DXE-3614 Changing granted_roles in an IAM role generates a much larger diff than needed
landrew57 opened this issue
Terraform Version
1.7.3
Affected Resource(s)
akamai_iam_role
Terraform Configuration Files
locals {
  # Copy of Viewer Plus API has been duplicated by Akamai for some reason
  # We don't seem to use this so we'll ignore this grantable role for now
  role_name_to_id = { for role in data.akamai_iam_grantable_roles.this.grantable_roles : role.name => role.granted_role_id if role.name != "Copy of Viewer Plus API" }
  granted_roles = [
    "API Gateway Viewer",
    "API Prioritization Cloudlet Viewer",
    "Access Account IP ACL - View ONLY",
    "Adaptive Acceleration - View only",
    "Fast DNS - View only",
    "Firewall Rules Notification - View",
    "Forward Rewrite Cloudlet Viewer",
    "FrontEndOptimization - View Only",
    "IDM: API Clients - User Access"
  ]
}

resource "akamai_iam_role" "this" {
  name          = "test-role"
  description   = "Testing some things out on terraform"
  granted_roles = [for role in local.granted_roles : local.role_name_to_id[role]]
  type          = "custom"
}

data "akamai_iam_grantable_roles" "this" {}

terraform {
  required_providers {
    akamai = {
      source  = "akamai/akamai"
      version = "5.5.0"
    }
  }
}

output "roles" {
  description = "test"
  value       = [for role in data.akamai_iam_grantable_roles.this.grantable_roles : role.name if contains(akamai_iam_role.this.granted_roles, role.granted_role_id)]
}

provider "akamai" {
  # Configuration options
}
Debug Output
https://gist.github.com/landrew57/081c6c5113e7ff74463566f1f030cb6b
Expected Behavior
Changing one entry in the list of granted_roles should generate just one change in the terraform plan output.
Actual Behavior
Lots of changes are shown:
# akamai_iam_role.this will be updated in-place
~ resource "akamai_iam_role" "this" {
~ granted_roles = [
- 81601,
- 83891,
- 95380,
109223,
- 75563,
88029,
- 96541,
- 86527,
+ 83891,
+ 95380,
+ 81601,
1231,
+ 86527,
+ 75563,
+ 96535,
]
id = "135091"
name = "test-role"
# (2 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Changes to Outputs:
~ roles = [
# (7 unchanged elements hidden)
"FrontEndOptimization - View Only",
- "IDM: API Clients - User Access",
+ "IDM: API Clients - Admin Access",
]
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
- terraform apply
- change the 'IDM: API Clients - User Access' to 'IDM: API Clients - Admin Access'
- terraform plan
Important Factoids
N/A
References
- It seems like the granted_roles was changed from TypeSet to TypeList in cf6606c. The DiffSuppressFunc that was added is not behaving as I would expect in this case
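Added example, not part of the original issue and not the Akamai provider's code: a stand-alone Go program that compares the two granted_roles lists read off the plan output above, first by position (as an ordered list is compared) and then as sets. The function names positionalChanges and diffGrants are hypothetical; a reviewer checking an IAM change wants the set view, which isolates the one grant that actually changed.

```go
package main

import (
	"fmt"
	"sort"
)

// From the plan output above: old = "-" and unchanged lines in order, new = "+" and unchanged lines.
var oldRoles = []int{81601, 83891, 95380, 109223, 75563, 88029, 96541, 86527, 1231}
var newRoles = []int{109223, 88029, 83891, 95380, 81601, 1231, 86527, 75563, 96535}

// positionalChanges counts the indices an order-sensitive list comparison reports as different.
func positionalChanges(a, b []int) int {
	n := 0
	for i := 0; i < len(a) || i < len(b); i++ {
		if i >= len(a) || i >= len(b) || a[i] != b[i] {
			n++
		}
	}
	return n
}

// diffGrants (hypothetical helper) compares the lists as sets, ignoring order and duplicates.
func diffGrants(oldIDs, newIDs []int) (added, removed []int) {
	seen := map[int]int{} // bit 1: present in old list, bit 2: present in new list
	for _, id := range oldIDs {
		seen[id] |= 1
	}
	for _, id := range newIDs {
		seen[id] |= 2
	}
	for id, bits := range seen {
		switch bits {
		case 1:
			removed = append(removed, id)
		case 2:
			added = append(added, id)
		}
	}
	sort.Ints(added)
	sort.Ints(removed)
	return added, removed
}

func main() {
	added, removed := diffGrants(oldRoles, newRoles)
	fmt.Printf("by position: %d of %d entries differ\n", positionalChanges(oldRoles, newRoles), len(oldRoles))
	fmt.Printf("as sets: granted %v, revoked %v\n", added, removed)
}
```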
Thank you for raising this issue. We are investigating a potential solution.
Regards,
Marcin
@mstojanowski do you know if there has been any progress made on the potential solution?
Hi @landrew57, this issue should be fixed in recent release.