[Bug]: aws_cloudtrail sns_topic_name always shows changes

[a-jackson]

Terraform Core Version

1.10.5

AWS Provider Version

5.85.0

Affected Resource(s)

• aws_cloudtrail

Expected Behavior

Should not have any changes

Actual Behavior

Plan now showing changes required every single time on sns_topic_name. We are setting it to an ARN and the state is now saving it as the name only. We must use the ARN as it is in a different region so just name would not work. The plan shows a change from name -> arn every single time.
I think this relates to #41168

 # aws_cloudtrail.this will be updated in-place
  ~ resource "aws_cloudtrail" "this" {
        id                            = "arn:aws:cloudtrail:eu-west-2:redacted:trail/trail"
        name                          = "trail"
      ~ s3_bucket_name                = "relaxing-escargot" -> (known after apply)
      ~ sns_topic_name                = "cloudtrail" -> "arn:aws:sns:eu-west-3:redacted:cloudtrail"
        tags                          = {}
        # (13 unchanged attributes hidden)
    }

Relevant Error/Panic Output Snippet

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.85"
    }
  }
}

provider "aws" {
  region = "eu-west-3"
  alias  = "paris"
}

provider "aws" {
  region = "eu-west-2"
  alias  = "london"
}

resource "random_pet" "bucket" {
}

resource "aws_sns_topic" "this" {
  provider = aws.paris

  name = "cloudtrail"
}

resource "aws_sns_topic_policy" "this" {
  provider = aws.paris

  arn    = aws_sns_topic.this.arn
  policy = data.aws_iam_policy_document.topic_policy.json
}

data "aws_iam_policy_document" "topic_policy" {
  statement {
    effect = "Allow"
    principals {
      identifiers = ["cloudtrail.amazonaws.com"]
      type        = "Service"
    }
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.this.arn]
  }
}

resource "aws_s3_bucket" "this" {
  provider = aws.london

  bucket = random_pet.bucket.id
}

resource "aws_s3_bucket_policy" "this" {
  provider = aws.london

  bucket = aws_s3_bucket.this.bucket
  policy = data.aws_iam_policy_document.bucket_policy.json
}

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions   = ["s3:GetBucketAcl", "s3:PutObject"]
    resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
  }
}

resource "aws_cloudtrail" "this" {
  provider = aws.london

  name           = "trail"
  s3_bucket_name = aws_s3_bucket.this.bucket
  sns_topic_name = aws_sns_topic.this.arn

  depends_on = [aws_sns_topic_policy.this, aws_s3_bucket_policy.this]
}

Steps to Reproduce

1. Apply the above configuration.
2. Run a plan and it will show sns_topic_name changing

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Confirmed this doesn't occur in 5.84.0

[acwwat]

Confirmed that it's caused by my recent change with #41168.

The problem is that both the user guide and API documentation suggest that SNS topic name is just the name. There's no mention about an SNS topic from a different region or account.

Rather than rolling back the change completely, let me see if it makes sense to compare SnsTopicArn from reading the resource to see if region and account ID are the same. If so, set SnsTopicName to just the name, otherwise set it to the ARN.

[acwwat]

AWS support case opened to seek clarification of the behavior for SnsTopicName and request to have documentation updated to reflect the behavior.

[a-jackson]

I tested just using the name but AWS throws an error because it cannot find the topic as it is in a different region so we need to pass an ARN.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.