minio_iam_policy order keeps shifting

[tv42]

I don't know if this problem originates from this code, or if minio itself keeps shuffling this (and the provider should just somehow cope with it), but I keep getting output like this from terraform plan:

  # module.a.minio_iam_policy.b has been changed
  ~ resource "minio_iam_policy" "b" {
        id     = "b"
        name   = "b"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                          - "arn:aws:s3:::x",
                            "arn:aws:s3:::y",
                            "arn:aws:s3:::z",
                          + "arn:aws:s3:::x",
                        ]
                        # (2 unchanged elements hidden)
                    },
                    {
                        Action   = [
                            "s3:GetObject",
                            "s3:PutObject",
                        ]
                        Effect   = "Allow"
                        Resource = [
                            "arn:aws:s3:::x/*",
                            "arn:aws:s3:::y/*",
                            "arn:aws:s3:::z/*",
                        ]
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
    }
[...]
No changes. Your infrastructure matches the configuration.

Updating the *.tf to match the order here doesn't really matter; in a couple of runs, it'll show a different order.

All the lists seem to be getting shuffled, observing Resource, Action.

And in the end, terraform thinks that there are no changes to apply, so something seems to be doing an order-independent comparison, but the diffs are distractingly long.

[tv42]

This is caused by these being stored as map[string]struct{}, and map iteration order is random.

terraform-provider-minio/minio/payload.go

Lines 97 to 101 in b2774a1

	Actions set.StringSet `json:"Action"`
	Conditions ConditionMap `json:"Condition,omitempty"`
	Effect string `json:",omitempty"`
	Principal string `json:"Principal,omitempty"`
	Resources set.StringSet `json:"Resource"`

https://pkg.go.dev/github.com/minio/minio-go/v7/pkg/set#StringSet

encoding/json would sort the keys of maps, but it's being overridden to get the list-like marshaling:

https://github.com/minio/minio-go/blob/0823af6c707c3af8ada4a4cd45cf1ff7378ebc2b/pkg/set/stringset.go#L147

https://github.com/minio/minio-go/blob/0823af6c707c3af8ada4a4cd45cf1ff7378ebc2b/pkg/set/stringset.go#L33

If terraform can't be taught a smarter comparison mechanism, then ToSlice should alphabetize the list, on both sides (data fetched from minio, data created from *.tf).

[pjsier]

It looks like the most straightforward place to address this might be the suppressEquivalentAwsPolicyDiffs function since it's already being used as the DiffSuppressFunc in multiple places.

terraform-provider-minio/minio/resource_minio_iam_policy.go

Lines 163 to 170 in b2d72d6

	func suppressEquivalentAwsPolicyDiffs(k, old, new string, d *schema.ResourceData) bool {
	equivalent, err := awspolicy.PoliciesAreEquivalent(old, new)
	if err != nil {
	return false
	}
	return equivalent
	}

It looks like this is a wrapper around jen20/awspolicyequivalence which seems to require the order to be the same. It looks like there's a hashicorp fork here hashicorp/awspolicyequivalence that fixes this issue. I'll put in a PR replacing this to see if it works