
[Bug]: Perpetual diff for aws_ssoadmin_permission_set_inline_policy inline_policy #28834

Open
YakDriver opened this issue Jan 11, 2023 · 2 comments
Labels
bug Addresses a defect in current functionality. service/ssoadmin Issues and PRs that pertain to the ssoadmin service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments


YakDriver commented Jan 11, 2023

Originally submitted as a comment on #23288 (comment) by @ad-m-ss.

Terraform Core Version

1.1.7

AWS Provider Version

4.7.0

Affected Resource(s)

  • aws_ssoadmin_permission_set_inline_policy

Expected Behavior

Create and refresh without changes / updates

Actual Behavior

Objects have changed outside of Terraform

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_ssoadmin_permission_set_inline_policy" "developer" {
  # The snippet as posted carried the composite "id" from state
  # ("<permission set ARN>,<instance ARN>"), which is not a configurable
  # argument; the resource takes the two halves separately.
  instance_arn       = "arn:aws:sso:::instance/ssoins-6684bd07964ad0f4"
  permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-6684bd07964ad0f4/ps-f7fa08c3ff7c1943"

  inline_policy = jsonencode({
    # Version and Effect were elided from the posted snippet (the plan
    # output shows them as "unchanged elements"); IAM requires both.
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "logs:StartQuery",
          "logs:FilterLogEvents",
        ]
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
      },
      {
        Effect = "Allow"
        Action = [
          "sns:List*",
          "sns:Get*",
        ]
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
      },
      {
        Effect = "Allow"
        Action = [
          "cloudwatch:List*",
          "cloudwatch:Get*",
          "cloudwatch:Describe*",
        ]
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
      },
      {
        Effect   = "Allow"
        Action   = "autoscaling:Describe*"
        Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
      },
      {
        Effect = "Allow"
        Action = [
          "logs:TestMetricFilter",
          "logs:StopQuery",
          "logs:List*",
          "logs:Get*",
          "logs:Describe*",
        ]
        Resource = "arn:aws:logs:us-east-2:672751098944:log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
        Sid      = ""
      },
      {
        Effect   = "Allow"
        Action   = "logs:GetQueryResults"
        Resource = "arn:aws:logs:*:*:log-group::log-stream:"
        Sid      = ""
      },
    ]
  })
}

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Debug Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_ssoadmin_permission_set_inline_policy.developer["1"] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "developer" {
        id                 = "arn:aws:sso:::permissionSet/ssoins-6684bd07964ad0f4/ps-f7fa08c3ff7c1943,arn:aws:sso:::instance/ssoins-6684bd07964ad0f4"
      ~ inline_policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                          - "logs:StartQuery",
                          - "logs:FilterLogEvents",
                          + "redshift:ViewQueriesFromConsole",
                          + "redshift:ListTables",
                          + "redshift:ListSchemas",
                          + "redshift:ListDatabases",
                          + "redshift:GetClusterCredentials",
                          + "redshift:FetchResults",
                          + "redshift:ExecuteQuery",
                          + "redshift:DescribeTable",
                          + "redshift:DescribeQuery",
                          + "redshift:DescribeClusters",
                          + "redshift:CancelQuery",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> "*"
                        # (2 unchanged elements hidden)
                    },
                  ~ {
                      ~ Action   = [
                          - "sns:List*",
                          - "sns:Get*",
                          + "redshift-data:ListTables",
                          + "redshift-data:ListSchemas",
                          + "redshift-data:ListDatabases",
                          + "redshift-data:ExecuteStatement",
                          + "redshift-data:DescribeTable",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> "*"
                        # (2 unchanged elements hidden)
                    },
                  ~ {
                      ~ Action   = [
                          - "cloudwatch:List*",
                          - "cloudwatch:Get*",
                          - "cloudwatch:Describe*",
                          + "redshift-data:ListStatements",
                          + "redshift-data:GetStatementResult",
                          + "redshift-data:DescribeStatement",
                          + "redshift-data:CancelStatement",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> "*"
                        # (2 unchanged elements hidden)
                    },
                  ~ {
                      ~ Action   = "autoscaling:Describe*" -> [
                          + "s3:ListMultipartUploadParts",
                          + "s3:ListBucketVersions",
                          + "s3:ListBucketMultipartUploads",
                          + "s3:ListBucket",
                          + "s3:GetReplicationConfiguration",
                          + "s3:GetObjectVersionTorrent",
                          + "s3:GetObjectVersionTagging",
                          + "s3:GetObjectVersionForReplication",
                          + "s3:GetObjectVersionAcl",
                          + "s3:GetObjectVersion",
                          + "s3:GetObjectTorrent",
                          + "s3:GetObjectTagging",
                          + "s3:GetObjectRetention",
                          + "s3:GetObjectLegalHold",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                          + "s3:GetMetricsConfiguration",
                          + "s3:GetLifecycleConfiguration",
                          + "s3:GetJobTagging",
                          + "s3:GetInventoryConfiguration",
                          + "s3:GetEncryptionConfiguration",
                          + "s3:GetBucketWebsite",
                          + "s3:GetBucketVersioning",
                          + "s3:GetBucketTagging",
                          + "s3:GetBucketRequestPayment",
                          + "s3:GetBucketPublicAccessBlock",
                          + "s3:GetBucketPolicyStatus",
                          + "s3:GetBucketPolicy",
                          + "s3:GetBucketOwnershipControls",
                          + "s3:GetBucketObjectLockConfiguration",
                          + "s3:GetBucketNotification",
                          + "s3:GetBucketLogging",
                          + "s3:GetBucketLocation",
                          + "s3:GetBucketCORS",
                          + "s3:GetBucketAcl",
                          + "s3:GetAnalyticsConfiguration",
                          + "s3:GetAccessPointPolicyStatus",
                          + "s3:GetAccessPointPolicy",
                          + "s3:GetAccelerateConfiguration",
                          + "s3:DescribeJob",
                        ]
                      ~ Resource = "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*" -> [
                          + "arn:aws:s3:::select-star-audit-log-test/*",
                          + "arn:aws:s3:::select-star-audit-log-test",
                        ]
                        # (2 unchanged elements hidden)
                    },
                  - {
                      - Action   = [
                          - "logs:TestMetricFilter",
                          - "logs:StopQuery",
                          - "logs:List*",
                          - "logs:Get*",
                          - "logs:Describe*",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:us-east-2:672751098944:log-group:/aws/rds/instance/postgres-test-data/postgresql:*"
                      - Sid      = ""
                    },
                  - {
                      - Action   = "logs:GetQueryResults"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:*:*:log-group::log-stream:"
                      - Sid      = ""
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Panic Output

No response

Important Factoids

No response

References

Would you like to implement a fix?

None
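The plan above shows the API returning a policy whose grants differ from the configuration, not merely a reformatted copy of it. This added example (not part of this issue or the provider's code) separates those two cases: it flattens a local policy document and the document read back from AWS into (Effect, Action, Resource, Condition) grants and reports which ones differ, so a perpetual diff can be triaged as cosmetic normalization or real drift. The two remote documents are constructed samples modelled on the plan output.

```python
import json

# Constructed sample: a trimmed copy of the inline_policy from this issue's configuration.
LOCAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:StartQuery", "logs:FilterLogEvents"],
         "Resource": "arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"},
        {"Effect": "Allow", "Action": "logs:GetQueryResults",
         "Resource": "arn:aws:logs:*:*:log-group::log-stream:"},
    ],
}

# Constructed sample standing in for what the API returned in the plan above:
# different grants (redshift on "*"), plus the key reordering and list-wrapping AWS applies.
DRIFTED_REMOTE = {
    "Statement": [
        {"Resource": ["*"], "Effect": "Allow", "Action": ["redshift:ListTables", "redshift:ExecuteQuery"]},
        {"Resource": ["arn:aws:logs:*:*:log-group::log-stream:"], "Effect": "Allow",
         "Action": ["logs:GetQueryResults"]},
    ],
    "Version": "2012-10-17",
}

# Constructed sample: the same grants as LOCAL_POLICY, only normalized (reordered, lists wrapped).
COSMETIC_REMOTE = {
    "Statement": [
        {"Resource": ["arn:aws:logs:*:*:log-group::log-stream:"], "Effect": "Allow", "Action": ["logs:GetQueryResults"]},
        {"Resource": ["arn:aws:logs:us-east-2::log-group:/aws/rds/instance/postgres-test-data/postgresql:*"],
         "Effect": "Allow", "Action": ["logs:FilterLogEvents", "logs:StartQuery"]},
    ],
    "Version": "2012-10-17",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants(policy):
    """Flatten a policy into a set of (Effect, Action, Resource, Condition) tuples so that
    key order, whitespace and scalar-vs-list differences no longer matter."""
    out = set()
    for stmt in _as_list(policy.get("Statement", [])):
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)  # keep conditions comparable
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                out.add((stmt["Effect"], action, resource, cond))
    return out

def diff_policies(local, remote):
    """Return (only_in_local, only_in_remote); both empty means the diff is formatting noise."""
    a, b = grants(local), grants(remote)
    return a - b, b - a

def classify(local, remote):
    missing, extra = diff_policies(local, remote)
    return "cosmetic" if not missing and not extra else "drift"
```

Run against real documents by loading the planned `inline_policy` and the `InlinePolicy` string returned by the SSO Admin API with `json.loads` and passing both to `classify`; a "drift" verdict is the signal to investigate what changed the permission set outside Terraform.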

@YakDriver YakDriver added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jan 11, 2023
@github-actions github-actions bot added service/ssoadmin Issues and PRs that pertain to the ssoadmin service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 11, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.


github-actions bot commented Jan 3, 2025

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jan 3, 2025