Perpetual diff when using an aws_ecs_service ARN in an IAM policy

[jrobison-sb]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform --version
Terraform v0.12.28
+ provider.aws v3.3.0

Affected Resource(s)

• data.aws_iam_policy_document
• aws_iam_policy
• aws_ecs_service

Terraform Configuration Files

data "aws_iam_policy_document" "mypolicy" {
  statement {
    sid     = "AllowEcsUpdateService"
    effect  = "Allow"
    actions = ["ecs:UpdateService"]
    resources = [aws_ecs_service.myservice.id]
  }
}

resource "aws_iam_policy" "mypolicy" {
  name   = "mypolicy"
  policy = data.aws_iam_policy_document.mypolicy.json
}

Expected Behavior

The expected IAM policy should be created via terraform apply, and then afterwards it shouldn't show any diffs in subsequent a terraform plan.

Actual Behavior

The expected IAM policy is created. But subsequent terraform plan's show a diff saying that the policy is going to be changed. Then a subsequent terraform apply will say that it has applied the change, but no actual changes happened and no new policy version was created. Then rinse/repeat with plan/apply over and over and the diff will continue to say the policy will change.

Steps to Reproduce

1. Use the HCL code pasted above.
2. Run an apply and see that the expected IAM policy is created.
3. Run a plan and see that the expected policy shows up in the diff saying that it will change.
4. Run an apply again
5. Look at the IAM policy versions in the AWS console and see that step 4 didn't change anything.
6. Every subsequent plan/apply will loop through these steps over and over starting from step 3.

If you set resources = ["*"] the perpetual diff will stop, but it would be nicer to not need to do that.

[jurgenweber]

same problem? https://discuss.hashicorp.com/t/data-aws-iam-policy-document-and-for-each-showing-changes-on-every-plan-and-nothing-on-apply/14606

[jurgenweber]

this now seems to be resolved in 0.13.4... maybe this? hashicorp/terraform#26375

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.