[Bug]: sns/topic objects have changed outside of Terraform

[YakDriver]

Terraform 1.3.7
AWS provider 4.50.0.

It seems it's still randomly happens. Not every time and seems like amount of diff decreased.

As I remember, before it was happening almost in 100% of runs and for every sns resource. Now for couple of them or so. For SNS it shows as usual changed order in policy.

Examples:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.sns.aws_sns_topic.this["topic1"] has changed
  ~ resource "aws_sns_topic" "this" {
...
      ~ policy                                   = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "SNS:GetTopicAttributes",
                          + "SNS:Subscribe",
                            "SNS:SetTopicAttributes",
                          - "SNS:AddPermission",
                            "SNS:RemovePermission",
                          - "SNS:DeleteTopic",
                          - "SNS:Subscribe",
                          - "SNS:ListSubscriptionsByTopic",
                          + "SNS:Receive",
                            "SNS:Publish",
                          + "SNS:ListSubscriptionsByTopic",
                          + "SNS:GetTopicAttributes",
                          + "SNS:DeleteTopic",
                          + "SNS:AddPermission",
                        ]
                        # (5 unchanged elements hidden)
                    },

References

• Perpetual diffs / Objects have changed outside of Terraform (v3.70.0+) #23288
• [Bug]: sqs/queue objects have changed outside of Terraform #28992
• Originally posted by @nantiferov in "Objects changed outside of Terraform" shown wrongly for various resources #19727 (comment)

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[nantiferov]

Hi @YakDriver

I managed to create test config which reproduces my issues. It's not ideal in terms of code quality, since it's based on some legacy code.

So the issue with drift reproduces in ~95% of cases and always related to previously changed state. I.e. if previous state change was to add SNS, in next plan we'll get for this SNS Objects have changed outside of Terraform related to policy. If SQS was changed, we get Objects have changed outside of Terraform for that SQS related to policy as well.

This is repository with test configuration https://github.com/nantiferov/test-sns-sqs
Its README.md describes how to reproduce issue in details.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[nantiferov]

Not stale