### Terraform Version

```shell
Terraform v1.8.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.72.1
```

### Terraform Configuration Files

```terraform
data "aws_iam_policy_document" "authenticated" {
  statement {
    effect = "Allow"

    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }

    actions = ["sts:AssumeRoleWithWebIdentity"]

    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.this.id]
    }

    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}

resource "aws_iam_role" "authenticated" {
  name               = "${var.identity_pool_name}-iam-role"
  assume_role_policy = data.aws_iam_policy_document.authenticated.json
  tags               = var.tags
}
```

### Debug Output

```text
# aws_iam_role.authenticated will be updated in-place
  ~ resource "aws_iam_role" "authenticated" {
      ~ assume_role_policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithWebIdentity"
                      - Condition = {
                          - "ForAnyValue:StringLike" = {
                              - "cognito-identity.amazonaws.com:amr" = "authenticated"
                            }
                          - StringEquals = {
                              - "cognito-identity.amazonaws.com:aud" = "REDACTED-POOLID"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "cognito-identity.amazonaws.com"
                        }
                    },
                ]
              - Version = "2012-10-17"
            }
        ) -> (known after apply)
```

### Expected Behavior

The IAM assume role policy should not be updated after a successful apply/creation.

### Actual Behavior

The `assume_role_policy` is getting flipped back and forth, from apply to removal, on each successful run.

### Steps to Reproduce

Unable to supply due to sensitive IDs.

### Additional Context

Can confirm that removing the data block and supplying a "static" policy block/EOF for the `assume_role_policy` allows the resource to not be recreated/destroyed on each Terraform run. Additionally, the same output of the `terraform plan`/`apply` was occurring on our GitLab pipelines.
### References

#29716 appears to show similar behavior.
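The "static" policy workaround the reporter describes, written out as an added example (not code from the issue itself): the same trust statement built inline with `jsonencode()` instead of the `aws_iam_policy_document` data source. It assumes the same `aws_cognito_identity_pool.this` resource and the `var.identity_pool_name` / `var.tags` variables used in the reporter's configuration, and keeps both conditions, since dropping `aud` would let any Cognito identity pool assume the role and dropping `amr` would extend the trust to unauthenticated (guest) identities.

```terraform
resource "aws_iam_role" "authenticated" {
  name = "${var.identity_pool_name}-iam-role"

  # Static trust policy built with jsonencode() rather than the
  # aws_iam_policy_document data source (the workaround the reporter
  # says stops the perpetual diff). Both Condition keys are kept:
  # "aud" restricts the trust to this identity pool only, and
  # "amr" restricts it to authenticated identities only.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = "cognito-identity.amazonaws.com"
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.this.id
          }
          "ForAnyValue:StringLike" = {
            "cognito-identity.amazonaws.com:amr" = "authenticated"
          }
        }
      }
    ]
  })

  tags = var.tags
}
```

After a successful apply, a second `terraform plan` should report no changes to `assume_role_policy`; it is also worth confirming with `aws iam get-role` that the trust policy actually attached to the role still carries both conditions.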