Labels
bug: Addresses a defect in current functionality.
service/iam: Issues and PRs that pertain to the iam service.
service/sagemaker: Issues and PRs that pertain to the sagemaker service.
service/vpc: Issues and PRs that pertain to the vpc service.
Description
Terraform Core Version
1.3.6
AWS Provider Version
5.81.0
Affected Resource(s)
aws_sagemaker_domain
Expected Behavior
Updating the domain security group should not create a new resource. It can be updated from the AWS Console, the AWS CLI and CloudFormation without replacing the existing domain.
Actual Behavior
A change to the domain_settings security_group_ids forces a replacement of the domain.
Relevant Error/Panic Output Snippet
```
domain_settings {
    security_group_ids : [Forces replacement
        "sg-xxxxxxxxxxxx" -> Known after apply
    ] -> Known after apply
```
Terraform Configuration Files
```hcl
# aws_vpc.example and aws_subnet.example are assumed to be defined elsewhere.

resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic and all outbound traffic"
  vpc_id      = aws_vpc.example.id # same VPC as the SageMaker domain

  tags = {
    Name = "allow_tls"
  }
}

# Inbound: HTTPS from inside the VPC only.
resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv4         = aws_vpc.example.cidr_block
  from_port         = 443
  ip_protocol       = "tcp"
  to_port           = 443
}

# Outbound: all protocols and ports to any IPv4 destination.
resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_sagemaker_domain" "example" {
  domain_name = "example"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.example.id
  subnet_ids  = [aws_subnet.example.id]

  default_user_settings {
    execution_role = aws_iam_role.example.arn
  }

  domain_settings {
    # Changing this list is what the plan reports as forcing replacement.
    security_group_ids = [aws_security_group.allow_tls.id]
  }
}

resource "aws_iam_role" "example" {
  name               = "example"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.example.json
}

# Trust policy: lets the SageMaker service assume the execution role.
data "aws_iam_policy_document" "example" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}
```
Steps to Reproduce
After creating the domain, try and change the domain_settings security group to a new value and update.
It will tell you the domain will have to be recreated because of the change of security group.
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_domain
Would you like to implement a fix?
None