
terraform plan wants to modify api_gateway resource policy unnecessarily #26541

Closed
ypz opened this issue Oct 10, 2020 · 2 comments

Comments


ypz commented Oct 10, 2020

I created an apigateway with a resource policy using the following code. Once created, a subsequent 'terraform plan' still wants to modify the apigateway due to some policy changes:

data "aws_iam_policy_document" "resource_policy_doc" {
  statement {
    actions = [ "execute-api:Invoke" ]
    principals {
      identifiers = [ "*" ]
      type = "AWS"
    }
    resources = [ "execute-api:/*" ]
  }
}

resource "aws_api_gateway_rest_api" "apigateway" {
  name        = "my_api_gateway"

  policy  = data.aws_iam_policy_document.resource_policy_doc.json
}

Here is the output from "terraform plan" command:

  # aws_api_gateway_rest_api.apigateway will be updated in-place
  ~ resource "aws_api_gateway_rest_api" "apigateway" {
        api_key_source           = "HEADER"
        arn                      = "arn:aws:apigateway:us-west-2::/restapis/96seugwcwj"
        binary_media_types       = []
        created_date             = "2020-10-09T01:55:29Z"
        execution_arn            = "arn:aws:execute-api:us-west-2:SOME_ACCT_ID:96seugwcwj"
        id                       = "96seugwcwj"
        minimum_compression_size = -1
        name                     = "my_api_gateway"
      ~ policy                   = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                        Action    = "execute-api:Invoke"
                        Effect    = "Allow"
                        Principal = {
                            AWS = "*"
                        }
                      ~ Resource  = "arn:aws:execute-api:us-west-2:SOME_ACCT_ID:96seugwcwj/*" -> "execute-api:/*"
                        Sid       = ""
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        root_resource_id         = "7802l0rm35"
        tags                     = {}

        endpoint_configuration {
            types            = [
                "EDGE",
            ]
            vpc_endpoint_ids = []
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The root cause seems to be that the resource string "execute-api:/*" given in the configuration file has been replaced with the actual apigateway's execution_arn in the policy applied to the apigateway in the state file. This replacement is seen as a configuration change by "terraform plan" and therefore it wants to modify the apigateway unnecessarily.

Expected behavior: terraform plan should not suggest such an unnecessary modification to the apigateway.
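The diff shown in the plan output is the API Gateway service expanding the "execute-api:/*" shorthand into the REST API's full execution ARN when it stores the policy, not a change anyone made to the configuration. The script below is an added example (not part of this issue, of Terraform, or of the AWS provider) that shows how a reviewer can separate that expansion from real drift: it canonicalises the shorthand on the configured side to the stored ARN form, normalises the usual single-value/list variations in IAM JSON, and only reports a difference when Effect, Principal, Action, Resource or Condition actually changed. The execution ARN is the one from the plan output above; the two policy documents and the tampered variant are constructed for the example, and the function names are mine.

```python
"""Tell the provider's execute-api ARN expansion apart from real policy drift.

Added example, not part of the issue or of Terraform. Inputs are constructed
from the plan output in the issue above.
"""
import json

# Execution ARN from the issue's plan output (account id already redacted there).
EXECUTION_ARN = "arn:aws:execute-api:us-west-2:SOME_ACCT_ID:96seugwcwj"

# Constructed: what the .tf file declares via aws_iam_policy_document.
CONFIGURED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "execute-api:Invoke",
        "Resource": "execute-api:/*",
    }],
})

# Constructed: what AWS returned and Terraform recorded in state.
STORED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "execute-api:Invoke",
        "Resource": EXECUTION_ARN + "/*",
    }],
})

# Constructed: a stored policy whose Action was widened outside Terraform.
TAMPERED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "execute-api:*",
        "Resource": EXECUTION_ARN + "/*",
    }],
})


def _as_list(value):
    """IAM allows a scalar where a list is meant; compare both as lists."""
    return value if isinstance(value, list) else [value]


def canonicalize_resource(resource, execution_arn):
    """Expand the 'execute-api:/path' shorthand to the ARN form AWS stores."""
    prefix = "execute-api:"
    if resource.startswith(prefix):
        return execution_arn + resource[len(prefix):]
    return resource


def normalize_policy(policy_json, execution_arn):
    """Return a canonical dict: sorted lists, expanded ARNs, Sid dropped."""
    doc = json.loads(policy_json)
    statements = []
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = {k: sorted(_as_list(v)) for k, v in principal.items()}
        norm = {
            "Effect": stmt.get("Effect"),
            "Principal": principal,
            "Action": sorted(_as_list(stmt.get("Action", []))),
            "Resource": sorted(canonicalize_resource(r, execution_arn)
                               for r in _as_list(stmt.get("Resource", []))),
        }
        if "Condition" in stmt:
            norm["Condition"] = stmt["Condition"]
        statements.append(norm)
    # Statement order carries no meaning in IAM; sort for a stable comparison.
    statements.sort(key=lambda s: json.dumps(s, sort_keys=True))
    return {"Version": doc.get("Version"), "Statement": statements}


def classify_drift(configured_json, stored_json, execution_arn):
    """Return (has_drift, changed_fields) after canonicalising both documents."""
    cfg = normalize_policy(configured_json, execution_arn)
    live = normalize_policy(stored_json, execution_arn)
    if cfg == live:
        return False, []
    changed = []
    if cfg["Version"] != live["Version"]:
        changed.append("Version")
    if len(cfg["Statement"]) != len(live["Statement"]):
        changed.append("Statement.count")
    for i, (a, b) in enumerate(zip(cfg["Statement"], live["Statement"])):
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                changed.append(f"Statement[{i}].{key}")
    return True, changed


if __name__ == "__main__":
    print("issue's plan diff:", classify_drift(CONFIGURED_POLICY, STORED_POLICY, EXECUTION_ARN))
    print("widened action:  ", classify_drift(CONFIGURED_POLICY, TAMPERED_POLICY, EXECUTION_ARN))
```

The distinction matters because the quick fix for a perpetual diff, a `lifecycle { ignore_changes = [policy] }` block on the resource, silences every change to the policy, including a principal or action widened outside Terraform; a comparison that canonicalises only the known expansion keeps those real changes visible in review.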

@ypz ypz added bug new new issue not yet triaged labels Oct 10, 2020
@pselle pselle added provider/aws and removed new new issue not yet triaged labels Oct 12, 2020
@ghost ghost closed this as completed Oct 12, 2020

ghost commented Oct 12, 2020

This issue has been automatically migrated to hashicorp/terraform-provider-aws#15602 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#15602.


ghost commented Nov 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked as resolved and limited conversation to collaborators Nov 12, 2020