minio_canned_policy order of array shifts on second (further) plan/apply

[rbojan]

The resource minio_canned_policy order of Action array shifts on second and further terraform plan forcing replacement of the resource.

Steps to reproduce:

1. Create main.tf

resource "minio_canned_policy" "backups" {
  name = "backups"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::backups"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::backups/*"
            ]
        }
    ]
}
EOT
}

2. Run terraform plan

  # minio_canned_policy.backups will be created
  + resource "minio_canned_policy" "backups" {
      + id     = (known after apply)
      + name   = "backups"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::backups",
                        ]
                    },
                  + {
                      + Action   = [
                          + "s3:GetObject",
                          + "s3:PutObject",
                          + "s3:DeleteObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::backups/*",
                        ]
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
    }

3. Run terraform apply

minio_canned_policy.backups: Creation complete after 1s [id=backups]

4. Run terraform plan again (without changing the resource)

  # minio_canned_policy.backups must be replaced
-/+ resource "minio_canned_policy" "backups" {
      ~ id     = "backups" -> (known after apply)
        name   = "backups"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action   = [
                            "s3:ListBucket",
                        ]
                        Effect   = "Allow"
                        Resource = [
                            "arn:aws:s3:::backups",
                        ]
                    },
                  ~ {
                      ~ Action   = [
                          - "s3:DeleteObject",
                            "s3:GetObject",
                            "s3:PutObject",
                          + "s3:DeleteObject",
                        ]
                        # (2 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            } # forces replacement
        )
    }

I suppose that this also applies to the Resource array but is not applicable here because it has only one element.

[jostmart]

Stumbled upon this today. No fix?

[rbojan]

@jostmart We ended up using another Terraform Provider for MinIO: https://github.com/aminueza/terraform-provider-minio which works like a charm.