Terraform-provider-aws: Error when updating aws_ssm_document resource name when name is being referenced in an aws_ssm_association resource.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11

• provider.aws v1.56.0

Affected Resource(s)

• aws_ssm_document
• aws_ssm_association

Terraform Configuration Files

Initial Configuration

provider "aws" {
  region = "us-east-2"
}

resource "aws_ssm_document" "my_test_ssm_doc" {
  name            = "My_Test_SSM_Doc_11111"
  document_type   = "Command"
  document_format = "JSON"
  content         = "${file("mydoc.json")}"
}

resource "aws_ssm_association" "my_test_ssm_assoc" {
  name                = "${aws_ssm_document.my_test_ssm_doc.name}"
  schedule_expression = "rate(1 day)"

  targets {
    key    = "InstanceIds"
    values = ["i-0f460c650dc13674d"]
  }

  depends_on = ["aws_ssm_document.my_test_ssm_doc"]
}

Updated Configuration

provider "aws" {
  region = "us-east-2"
}

resource "aws_ssm_document" "my_test_ssm_doc" {
  name            = "My_Test_SSM_Doc_22222"
  document_type   = "Command"
  document_format = "JSON"
  content         = "${file("mydoc.json")}"
}

resource "aws_ssm_association" "my_test_ssm_assoc" {
  name                = "${aws_ssm_document.my_test_ssm_doc.name}"
  schedule_expression = "rate(1 day)"

  targets {
    key    = "InstanceIds"
    values = ["i-0f460c650dc13674d"]
  }

  depends_on = ["aws_ssm_document.my_test_ssm_doc"]
}

Expected Behavior

Changing the name used for the aws_ssm_document resource should result into a resource replacement (destroy, add) as opposed to an update.

Actual Behavior

Plan

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ aws_ssm_association.my_test_ssm_assoc (new resource required)
      id:                  "6e3bb30f-3b69-4164-8545-02de400d1385" => <computed> (forces new resource)
      association_id:      "6e3bb30f-3b69-4164-8545-02de400d1385" => <computed>
      document_version:    "$DEFAULT" => <computed>
      name:                "My_Test_SSM_Doc_111111" => "My_Test_SSM_Doc_222222" (forces new resource)
      parameters.%:        "0" => <computed>
      schedule_expression: "rate(1 day)" => "rate(1 day)"
      targets.#:           "1" => "1"
      targets.0.key:       "InstanceIds" => "InstanceIds"
      targets.0.values.#:  "1" => "1"
      targets.0.values.0:  "i-0f460c650dc13674d" => "i-0f460c650dc13674d"

  ~ aws_ssm_document.my_test_ssm_doc
      name:                "My_Test_SSM_Doc_111111" => "My_Test_SSM_Doc_222222"


Plan: 1 to add, 1 to change, 1 to destroy.

Error on Apply

Error: Error applying plan:

1 error(s) occurred:

* aws_ssm_association.my_test_ssm_assoc: 1 error(s) occurred:

* aws_ssm_association.my_test_ssm_assoc: Error creating SSM association: InvalidDocument: Document with name My_Test_SSM_Doc_222222 does not exist.
    status code: 400, request id: b7828b79-711d-40bb-8b23-8bebf84e00c2

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

1. Execute terraform init, terraform plan, terraform apply on the configuration "Initial Configuration" above.
2. After a successful apply, update name for aws_ssm_document resource to a SSM document name that has not been previously used in the AWS account before (e.g. "Updated Configuration" above)
3. Execute terraform plan and apply. An error should result as described above. This only seems to occur when the aws_ssm_document name is updated to a name which has not been used before.
4. If another plan and apply is issued, without any changes, the update seems to succeed.
5. The error does not seem to occur if the name is updated to one which has been previously used.