[Bug]: aws_cognito_resource_server requires two runs of apply to update scope_identifiers attribute after first deploy #36253

Open
violet-hall opened this issue Mar 7, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. service/cognitoidp Issues and PRs that pertain to the cognitoidp service.

Comments

@violet-hall

Terraform Core Version

1.7.4

AWS Provider Version

5.39.1

Affected Resource(s)

aws_cognito_resource_server

Expected Behavior

When running terraform apply after adding new scopes, the "scope_identifiers" attribute should be updated to reflect the new scopes.

Actual Behavior

The "scope_identifiers" attribute only updates on a second run of terraform apply.

Relevant Error/Panic Output Snippet

Initial (Correct) run output on first create:
aws_cognito_user_pool.pool: Creating...
aws_cognito_user_pool.pool: Creation complete after 1s [id=eu-west-2_etlG8LKSY]
aws_cognito_resource_server.service_scopes: Creating...
aws_cognito_resource_server.service_scopes: Creation complete after 0s [id=eu-west-2_etlG8LKSY|test-cognito]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

scopes = tolist([
  "test-cognito/SAMPLE-SCOPE",
])




Apply with new scope added (incorrect):
aws_cognito_resource_server.service_scopes: Modifying... [id=eu-west-2_etlG8LKSY|test-cognito]
aws_cognito_resource_server.service_scopes: Modifications complete after 0s [id=eu-west-2_etlG8LKSY|test-cognito]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

scopes = tolist([
  "test-cognito/SAMPLE-SCOPE",
])



Apply again after not changing anything:
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

scopes = tolist([
  "test-cognito/MISSING-SCOPE",
  "test-cognito/SAMPLE-SCOPE",
])

Terraform Configuration Files

Sample repo: https://github.com/violet-hall/test-tf-cognito

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.39.1"
    }
  }
}

provider "aws" {
  region = "eu-west-2"
}

resource "aws_cognito_user_pool" "pool" {
  name = "test-pool"
}

resource "aws_cognito_resource_server" "service_scopes" {
  user_pool_id = aws_cognito_user_pool.pool.id
  identifier   = "test-cognito"
  name         = "test-cognito"

  scope {
    scope_name        = "SAMPLE-SCOPE"
    scope_description = "Scope 1"
  }
  #   scope {
  #     scope_name        = "MISSING-SCOPE"
  #     scope_description = "Scope 2"
  #   }
}

output "scopes" {
  value = aws_cognito_resource_server.service_scopes.scope_identifiers
}

Steps to Reproduce

  1. Copy config or clone repo
  2. terraform init
  3. terraform apply
  4. Check correct output
  5. Uncomment the second scope
  6. terraform apply
  7. See missing scope in output
  8. terraform apply
  9. See correct output

Debug Output

No response

Panic Output

No response

Important Factoids

Created the sample repo following the docs. Noting several previous issues about the correct way to add more than one scope.

Noting I don't know Go, so I will probably cause more problems than I solve if I attempt a fix.

References

No response

Would you like to implement a fix?

No

@violet-hall violet-hall added the bug Addresses a defect in current functionality. label Mar 7, 2024
@github-actions github-actions bot added the service/cognitoidp Issues and PRs that pertain to the cognitoidp service. label Mar 7, 2024
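A post-apply check for the stale state reported above, added here as an example and not part of the original issue or the provider's code: it walks `terraform show -json` style state and reports any `aws_cognito_resource_server` whose `scope_identifiers` lacks an `identifier/scope_name` entry for a configured `scope` block. The embedded state is constructed from the issue's configuration and output, and the function names are hypothetical.

```python
import json

# Constructed sample: trimmed `terraform show -json` style state as it would look
# after the first apply that added MISSING-SCOPE (the stale output in the issue).
SAMPLE_STATE = json.loads("""
{
  "format_version": "1.0",
  "values": {"root_module": {"resources": [
    {"address": "aws_cognito_resource_server.service_scopes",
     "type": "aws_cognito_resource_server",
     "values": {
       "identifier": "test-cognito",
       "scope": [
         {"scope_name": "SAMPLE-SCOPE", "scope_description": "Scope 1"},
         {"scope_name": "MISSING-SCOPE", "scope_description": "Scope 2"}],
       "scope_identifiers": ["test-cognito/SAMPLE-SCOPE"]}}
  ]}}
}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def stale_scope_identifiers(state):
    """Map resource address -> scopes configured but absent from scope_identifiers."""
    findings = {}
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_cognito_resource_server":
            continue
        vals = res.get("values", {})
        # Expected identifiers use the "<identifier>/<scope_name>" form seen in the output.
        expected = {f"{vals['identifier']}/{s['scope_name']}"
                    for s in vals.get("scope") or []}
        missing = expected - set(vals.get("scope_identifiers") or [])
        if missing:
            findings[res["address"]] = sorted(missing)
    return findings


if __name__ == "__main__":
    for address, missing in stale_scope_identifiers(SAMPLE_STATE).items():
        print(f"{address}: scope_identifiers is missing {missing}")
```

A non-empty result after an apply means anything reading `scope_identifiers` from that run saw the old list and a second apply is needed.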

github-actions bot commented Mar 7, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 7, 2024
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Mar 7, 2024