[Bug]: Plan always tries to add AWS tags #30132

Open
tubular400 opened this issue Mar 20, 2023 · 8 comments
Labels
bug Addresses a defect in current functionality. service/sns Issues and PRs that pertain to the sns service. tags Pertains to resource tagging.

Comments

@tubular400

Terraform Core Version

1.2.8

AWS Provider Version

4.59.0

Affected Resource(s)

aws_sns_topic

Expected Behavior

Terraform should have said there were no changes.

Actual Behavior

Terraform presented a plan to add a new AWS tag to the aws_sns_topic resource. The tag's name was Environment and its value was "dev".

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

I've put a gist here. You can use it as follows:

wget https://gist.githubusercontent.com/tubular400/d2498b372f0eb38290142635acaaf896/raw/b4bc7b7797dc36650054db6f38e77ffdb83b7bc4/modules.tar.gz.uu
uudecode modules.tar.gz.uu

Steps to Reproduce

1. Expand the file module-plus.tar.gz which you obtained from the gist above. This will create a new directory called modules-plus.

2. Change to the modules-plus directory.

3. Give the following command:

terraform init

4. Give the following command:

terraform apply -no-color -var endpoint_email_address=example@example.com

Terraform will present a plan to create an SNS topic and an SNS subscription.

I've used example@example.com in testing, but feel free to use another address. Note that AWS will try to send a confirmation email to the address.

5. Accept Terraform's plan.

6. Wait until Terraform has carried out its plan.

7. Verify that the new SNS topic has a tag named Environment with the value "dev".

8. Repeat the command from step 4.

Terraform will then present a plan that looks like this:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.sns-topic.aws_sns_topic.this[0] will be updated in-place
  ~ resource "aws_sns_topic" "this" {
        id                                       = "arn:aws:sns:us-west-2:888888888888:testorg-dev-default-system-operations"
        name                                     = "testorg-dev-default-system-operations"
      ~ tags                                     = {
          + "Environment" = "dev"
            # (2 unchanged elements hidden)
        }
        # (14 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

This is wrong because you have already established (in the previous step) that the topic has the Environment tag.

However many times you run the command from step 4 and accept Terraform's plan, the next run of the command will ask you if you want to add the tag.

Debug Output

I made a debug log, but upon examining it, I became concerned that I might miss a sensitive item while redacting.

If you would really like a debug log, let me know and I'll consider posting one.

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

@tubular400 tubular400 added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Mar 20, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/sns Issues and PRs that pertain to the sns service. label Mar 20, 2023
@andreineculau

I experience the same, and it's not SNS specific. aws_ssm_parameter, aws_s3_bucket, aws_dynamodb_table, aws_iam_user, etc.

@HorizonNet
Contributor

Same here on aws_iam_user. It does not happen for every user, but for the ones who apply the same tag key-value pair as defined in the default_tags in the provider configuration. An example:

provider configuration

provider "aws" {
  region = "eu-central-1"

  default_tags {
    tags = {
      "custom:CostCenter" = "department-a"
    }
  }
}

user definition

resource "aws_iam_user" "users" {
  name          = "user1"
  force_destroy = var.force_destroy

  tags = {
    "custom:User"       = "user1@test.com"
    "custom:CostCenter" = "department-a"
  }
}

For users who define the custom:CostCenter tag different than "department-a" no changes are shown when creating the plan, only for the ones with the same value as in default_tags.
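
A check for the condition described in the comment above, as an added example that is not part of the thread or the provider's code: it lists resources whose literal tags repeat a provider default_tags key with the same value. The JSON layout it reads (configuration.provider_config, default_tags as a list of blocks, constant_value) is an assumption about `terraform show -json` output, and the sample plan, including aws_iam_user.other, is constructed.

```python
# Constructed sample: the subset of `terraform show -json <planfile>` this check
# reads, mirroring the provider and aws_iam_user blocks quoted above.
# aws_iam_user.other is a hypothetical second user with a different value.
SAMPLE_PLAN = {"configuration": {
    "provider_config": {"aws": {"name": "aws", "expressions": {
        "region": {"constant_value": "eu-central-1"},
        "default_tags": [{"tags": {"constant_value": {
            "custom:CostCenter": "department-a"}}}]}}},
    "root_module": {"resources": [
        {"address": "aws_iam_user.users", "type": "aws_iam_user",
         "expressions": {"tags": {"constant_value": {
             "custom:User": "user1@test.com",
             "custom:CostCenter": "department-a"}}}},
        {"address": "aws_iam_user.other", "type": "aws_iam_user",
         "expressions": {"tags": {"constant_value": {
             "custom:CostCenter": "department-b"}}}}]}}}


def _const(expr):
    """Literal value of a plan-JSON expression; None when it is computed."""
    return expr.get("constant_value") if isinstance(expr, dict) else None


def provider_default_tags(plan, provider_key="aws"):
    """Literal default_tags of one provider block (assumed layout, see lead-in)."""
    cfg = plan["configuration"]["provider_config"].get(provider_key, {})
    blocks = cfg.get("expressions", {}).get("default_tags", [])
    blocks = [blocks] if isinstance(blocks, dict) else blocks
    tags = {}
    for block in blocks:
        tags.update(_const(block.get("tags")) or {})
    return tags


def _walk(module, prefix=""):
    """Yield (full address, resource config) for a module and its children."""
    for res in module.get("resources", []):
        yield prefix + res["address"], res
    for name, call in module.get("module_calls", {}).items():
        yield from _walk(call.get("module", {}), f"{prefix}module.{name}.")


def duplicated_default_tags(plan, provider_key="aws"):
    """Map resource address -> tag keys repeating a default tag key AND value."""
    defaults = provider_default_tags(plan, provider_key)
    findings = {}
    for address, res in _walk(plan["configuration"]["root_module"]):
        tags = _const(res.get("expressions", {}).get("tags")) or {}
        same = sorted(k for k, v in tags.items() if k in defaults and defaults[k] == v)
        if same:
            findings[address] = same
    return findings
```

Tags built from variables or locals have no constant_value in the plan configuration and are skipped by this check.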

@devopsrick

This is this bug: #18311

@HorizonNet
Contributor

I saw this one before, but it did not completely match what I'm seeing (and what I think is the point of the initial description above). But I saw a comment in this issue that actually describes the behavior of the exact match. My expectation would be that default_tags of the provider and the tags on a resource are getting merged. Otherwise using default_tags becomes kind of pointless when relying on resource tagging heavily.

@justinretzolk justinretzolk added tags Pertains to resource tagging. and removed needs-triage Waiting for first response or review from a maintainer. labels May 3, 2023
@drorle

drorle commented Jan 11, 2024

This happened to me with aws_ec2_transit_gateway_vpc_attachment

@shadeven

shadeven commented May 7, 2024

Hello. Just wondering, is there any update on this issue? Thanks.

@jslovato

jslovato commented May 9, 2024

terraform version: 1.7.5
AWS provider version: 5.48.0

This happens to us with certain s3 objects, python scripts, glue job resources.
