
Conversation


@icco icco commented Oct 11, 2025

Rollback Plan

Not needed.

Changes to Security Controls

No

Description

This is a rebase of #36985.

Description
This changes the aws_guardduty_detector_feature additional_configuration type from a list to a set. This is so that the order of the additional configurations does not matter. Before pushing this fix, if you didn't provide the additional_configurations in the order the AWS API returns them, there would be a force replace on every terraform apply.

I added an additional acceptance test to confirm that the ordering of the additional_configurations doesn't matter and that an empty plan is returned no matter the order.

Relations

Closes #36400
Closes #36695
Closes #36985

References

Output from Acceptance Testing

% make testacc TESTS=TestAccXXX PKG=ec2

...

@icco icco requested a review from a team as a code owner October 11, 2025 19:44
@github-actions

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/guardduty Issues and PRs that pertain to the guardduty service. size/M Managed by automation to categorize the size of a PR. partner Contribution from a partner. labels Oct 11, 2025
YakDriver previously approved these changes Oct 23, 2025

@YakDriver YakDriver left a comment

LGTM 🎉

--- PASS: TestAccGuardDuty_serial (102.90s)
    --- PASS: TestAccGuardDuty_serial/DetectorFeature (102.90s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/basic (14.67s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/additional_configuration (32.79s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/additional_configuration_order (19.76s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/multiple (35.67s)

@YakDriver

@icco Thanks for the rebase!

@joelmccoy Thanks for your contribution!

@github-actions github-actions bot added the size/L Managed by automation to categorize the size of a PR. label Oct 23, 2025
Schema: map[string]*schema.Schema{
    "additional_configuration": {
        Optional: true,
        ForceNew: true,

@YakDriver YakDriver left a comment
It may show in the plan, but ForceNew has no effect since Delete is NoOp.


@YakDriver YakDriver left a comment

It's an interesting resource. ForceNew makes little difference (Delete is no-op). Ignoring the order is the key.

--- PASS: TestAccGuardDuty_serial (136.40s)
    --- PASS: TestAccGuardDuty_serial/DetectorFeature (136.40s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/additional_configuration (34.22s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/additional_configuration_new_order (19.74s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/additional_configuration_migrate_list_to_set (35.77s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/basic (11.72s)
        --- PASS: TestAccGuardDuty_serial/DetectorFeature/multiple (34.95s)

@YakDriver

YakDriver commented Oct 23, 2025

Findings for future travelers:

  1. ForceNew is irrelevant except it shows in plan. For aws_guardduty_feature, it does nothing since Delete is a no-op.
  2. Updates to additional_configuration are not possible with or without ForceNew (since Delete's a no-op). Based on my testing, for example, if you start with additional_configuration of EC2_AGENT_MANAGEMENT, you can’t remove it and you can’t add ECS_FARGATE_AGENT_MANAGEMENT or EKS_ADDON_MANAGEMENT. All you can do is change the status of those additional_configurations you added initially to ENABLED or DISABLED. You don't get update errors, but they don't take effect and cause perpetual diffs.
  3. Best practice would be to add all the additional_configuration blocks, setting those you don't need to DISABLED. Then they can be updated.
  4. Recreating the detector seems to be the only way to reset so that updates to additional_configuration take effect.
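As an added example (not from this PR or the provider's own test files), the pattern the findings above and the PR description point to: every additional_configuration block declared up front, the ones not yet needed set to DISABLED, listed in an order that need not match what the AWS API returns now that the attribute is a set. The aws_guardduty_detector resource, the feature name RUNTIME_MONITORING and the detector_id/name attributes are assumed from the provider's documented schema rather than taken from this page.

```hcl
# Assumed for illustration: a detector to attach the feature to.
resource "aws_guardduty_detector" "this" {
  enable = true
}

# Runtime Monitoring feature with every additional_configuration declared
# at creation time. Because additional_configuration is now a set, the
# order below does not have to match the API's order to get an empty plan.
# Declaring the unused agent-management blocks as DISABLED (finding 3)
# keeps them updatable later; a block omitted here cannot be added without
# recreating the detector (findings 2 and 4).
resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT"
    status = "DISABLED"
  }

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "DISABLED"
  }
}
```

Flipping one of the DISABLED blocks to ENABLED later is an in-place update that takes effect; adding a fourth block later would be accepted without error but would not take effect and would leave a perpetual diff, which is what finding 2 describes.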

@johnsonaj johnsonaj left a comment

LGTM 🚀

@YakDriver YakDriver merged commit bc58871 into hashicorp:main Oct 23, 2025
38 checks passed
@github-actions github-actions bot removed the needs-triage Waiting for first response or review from a maintainer. label Oct 23, 2025
@github-actions

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v6.18.0 milestone Oct 23, 2025
@github-actions

This functionality has been released in v6.18.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
