Description
Module version
v2.37.0
Context
The AWS provider recently found a bug in v6.0.0 with a resource identity implementation where the identity was not being set, which resulted in the identity object being stored in Terraform state as all null attributes:
As a result of this bug, the AWS provider attempted to fix the identities in v6.1.0, however because the identity had already been stored (as an invalid null object), they received the mutable identity error message: hashicorp/terraform-provider-aws#43199
Error: Unexpected Identity Change: During the read operation,
the Terraform Provider unexpectedly returned a different identity
then the previously stored one.
Expected Behavior
An identity that is null or has all null attributes is invalid, so the SDK should have returned an error to the provider indicating that identity was supported, however the provider did not return an identity. This would have helped the provider developers catch this bug earlier, before identity was stored in any state files.
The only time an identity is valid to be null is in a read operation immediately following import, where the identity might be null because the practitioner is importing via the ID string.
References
- Framework allows resource identities to be set to null, eventually triggering mutable identity error terraform-plugin-framework#1184
- [bug] AWS terraform provider 6.1.0 identity changed terraform-provider-aws#43199
- aws_iam_role resource: "Unexpected Identity Change" error with provider v6.1.0 (works with v6.0.0) terraform-provider-aws#43204
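
The check requested under Expected Behavior, as an added Go example that is not terraform-plugin-sdk code: it models how a lenient read stores an all-null identity that later trips the identity-change check, and how a strict read rejects it up front. `Identity`, `StoreAfterRead`, the error values and the attribute names are hypothetical, and applying the import exception to the identity returned by that read is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Identity is a hypothetical model of a resource identity object:
// attribute name -> value, nil meaning a null attribute. Not the SDK's type.
type Identity map[string]*string

var (
	ErrNullIdentity    = errors.New("identity supported, but provider returned no identity")
	ErrIdentityChanged = errors.New("unexpected identity change")
)

// allNull is true for a nil identity and for one whose attributes are all null.
func allNull(id Identity) bool {
	for _, v := range id {
		if v != nil {
			return false
		}
	}
	return true
}

// StoreAfterRead returns the identity to write to state after a read.
// strict enables the proposed null check; readAfterImport is the one exception.
func StoreAfterRead(stored, returned Identity, strict, readAfterImport bool) (Identity, error) {
	if strict && allNull(returned) && !readAfterImport {
		return stored, ErrNullIdentity
	}
	// Immutability check: an identity already in state must not change.
	if stored != nil && !reflect.DeepEqual(stored, returned) {
		return stored, ErrIdentityChanged
	}
	return returned, nil
}

func main() {
	role := "example-role" // constructed sample value
	buggy := Identity{"account_id": nil, "name": nil} // identity never set
	fixed := Identity{"account_id": nil, "name": &role}
	state, _ := StoreAfterRead(nil, buggy, false, false) // lenient: null object is stored
	_, err := StoreAfterRead(state, fixed, false, false)
	fmt.Println("lenient, after provider fix:", err)
	_, err = StoreAfterRead(nil, buggy, true, false)
	fmt.Println("strict, buggy provider:", err)
}
```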