
[Bug]: aws_backup_selection with two condition blocks override each other #38114

Open
GusAntoniassi opened this issue Jun 25, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. service/backup Issues and PRs that pertain to the backup service.

Comments

@GusAntoniassi

Terraform Core Version

1.3.7, 1.8.5

AWS Provider Version

5.55.0

Affected Resource(s)

  • aws_backup_selection

Expected Behavior

The configuration inside multiple condition blocks should be merged and applied to the resource.

If that is not possible, configuring multiple condition blocks should raise a Too many condition blocks error.

Actual Behavior

The resource is created only with the first condition block and becomes non-idempotent, since next applies will try to create the second condition block.

Terraform will perform the following actions:

  # aws_backup_selection.example must be replaced
-/+ resource "aws_backup_selection" "example" {
      ~ id            = "0cab121b-d568-4962-8549-1ea3717278d6" -> (known after apply)
        name          = "test-selection-reproduction"
      ~ not_resources = [] -> (known after apply)
        # (3 unchanged attributes hidden)

      + condition { # forces replacement
          + string_equals {
              + key   = "aws:ResourceTag/Service"
              + value = "foobar"
            }
        }

        # (1 unchanged block hidden)
    }

Verifying the resource with the AWS CLI shows that only the first condition block was applied:

{
    "BackupSelection": {
        "SelectionName": "test-selection-reproduction",
        "IamRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/tf_example_backup_role",
        "Resources": [
            "*"
        ],
        "ListOfTags": [],
        "NotResources": [],
        "Conditions": {
            "StringEquals": [
                {
                    "ConditionKey": "aws:ResourceTag/Environment",
                    "ConditionValue": "sandbox"
                }
            ],
            "StringNotEquals": [],
            "StringLike": [],
            "StringNotLike": []
        }
    },
    "SelectionId": "0cab121b-d568-4962-8549-1ea3717278d6",
    "BackupPlanId": "b8d18d58-1e7b-4043-8be8-060aa5b53560",
    "CreationDate": "2024-06-25T11:38:38.620000-03:00"
}

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

The main relevant configuration is this:

resource "aws_backup_selection" "example" {
  name         = "test-selection-reproduction"
  plan_id      = aws_backup_plan.example.id
  iam_role_arn = aws_iam_role.example.arn

  resources = ["*"]

  condition {
    string_equals {
      key   = "aws:ResourceTag/Environment"
      value = "sandbox"
    }
  }

  condition {
    string_equals {
      key   = "aws:ResourceTag/Service"
      value = "foobar"
    }
  }
}

The full Terraform configuration to reproduce the issue (includes dependencies) is as follows:

main.tf
# ------------------------------------------------------------------------------
# Backup Vault
# ------------------------------------------------------------------------------
resource "aws_backup_vault" "example" {
  name = "tf_example_backup_vault"
}

# ------------------------------------------------------------------------------
# Backup plan
# ------------------------------------------------------------------------------
resource "aws_backup_plan" "example" {
  name = "tf_example_backup_plan"

  rule {
    rule_name         = "tf_example_backup_rule"
    target_vault_name = aws_backup_vault.example.name
    schedule          = "cron(0 12 * * ? *)"

    lifecycle {
      delete_after = 14
    }
  }
}

# ------------------------------------------------------------------------------
# Backup IAM role
# ------------------------------------------------------------------------------
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}
resource "aws_iam_role" "example" {
  name               = "tf_example_backup_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_role_policy_attachment" "example" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  role       = aws_iam_role.example.name
}

# ------------------------------------------------------------------------------
# Backup selection
# ------------------------------------------------------------------------------
resource "aws_backup_selection" "example" {
  name         = "test-selection-reproduction"
  plan_id      = aws_backup_plan.example.id
  iam_role_arn = aws_iam_role.example.arn

  resources = ["*"]

  condition {
    string_equals {
      key   = "aws:ResourceTag/Environment"
      value = "sandbox"
    }
  }

  condition {
    string_equals {
      key   = "aws:ResourceTag/Service"
      value = "foobar"
    }
  }
}

output "plan_id" {
  value = aws_backup_plan.example.id
}

output "selection_id" {
  value = aws_backup_selection.example.id
}

Steps to Reproduce

  • Apply the configuration with terraform apply
  • Attempt to apply again and receive recreation notice

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
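An added check, not part of the report or of the provider, that a defender can run against the `aws backup get-backup-selection` output quoted above to catch a silently dropped condition: it flattens the `Conditions` map and compares it with the conditions the configuration intended. The JSON below is a constructed sample trimmed from the report's CLI output, and `condition_drift`, `applied_conditions` and `EXPECTED` are names assumed here.

```python
import json

# Constructed sample: the get-backup-selection response quoted in the report,
# trimmed to the fields this check reads.
SELECTION_JSON = """
{
  "BackupSelection": {
    "SelectionName": "test-selection-reproduction",
    "Resources": ["*"],
    "ListOfTags": [],
    "Conditions": {
      "StringEquals": [
        {"ConditionKey": "aws:ResourceTag/Environment", "ConditionValue": "sandbox"}
      ],
      "StringNotEquals": [],
      "StringLike": [],
      "StringNotLike": []
    }
  }
}
"""

# Intended conditions as (operator, key, value) triples, mirroring the two
# condition blocks in the reporter's Terraform configuration.
EXPECTED = {
    ("StringEquals", "aws:ResourceTag/Environment", "sandbox"),
    ("StringEquals", "aws:ResourceTag/Service", "foobar"),
}


def applied_conditions(selection_output):
    """Flatten the Conditions map of a get-backup-selection response into triples."""
    conditions = json.loads(selection_output)["BackupSelection"].get("Conditions", {})
    return {
        (operator, entry["ConditionKey"], entry["ConditionValue"])
        for operator, entries in conditions.items()
        for entry in entries
    }


def condition_drift(selection_output, expected):
    """Return (missing, unexpected): intended conditions AWS lacks, and vice versa."""
    applied = applied_conditions(selection_output)
    return sorted(set(expected) - applied), sorted(applied - set(expected))


if __name__ == "__main__":
    missing, unexpected = condition_drift(SELECTION_JSON, EXPECTED)
    # A missing condition widens the selection: fewer constraints now have to match.
    for operator, key, value in missing:
        print(f"MISSING    {operator} {key}={value}")
    for operator, key, value in unexpected:
        print(f"UNEXPECTED {operator} {key}={value}")
```

Running it against the report's output flags the `aws:ResourceTag/Service=foobar` condition as missing, which is the drift Terraform then tries to repair by replacing the resource on every apply.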

@GusAntoniassi GusAntoniassi added the bug Addresses a defect in current functionality. label Jun 25, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/backup Issues and PRs that pertain to the backup service. service/iam Issues and PRs that pertain to the iam service. labels Jun 25, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 25, 2024
@justinretzolk justinretzolk removed service/iam Issues and PRs that pertain to the iam service. needs-triage Waiting for first response or review from a maintainer. labels Jun 27, 2024