Breaking change in "aws_ram_resource_share" introduced in 4.17.0

[mkielar]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

→ terraform -v
Terraform v1.1.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.17.0

Affected Resource(s)

• aws_ram_resource_share

Terraform Configuration Files

resource "aws_ram_resource_share" "tgw_eu_west_1" {
  name                      = local.transit_gateway_share_eu_west_1
  allow_external_principals = true
}

Debug Output

  # module.network_account_baseline.aws_ram_resource_share.tgw_eu_west_1 must be replaced
-/+ resource "aws_ram_resource_share" "tgw_eu_west_1" {
      ~ arn                       = "arn:aws:ram:eu-west-1:587499608690:resource-share/3d75100c-847f-4e2f-86d5-deb63cec3d2f" -> (known after apply)
      ~ id                        = "arn:aws:ram:eu-west-1:587499608690:resource-share/3d75100c-847f-4e2f-86d5-deb63cec3d2f" -> (known after apply)
        name                      = "network-nonprod-tgw-eu-west-1"
      - permission_arns           = [
          - "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway",
        ] -> null # forces replacement
      - tags                      = {} -> null
        # (2 unchanged attributes hidden)
    }

Panic Output

N/A

Expected Behavior

After introducing permission_arns attribute to aws_ram_resource_share, but still documenting it as "Optional" in the Docs, I would expect it will not attempt to clean the permission_arns that are set up by AWS by default, and specifically, I'd not expect the resource to be replaced. This broke a lot of things:

Actual Behavior

It replaced RAM Shares (in our case for Transit Gateway).
The problem is that new RAM Shares have the same name and tags as the old RAM Shared (and because of it they'are indistinguishable to the aws_ram_resource_share datasource (because the datasource does not allow filtering by status attribute).

Steps to Reproduce

1. Upgrade Terraform AWS Provider to 4.17.0
2. Run terraform apply

[mkielar]

Two more things:

1. I requested the possibility to filter by status in aws_ram_resource_share datasource: Allow "status" filtering in "aws_ram_resource_share" datasource. #25157, because we now have two identical RAM Shared (one deleted and one active) and the datasource is not capable of picking just the active one.
2. How in the world did this change not make it to the Release Notes?*

[github-actions]

This functionality has been released in v4.17.1 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.