### Terraform Version ```shell Terraform v1.14.3 on linux_amd64 + provider registry.terraform.io/hashicorp/aws v6.28.0 ``` ### Terraform Configuration Files ```terraform provider "aws" { region = "us-west-2" } resource "aws_security_group" "rabbitmq" { name = "test-aws-security-group-rabbitmq" } # Note: The following assumes a Default VPC exists. resource "aws_mq_broker" "rabbitmq" { # for_each = {} for_each = { 0 = 0 } broker_name = "test-aws-mq-broker-rabbitmq" engine_type = "RabbitMQ" engine_version = "3.13" host_instance_type = "mq.m7g.medium" auto_minor_version_upgrade = true user { username = "rabbitmq-user" password = "helloworld123" } security_groups = [aws_security_group.rabbitmq.id] } ``` ### Debug Output See "Steps to Reproduce" below. ### Expected Behavior There should be some indication that the resource's block will be changed (even if it contains sensitive values). ### Actual Behavior The plan's diff does not indicate any sort of change to the resource's blocks (in this case the `aws_mq_broker` resource's `user` block). Instead it incorrectly displays: `# (4 unchanged blocks hidden)`, when there is in fact a changed block. ### Steps to Reproduce ```bash ### 1. Run first apply. # AWS_PROFILE=my-profile terraform apply # Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: # + create # # Terraform will perform the following actions: # # # aws_mq_broker.rabbitmq["0"] will be created # + resource "aws_mq_broker" "rabbitmq" { # + apply_immediately = false # + arn = (known after apply) # + authentication_strategy = (known after apply) # + auto_minor_version_upgrade = true # + broker_name = "test-aws-mq-broker-rabbitmq" # + data_replication_mode = (known after apply) # + deployment_mode = "SINGLE_INSTANCE" # + engine_type = "RabbitMQ" # + engine_version = "3.13" # + host_instance_type = "mq.m7g.medium" # + id = (known after apply) # + instances = (known after apply) # + pending_data_replication_mode = (known after apply) # + publicly_accessible = false # + region = "us-west-2" # + security_groups = (known after apply) # + storage_type = (known after apply) # + subnet_ids = (known after apply) # + tags_all = (known after apply) # # + configuration (known after apply) # # + maintenance_window_start_time (known after apply) # # + user { # # At least one attribute in this block is (or was) sensitive, # # so its contents will not be displayed. # } # } # # # aws_security_group.rabbitmq will be created # + resource "aws_security_group" "rabbitmq" { # + arn = (known after apply) # + description = "Managed by Terraform" # + egress = (known after apply) # + id = (known after apply) # + ingress = (known after apply) # + name = "test-aws-security-group-rabbitmq" # + name_prefix = (known after apply) # + owner_id = (known after apply) # + region = "us-west-2" # + revoke_rules_on_delete = false # + tags_all = (known after apply) # + vpc_id = (known after apply) # } # # Plan: 2 to add, 0 to change, 0 to destroy. # # Do you want to perform these actions? # Terraform will perform the actions described above. # Only 'yes' will be accepted to approve. # # Enter a value: yes # # aws_security_group.rabbitmq: Creating... # aws_security_group.rabbitmq: Creation complete after 3s [id=sg-009b3864fafe31b10] # aws_mq_broker.rabbitmq["0"]: Creating... # aws_mq_broker.rabbitmq["0"]: Still creating... [00m10s elapsed] # ...Wait 10 minutes for the MQ to deploy... # aws_mq_broker.rabbitmq["0"]: Still creating... [09m10s elapsed] # aws_mq_broker.rabbitmq["0"]: Creation complete after 9m13s [id=b-9670ac1c-e8e7-4c74-8a1b-4d5c4cf37212] # # Apply complete! Resources: 2 added, 0 changed, 0 destroyed. ### 2. Run plan after initial apply. # AWS_PROFILE=my-profile terraform plan # aws_security_group.rabbitmq: Refreshing state... [id=sg-009b3864fafe31b10] # aws_mq_broker.rabbitmq["0"]: Refreshing state... [id=b-9670ac1c-e8e7-4c74-8a1b-4d5c4cf37212] # # Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: # ~ update in-place # # Terraform will perform the following actions: # # # aws_mq_broker.rabbitmq["0"] will be updated in-place # ~ resource "aws_mq_broker" "rabbitmq" { ############################# DOES NOT SHOW WHAT CHANGED ########################### # id = "b-9670ac1c-e8e7-4c74-8a1b-4d5c4cf37212" # tags = {} # # (18 unchanged attributes hidden) # # # (4 unchanged blocks hidden) ############################# `user` block has changed, follow steps below to see diff ########################### # } # # Plan: 0 to add, 1 to change, 0 to destroy. ### 3. Generate plan tfplan.json # AWS_PROFILE=my-profile terraform plan -out tfplan AWS_PROFILE=my-profile terraform show -json tfplan | jq -r >tfplan.json # Verify number of changed resources (there should be only the aws_mq_broker). cat tfplan.json | jq -r '[.resource_changes | .[] | select(.change.actions[] | contains("update"))] | length' # Capture the planned changes in it's own file. cat tfplan.json | jq -r '.resource_changes | .[] | select(.change.actions[] | contains("update"))' >tfplan-mq-updated.json ### 4. View the hidden block's changes: # # Diff the non-sensitive changes (should be no changes here). diff -u <(cat tfplan-mq-updated.json | jq -r '.change.before') <(cat tfplan-mq-updated.json | jq -r '.change.after') # Diff the sensitive changes (user block has changed). diff -u <(cat tfplan-mq-updated.json | jq -r '.change.before_sensitive') <(cat tfplan-mq-updated.json | jq -r '.change.after_sensitive') # # --- /dev/fd/63 2026-01-20 13:42:25.334274392 -0600 # +++ /dev/fd/62 2026-01-20 13:42:25.334274392 -0600 # @@ -27,5 +27,5 @@ # ], # "tags": {}, # "tags_all": {}, # - "user": true # + "user": [] # } ``` ### Additional Context _No response_ ### References Semi related bug report to the AWS Provider: https://github.com/hashicorp/terraform-provider-aws/issues/46061 ### Generative AI / LLM assisted development? No.