
Changes in every plan/apply #27

Closed
bsramin opened this issue Apr 24, 2023 · 6 comments
Labels
bug 🐛 Something isn't working.

Comments

@bsramin

bsramin commented Apr 24, 2023

Hi,
I just added this simple module in my project

module "oidc-github" {
  source                  = "unfunco/oidc-github/aws"
  version                 = "1.3.1"
  attach_admin_policy     = true
  attach_read_only_policy = false
  github_repositories     = ["ORG/*"]
  iam_role_name           = "GithubAssumeRole"
}

With the name of my organization instead of ORG.

It's ok, but every time I launch plan & apply I have this:

Plan: 1 to add, 1 to change, 1 to destroy.

Terraform will perform the following actions:

  # module.github_openid_connect.module.oidc-github.data.aws_iam_policy_document.assume_role[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "assume_role" {
      + id      = (known after apply)
      + json    = (known after apply)
      + version = "2012-10-17"

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = "token.actions.githubusercontent.com:aud"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "repo:ORG/*:*",
                ]
              + variable = "token.actions.githubusercontent.com:sub"
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.github_openid_connect.module.oidc-github.aws_iam_openid_connect_provider.github[0] must be replaced
-/+ resource "aws_iam_openid_connect_provider" "github" {
      ~ arn             = "arn:aws:iam::XXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
      ~ client_id_list  = [ # forces replacement
          - "sts.amazonaws.com",
            "https://github.com/ORG",
          + "sts.amazonaws.com",
        ]
      ~ id              = "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
        tags            = {
            "BuildBy"     = "ORG/Terraform"
            "Environment" = "sbx"
            "Project"     = "ORG"
        }
      ~ url             = "token.actions.githubusercontent.com" -> "https://token.actions.githubusercontent.com"
        # (2 unchanged attributes hidden)
    }

  # module.github_openid_connect.module.oidc-github.aws_iam_role.github[0] will be updated in-place
  ~ resource "aws_iam_role" "github" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithWebIdentity"
                      - Condition = {
                          - StringEquals = {
                              - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                            }
                          - StringLike   = {
                              - "token.actions.githubusercontent.com:sub" = "repo:ORG/*:*"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "GithubAssumeRole"
        name                  = "GithubAssumeRole"
        tags                  = {
            "BuildBy"     = "ORG/Terraform"
            "Environment" = "sbx"
            "Project"     = "ORG"
        }
        # (9 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Why? Where do you think I'm wrong?
Thanks
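Reading the plan above, the OIDC provider is destroyed and recreated only because `client_id_list` comes back in a different order, and since the role's trust policy embeds the provider ARN, `assume_role_policy` is then rewritten to a value known only after apply. A check I would run on `terraform show -json tfplan` output before applying, as an added example that is not from the issue or the unfunco/oidc-github module: it flags every replacement of `aws_iam_openid_connect_provider` and tells an order-only diff on a set-typed attribute apart from a real one. The plan documents are constructed to mirror the pasted plan (account id and org are placeholders) and assume the `replace_paths` field of the JSON plan format.

```python
"""Flag OIDC-provider replacements in a Terraform JSON plan and separate
spurious set-reordering diffs from real changes. Added example; the plan
documents below are constructed, not real `terraform show -json` output."""
import json

# Attributes the AWS provider treats as sets: element order carries no
# meaning, so a before/after that differs only in order is noise.
SET_ATTRIBUTES = {
    "aws_iam_openid_connect_provider": {"client_id_list", "thumbprint_list"},
}


def make_plan(before_ids: list[str], after_ids: list[str]) -> str:
    """Build a minimal constructed plan document with one forced replacement."""
    return json.dumps({
        "format_version": "1.1",
        "resource_changes": [{
            "address": "module.oidc-github.aws_iam_openid_connect_provider.github[0]",
            "type": "aws_iam_openid_connect_provider",
            "change": {
                "actions": ["delete", "create"],
                "before": {"client_id_list": before_ids,
                           "url": "token.actions.githubusercontent.com"},
                "after": {"client_id_list": after_ids,
                          "url": "https://token.actions.githubusercontent.com"},
                "replace_paths": [["client_id_list"]],   # attribute forcing -/+
            },
        }],
    })


# Same two audiences, reordered (the shape seen in the issue) vs. a new audience.
SPURIOUS_PLAN = make_plan(["sts.amazonaws.com", "https://github.com/ORG"],
                          ["https://github.com/ORG", "sts.amazonaws.com"])
REAL_PLAN = make_plan(["sts.amazonaws.com"],
                      ["sts.amazonaws.com", "https://github.com/OTHER-ORG"])


def replacement_findings(plan_json: str) -> list[dict]:
    """One finding per resource the plan destroys and recreates, naming the
    attribute that forces it and whether the diff is order-only ("spurious")."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if not {"delete", "create"} <= set(change["actions"]):
            continue  # in-place update, pure create or pure destroy
        before, after = change.get("before") or {}, change.get("after") or {}
        set_attrs = SET_ATTRIBUTES.get(rc["type"], set())
        for path in change.get("replace_paths", []):
            attr = path[0]
            b, a = before.get(attr), after.get(attr)
            spurious = (attr in set_attrs and isinstance(b, list)
                        and isinstance(a, list) and sorted(b) == sorted(a))
            findings.append({"address": rc["address"], "attribute": attr,
                             "spurious": spurious})
    return findings
```

A spurious finding points at the provider bug discussed below rather than at the configuration; a real finding is a trust-anchor change that deserves review before apply.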
@unfunco unfunco added the bug 🐛 Something isn't working. label Apr 27, 2023
@unfunco
Owner

unfunco commented Apr 27, 2023

Hello @bsramin, from the plan it looks as if the changes are caused by the client_id_list property in the aws_iam_openid_connect_provider resource being reordered. I've tried replicating the issue, including using the asterisk for all repositories, but my plan/apply says:

No changes. Your infrastructure matches the configuration.

I'll continue to try and replicate unless you've already resolved the issue.

@bsramin
Author

bsramin commented Apr 27, 2023

Reorders them alphabetically?

@bsramin
Author

bsramin commented Apr 27, 2023

I'm doing several tests, including destroying and recreating the state, but it remains.
[screenshot]

@unfunco
Owner

unfunco commented Apr 27, 2023

I think it's related to this: hashicorp/terraform-provider-aws#29868

@unfunco
Owner

unfunco commented May 15, 2023

This can be resolved by upgrading the provider version to 4.67.0+.

@unfunco unfunco closed this as completed May 15, 2023
@bsramin
Author

bsramin commented May 16, 2023

Fixed, yes.
Thanks
