### Description
### Terraform and AWS Provider Version
```console
tofu --version
OpenTofu v1.11.1
on darwin_arm64
+ provider registry.opentofu.org/hashicorp/aws v5.99.0
+ provider registry.opentofu.org/hashicorp/awscc v1.66.0
[...]
```
### Affected Resource(s) or Data Source(s)
aws_networkmanager_core_network
### Expected Behavior
We added create_base_policy and base_policy_document to our existing aws_networkmanager_core_network (this change was made to the AWS-IA CloudWAN module: aws-ia/terraform-aws-cloudwan@7a7643c), and the change is visible in the plan output. We expect the apply to succeed (and not change anything on the core network, since it is already existing) or to see no change in the first place.
### Actual Behavior
However, the way the apply and state handling work looks a bit strange to us. If we apply the change, it will fail with the following error:
```console
Error: putting Network Manager Core Network (core-network-xxxxxxxxxxxxxxxxxx) policy: operation error NetworkManager'. PutCoreNetworkPolicy, https response error, StatusCode: 400, RequestID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, CoreNetworkPolicyException: Incorrect policy.
```
The next apply will succeed without any changes.
However, when we remove the `aws_networkmanager_core_network` from the state and re-import it, we will always see the change (and the error on applying again) on subsequent applies, even if it was applied before. For some reason, this change seems to be handled differently in the state than all the other resources.
### Relevant Error/Panic Output
```console
Error: putting Network Manager Core Network (core-network-xxxxxxxxxxxxxxxxxx) policy: operation error NetworkManager'. PutCoreNetworkPolicy, https response error, StatusCode: 400, RequestID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, CoreNetworkPolicyException: Incorrect policy.
```
### Sample Terraform Configuration
<details>
<summary>Click to expand configuration</summary>

```hcl
resource "aws_networkmanager_core_network" "core_network" {
  count = local.create_core_network ? 1 : 0

  description       = var.core_network.description
  global_network_id = local.create_global_network ? aws_networkmanager_global_network.global_network[0].id : var.global_network_id

  create_base_policy = true
  base_policy_document = jsonencode({
    for k, v in jsondecode(var.core_network.policy_document) : k => v
    if k == "version" || k == "core-network-configuration" || k == "segments"
  })

  tags = merge(
    module.tags.tags_aws,
    module.core_network_tags.tags_aws
  )
}
```

(this is from https://github.com/aws-ia/terraform-aws-cloudwan/blob/main/main.tf)
</details>
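The derivation of `base_policy_document` above keeps only three top-level keys of the full policy. As an added example (not code from the issue or from the aws-ia module), here is the same filter in Python together with a canonical comparison, which is the check to run when a plan keeps showing a change on the policy document: it tells a formatting-only difference (key order, whitespace) apart from a real content difference. The policy contents and the "stored" copy are constructed stand-ins.

```python
import json

# The three top-level keys the module's for-expression keeps when it derives
# base_policy_document from the full policy_document.
BASE_POLICY_KEYS = ("version", "core-network-configuration", "segments")

# Constructed sample Cloud WAN policy document (stand-in for var.core_network.policy_document).
FULL_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-64555"],
        "edge-locations": [{"location": "us-east-1"}, {"location": "eu-west-1"}],
    },
    "segments": [{"name": "prod"}, {"name": "shared"}],
    "segment-actions": [
        {"action": "share", "mode": "attachment-route", "segment": "shared", "share-with": "*"}
    ],
    "attachment-policies": [
        {"rule-number": 100, "conditions": [{"type": "tag-exists", "key": "env"}],
         "action": {"association-method": "tag", "tag-value-of-key": "env"}}
    ],
}


def derive_base_policy(full_policy: dict) -> dict:
    """Same filter as the HCL comprehension: keep only version, core-network-configuration, segments."""
    return {k: v for k, v in full_policy.items() if k in BASE_POLICY_KEYS}


def missing_base_keys(base_policy: dict) -> list:
    """Keys from BASE_POLICY_KEYS that the input lacks, so an incomplete base policy is caught before apply."""
    return [k for k in BASE_POLICY_KEYS if k not in base_policy]


def canonical(doc) -> str:
    """Stable serialization (sorted keys, no whitespace) so only content differences remain."""
    doc = json.loads(doc) if isinstance(doc, str) else doc
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def same_policy(a, b) -> bool:
    """True when two documents (dicts or JSON strings) differ at most in key order or formatting."""
    return canonical(a) == canonical(b)


# Constructed stand-in for the pretty-printed copy a state file might hold.
STORED_BASE_POLICY = json.dumps(derive_base_policy(FULL_POLICY), indent=2)
```

If `same_policy` reports the stored and derived documents as equal but the plan still shows a change, the diff is not in the document's content.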
### Steps to Reproduce
1. Create an `aws_networkmanager_core_network` and apply.
2. Add `create_base_policy` and `base_policy_document` to the `aws_networkmanager_core_network` and apply again (this will fail).
Alternatively:
1. Create an `aws_networkmanager_core_network` with `create_base_policy` and `base_policy_document` and apply.
2. Plan to ensure that no changes are applied.
3. Run the `state rm` command and re-import the `aws_networkmanager_core_network`.
4. You will see the same changes and error as in the first version when you apply.
### Debug Logging
<details open>
<summary>Click to expand log output</summary>

```console
n/a
```

</details>
### GenAI / LLM Assisted Development
n/a
### Important Facts and References
No response
### Would you like to implement a fix?
No