[Bug]: plan generation always causes aws_vpclattice_access_log_subscription replacement #31595

Closed
nicoaws opened this issue May 26, 2023 · 8 comments · Fixed by #32186
Labels
bug Addresses a defect in current functionality. service/vpclattice Issues and PRs that pertain to the vpclattice service.
nicoaws commented May 26, 2023

Terraform Core Version

1.4.5

AWS Provider Version

5.0.0

Affected Resource(s)

aws_vpclattice_access_log_subscription

Expected Behavior

If neither attribute changes, no resource update is necessary.

Actual Behavior

Every time a plan is generated, the resource is replaced.

Relevant Error/Panic Output Snippet

# aws_vpclattice_access_log_subscription.lattice_network_logging must be replaced
-/+ resource "aws_vpclattice_access_log_subscription" "lattice_network_logging" {
      ~ arn                 = "arn:aws:vpc-lattice:eu-west-1:xxxx:accesslogsubscription/als-0f588eca4cfd94727" -> (known after apply)
      ~ destination_arn     = "arn:aws:logs:eu-west-1:xxxx:log-group:/aws/vpclattice/service-network-logs:*" -> "arn:aws:logs:eu-west-1:xxxx:log-group:/aws/vpclattice/service-network-logs" # forces replacement
      ~ id                  = "als-0f588eca4cfd94727" -> (known after apply)
      ~ resource_arn        = "arn:aws:vpc-lattice:eu-west-1:xxxx:servicenetwork/sn-01ab350c3a8ae4281" -> (known after apply)
      - tags                = {} -> null
      ~ tags_all            = {} -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Terraform Configuration Files

resource "aws_vpclattice_service_network" "lattice_network" {
  name      = "lattice-service-network"
  auth_type = "NONE"
}

resource "aws_cloudwatch_log_group" "lattice_network_logs" {
  name = "/aws/vpclattice/service-network-logs"
}


resource "aws_vpclattice_access_log_subscription" "lattice_network_logging" {
  resource_identifier = aws_vpclattice_service_network.lattice_network.id
  destination_arn     = aws_cloudwatch_log_group.lattice_network_logs.arn
}

Steps to Reproduce

terraform apply --auto-approve

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

@nicoaws nicoaws added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels May 26, 2023
@github-actions github-actions bot added service/logs Issues and PRs that pertain to the logs service. service/vpc Issues and PRs that pertain to the vpc service. service/vpclattice Issues and PRs that pertain to the vpclattice service. labels May 26, 2023
@nicoaws nicoaws changed the title [Bug]: [Bug]: plan generation always causes aws_vpclattice_access_log_subscription replacement May 26, 2023
@ShathishWarmaS

Verify attribute changes: Double-check that none of the attributes for the aws_vpclattice_access_log_subscription resource have been modified. Ensure that the destination_arn and other relevant attributes remain the same.

Examine the log group and access log subscription: Check the AWS Management Console or use the AWS CLI to inspect the existing CloudWatch Log Group and the access log subscription associated with the VPC Lattice service network. Confirm that the log group and access log subscription are correctly set up and have the expected configurations.

Review dependencies: Check if there are any dependencies or relationships between the aws_vpclattice_access_log_subscription resource and other resources in your Terraform configuration. If any of these dependencies change or require replacement, it could impact the access log subscription.

Check for hidden changes: Ensure that there are no changes in the provider or any plugins being used by Terraform. It's possible that there might be a bug or unintended behavior in the provider that causes the resource replacement. Consider updating to the latest version of the provider to ensure you have the most recent bug fixes.

Verify Terraform state: Validate the integrity of your Terraform state file (terraform.tfstate) or remote state backend. There could be inconsistencies or incorrect information in the state that leads Terraform to believe the resource needs replacement. If necessary, you can use terraform state commands to inspect and manage the state directly.

@justinretzolk
Member

Hey @nicoaws 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply debug logs (redacted as needed) as well?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. service/logs Issues and PRs that pertain to the logs service. service/vpc Issues and PRs that pertain to the vpc service. labels May 26, 2023
@nicoaws
Author

nicoaws commented May 30, 2023

Please find the debug logs attached.
debug.log

@exoego
Contributor

exoego commented Jun 26, 2023

 ~ destination_arn     = "arn:aws:logs:eu-west-1:xxxx:log-group:/aws/vpclattice/service-network-logs:*" -> "arn:aws:logs:eu-west-1:xxxx:log-group:/aws/vpclattice/service-network-logs" # forces replacement

If I added :* at the tail of destination_arn, force-replacement did not happen on my end.

resource "aws_vpclattice_access_log_subscription" "lattice_network_logging" {
  resource_identifier = aws_vpclattice_service_network.lattice_network.id
  destination_arn     = "${aws_cloudwatch_log_group.lattice_network_logs.arn}:*"
}

The wildcard suffix in the arn of aws_cloudwatch_log_group is trimmed.
#14410

d.Set("arn", TrimLogGroupARNWildcardSuffix(aws.StringValue(lg.Arn)))
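
Added example (not part of the thread, and not code from the provider or from #32186): a Go check that reads `terraform show -json` plan output and lists resources planned for replacement whose `destination_arn` differs only by the trailing `:*` described above. The helper names, the `arn:aws:logs:` prefix test and the sample plan are assumptions made for this example; the sample is constructed from the ARNs shown in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// planJSON models only the `terraform show -json` fields this check reads.
type planJSON struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Change  struct {
			Actions []string               `json:"actions"`
			Before  map[string]interface{} `json:"before"`
			After   map[string]interface{} `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// sameLogGroupARN treats a log group ARN with and without ":*" as equal (partition "aws" assumed).
func sameLogGroupARN(a, b string) bool {
	return strings.HasPrefix(a, "arn:aws:logs:") && strings.TrimSuffix(a, ":*") == strings.TrimSuffix(b, ":*")
}

// spuriousReplacements returns the addresses of resources planned for
// replacement whose destination_arn changed only by the wildcard suffix.
func spuriousReplacements(raw []byte) ([]string, error) {
	var p planJSON
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var out []string
	for _, rc := range p.ResourceChanges {
		if len(rc.Change.Actions) != 2 { // a replacement is delete+create, in either order
			continue
		}
		before, _ := rc.Change.Before["destination_arn"].(string)
		after, _ := rc.Change.After["destination_arn"].(string)
		if before != after && sameLogGroupARN(before, after) {
			out = append(out, rc.Address)
		}
	}
	return out, nil
}

// samplePlan is constructed for this example from the plan output in the issue.
const samplePlan = `{"resource_changes":[{"address":"aws_vpclattice_access_log_subscription.lattice_network_logging","change":{"actions":["delete","create"],"before":{"destination_arn":"arn:aws:logs:eu-west-1:xxxx:log-group:/aws/vpclattice/service-network-logs:*"},"after":{"destination_arn":"arn:aws:logs:eu-west-1:xxxx:log-group:/aws/vpclattice/service-network-logs"}}}]}`

func main() { fmt.Println(spuriousReplacements([]byte(samplePlan))) }
```
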

@exoego
Contributor

exoego commented Jun 27, 2023

Opened #32186

@github-actions github-actions bot added this to the v5.10.0 milestone Jul 27, 2023
@github-actions

This functionality has been released in v5.10.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 27, 2023