TF Plan Reports Changes in Error, TF Apply Ignores Them #29762

Closed
jbremson opened this issue Oct 14, 2021 · 2 comments
Labels
bug new new issue not yet triaged

Comments

@jbremson

We are seeing behavior where the tf plan reports changes that are not in the HCL.
However, the tf apply correctly ignores those changes.

Is there any way to silence or eliminate the warnings?

Terraform Version

Terraform v1.0.9
on linux_amd64
+ provider registry.terraform.io/cloudposse/awsutils v0.8.0
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v3.62.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/tls v3.1.0

Terraform Configuration Files

The relevant output from plan is:


Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # module.cluster.aws_iam_role.my-cluster has been changed
  ~ resource "aws_iam_role" "my-cluster" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ Service = [
                              - "eks.amazonaws.com",
                                "ec2.amazonaws.com",
                              + "eks.amazonaws.com",
                            ]
                        }
                        # (2 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        id                    = "my-cluster"
        name                  = "my-cluster"
        tags                  = {}
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.

Your configuration already matches the changes detected above. If you'd like
to update the Terraform state to match, create and apply a refresh-only plan:
  terraform apply -refresh-only
Releasing state lock. This may take a few moments...

This is the relevant HCL:

resource "aws_iam_role" "my-cluster" {
  name = "my-cluster"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "eks.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

Apply Output

Output from tf apply shows the changes referenced in the tf plan were ignored.

Acquiring state lock. This may take a few moments...
Releasing state lock. This may take a few moments...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Attempted Fixes

We did try to flip the ordering of the Service list, i.e.

          "ec2.amazonaws.com",
          "eks.amazonaws.com"
         ]
->
        "Service": [
          "eks.amazonaws.com",
          "ec2.amazonaws.com"
         ]

to see if the equality operator distinguished between differently ordered lists of the same items.
It made no difference.

@jbremson jbremson added bug new new issue not yet triaged labels Oct 14, 2021
@jbardin
Member

jbardin commented Oct 15, 2021

Hi @jbremson,

The changes shown by terraform are exactly those reported by the provider. This is to inform users when unexpected changes happen outside terraform, but unfortunately many resources are not stable in various ways. The fact that no changes are planned means that the provider is normalizing the differences during the plan, and showing there is actually no need to take any action.

As you can see, the behavior here is all up to the provider, so any improvements in this area would need to be done by the provider itself. The relevant change to Terraform would be to provide a way to suppress the drift output, which you can follow in #28803.

Thanks!

@jbardin jbardin closed this as completed Oct 15, 2021
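
One way to tell a reorder-only drift report on an assume_role_policy, like the one in this issue, from a real change to who may assume the role. This is an added example, not code from Terraform or the AWS provider; the function names and the `example-service.amazonaws.com` principal are constructed for illustration, and Condition blocks are compared as-is, so a reorder inside them is reported as a change.

```python
import json

# IAM treats these values as unordered sets; a bare string is a one-element set.
SET_KEYS = {"Action", "NotAction", "Resource", "NotResource"}

def as_sorted(value):
    return sorted({value} if isinstance(value, str) else set(value))

def norm_statement(stmt):
    out = {}
    for key, value in stmt.items():
        if key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            out[key] = {kind: as_sorted(ids) for kind, ids in value.items()}
        elif key in SET_KEYS:
            out[key] = as_sorted(value)
        else:
            out[key] = value  # Effect, Sid, Condition: compared as-is (conservative)
    return out

def normalize(policy_json):
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    normed = sorted((norm_statement(s) for s in stmts),
                    key=lambda s: json.dumps(s, sort_keys=True))
    return {"Version": doc.get("Version"), "Statement": normed}

def classify_drift(before, after):  # "cosmetic" = only ordering differs
    return "cosmetic" if normalize(before) == normalize(after) else "semantic"

def principal_changes(before, after):  # (added, removed) as (kind, identifier) pairs
    def flat(policy_json):
        found = set()
        for stmt in normalize(policy_json)["Statement"]:
            p = stmt.get("Principal", {})
            found.update([("*", p)] if isinstance(p, str) else
                         [(k, i) for k, ids in p.items() for i in ids])
        return found
    b, a = flat(before), flat(after)
    return sorted(a - b), sorted(b - a)

def trust(services):  # builds the constructed sample trust policies below
    stmt = {"Effect": "Allow", "Principal": {"Service": services}, "Action": "sts:AssumeRole"}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

BASE = ["ec2.amazonaws.com", "eks.amazonaws.com"]          # order used in the HCL
IN_CONFIG = trust(BASE)
REFRESHED = trust(BASE[::-1])                              # same services, reordered
WIDENED = trust(BASE + ["example-service.amazonaws.com"])  # constructed extra principal
```

`classify_drift(IN_CONFIG, REFRESHED)` returns "cosmetic", while the widened policy is "semantic" and `principal_changes` names the added service.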
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2021