aws_iam_policy_document with multiple principals in a dynamic block

[CyrilDevOps]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v1.1.3
on darwin_amd64

• provider registry.terraform.io/hashicorp/aws v3.71.0

Affected Resource(s)

• data aws_iam_policy_document

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

monikers = ["aaa","bbb"]

data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]


    dynamic "principals" {
      for_each = var.monikers
      content {
        type        = "AWS"
        identifiers = ["arn:aws:iam::12345:role/role_${lower(principals.value)}"]
      }
    }
  }
}

Debug Output

Panic Output

Expected Behavior

I was expecting terraform plan to return no change.
(I was just refreshing some other stuff, the previous plan/apply was with terraform 0.14.11,
I updated to the latest version of terraform at the same time)

I replaced the dynamic block by :
principals {
type = "AWS"
identifiers = [for k in var.monikers : "arn:aws:iam::12345:role/role_${lower(k)}"]
}
It the plan didn't return any change anymore.

Actual Behavior

  ~ resource "aws_iam_role" "xxx" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws:iam::12345:role/role_bbb",
                                "arn:aws:iam::12345:role/role_aaa",
                              + "arn:aws:iam::12345:role/role_bbb",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
...

Steps to Reproduce

Just terraform plan return always the same change in the list order in my role.

Important Factoids

References

• #0000

[CyrilDevOps]

Sorry, had to dig deeper on it as the error is poping again.
it seems the 'problem' is coming from AWS, doing a basic aws get-role --role-name myrole multiple time.
The order of both principals in the AssumeRolePolicyDocument of the role isn't stable,
most of the time its [ ...bbb,...aaa], but every few request aws return [...aaa,...bbb]

I think the provider should sort the list received from AWS and the list it make from the tf files
to compare if there are differences or not.

[CyrilDevOps]

Very similar to boto/boto3#1178 in boto3

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.