DXE-3614 Changing granted_roles in an IAM role generates a much larger diff than needed #525

Open
landrew57 opened this issue Feb 19, 2024 · 2 comments

Comments

@landrew57

Terraform Version

1.7.3

Affected Resource(s)

  • akamai_iam_role

Terraform Configuration Files

locals {
  # Copy of Viewer Plus API has been duplicated by Akamai for some reason
  # We don't seem to use this so we'll ignore this grantable role for now
  role_name_to_id = { for role in data.akamai_iam_grantable_roles.this.grantable_roles : role.name => role.granted_role_id if role.name != "Copy of Viewer Plus API" }
  granted_roles = [
    "API Gateway Viewer",
    "API Prioritization Cloudlet Viewer",
    "Access Account IP ACL - View ONLY",
    "Adaptive Acceleration - View only",
    "Fast DNS - View only",
    "Firewall Rules Notification - View",
    "Forward Rewrite Cloudlet Viewer",
    "FrontEndOptimization - View Only",
    "IDM: API Clients - User Access"
  ]
}

resource "akamai_iam_role" "this" {
  name          = "test-role"
  description   = "Testing some things out on terraform"
  granted_roles = [for role in local.granted_roles : local.role_name_to_id[role]]
  type          = "custom"
}

data "akamai_iam_grantable_roles" "this" {}

terraform {
  required_providers {
    akamai = {
      source  = "akamai/akamai"
      version = "5.5.0"
    }
  }
}

output "roles" {
  description = "test"
  value = [for role in data.akamai_iam_grantable_roles.this.grantable_roles : role.name if contains(akamai_iam_role.this.granted_roles, role.granted_role_id)]
}

provider "akamai" {
  # Configuration options
}

Debug Output

https://gist.github.com/landrew57/081c6c5113e7ff74463566f1f030cb6b

Expected Behavior

Changing one entry in the list of granted_roles should generate just one change in the terraform plan output.

Actual Behavior

Lots of changes are shown:

  # akamai_iam_role.this will be updated in-place
  ~ resource "akamai_iam_role" "this" {
      ~ granted_roles = [
          - 81601,
          - 83891,
          - 95380,
            109223,
          - 75563,
            88029,
          - 96541,
          - 86527,
          + 83891,
          + 95380,
          + 81601,
            1231,
          + 86527,
          + 75563,
          + 96535,
        ]
        id            = "135091"
        name          = "test-role"
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Changes to Outputs:
  ~ roles = [
        # (7 unchanged elements hidden)
        "FrontEndOptimization - View Only",
      - "IDM: API Clients - User Access",
      + "IDM: API Clients - Admin Access",
    ]

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. change the 'IDM: API Clients - User Access' to 'IDM: API Clients - Admin Access'
  3. terraform plan

Important Factoids

N/A

References

  • It seems like the granted_roles was changed from TypeSet to TypeList in cf6606c. The DiffSuppressFunc that was added is not behaving as I would expect in this case

@mstojanowski changed the title from "Changing granted_roles in an IAM role generates a much larger diff than needed" to "DXE-3614 Changing granted_roles in an IAM role generates a much larger diff than needed" on Feb 21, 2024

@mstojanowski

@landrew57

Thank you for raising this issue. We are investigating a potential solution.

Regards,
Marcin

@landrew57

@mstojanowski do you know if there has been any progress made on the potential solution?
