module.aft_lambda_layer.aws_iam_role.codebuild causes drift

[mathewmoon]

It looks like the assume_role_policy having the service principals not in alphabetical order causes drift. I believe that changing the order would fix this.

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.aft.module.aft_lambda_layer.aws_iam_role.codebuild has been changed
  ~ resource "aws_iam_role" "codebuild" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ Service = [
                              - "events.amazonaws.com",
                                "codebuild.amazonaws.com",
                              + "events.amazonaws.com",
                            ]
                        }
                        # (2 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        id                    = "python-layer-builder-aft-common-4vpk5j6o"
        name                  = "python-layer-builder-aft-common-4vpk5j6o"
        tags                  = {}
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

[balltrev]

Looking at the template for the trust policy on that codebuild resource, I do not see that it has ever been in the order you're seeing. Was there a chance the policy was modified out of band?

[mathewmoon]

No. It has only been touched by the TF module. Looking at the template they are in order. It appears for some reason that it gets saved to state differently.

[mathewmoon]

Looks like an issue with AWS not guaranteeing order in its API and not consistently sorting the data in the provider.

hashicorp/terraform-provider-aws#11801

hashicorp/terraform-provider-aws#22274

Nothing we can do in the module to fix this.

[balltrev]

Ah, I see. Thanks for diving into this.