[Bug]: Since provider v5.73 aws_sagemaker_domain inVpcOnly mode throws ValidationException: AppSecurityGroupManagement ... on Update

[philipgebus]

Terraform Core Version

1.9.0

AWS Provider Version

5.73.0

Affected Resource(s)

aws_sagemaker_domain

Expected Behavior

• Creation of aws_sagemaker_domain executes successfully
• Update of aws_sagemaker_domain executes successfully

Actual Behavior

• Creation of aws_sagemaker_domain executes successfully
• Update of aws_sagemaker_domain throws exception

Details:
After updating a domain with app_network_access_type = "VpcOnly" and RStudio disabled (see exemplary config below), the domain update throws the following exception:

 Error: updating SageMaker Domain: operation error SageMaker: UpdateDomain, https response error StatusCode: 400, RequestID: ***, api error ValidationException: AppSecurityGroupManagement can only be set for Rstudio enabled domains.

Relevant Error/Panic Output Snippet

│ Error: updating SageMaker Domain: operation error SageMaker: UpdateDomain, https response error StatusCode: 400, RequestID: bc7e8308-30f3-4624-800b-60385a56bddf, api error ValidationException: AppSecurityGroupManagement can only be set for Rstudio enabled domains.
│ 
│   with module.sagemaker_domain.aws_sagemaker_domain.this,
│   on .terraform/modules/sagemaker_domain/sagemaker_domain.tf line 2, in resource "aws_sagemaker_domain" "this":
│    2: resource "aws_sagemaker_domain" "this" {

Terraform Configuration Files

Exemplary config:
var.r_studio_enabled = false

resource "aws_sagemaker_domain" "this" {
  domain_name = "my_test_domain"

  # Set the authentication mode
  auth_mode = "IAM"

  # Set the VPC ID and subnet IDs for the domain
  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids_private

  # Set the network access type for the app
  app_network_access_type = "VpcOnly"
  
  app_security_group_management = (var.app_network_access_type == "VpcOnly") ? (var.r_studio_enabled ? "Service" : "Customer") : null

  default_user_settings = {
    execution_role         = aws_iam_role.domain_execution.arn
    studio_web_portal   = "ENABLED"
    default_landing_uri = "studio::"
  }
}

Steps to Reproduce

1. Create domain with above config and v5.73.0 of the AWS provider (successful)
2. Update domain (fails)

Debug Output

No response

Panic Output

No response

Important Factoids

Updates with the same config work for <v5.73.0 of the AWS Terraform provider

References

https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[philipgebus]

FYI @DrFaust92 (as you were so kind to implement many new arguments for aws_sagemaker_domain in v5.73)

[ewbankkit]

Relates #39774.

[DrFaust92]

Mmm.. Options are either rollback the update ability or set some if with recreate true only on relevant case. LMK what you think makes sense here and ill try to implement it.

[ewbankkit]

I think a d.HasChange check before if v, ok := d.GetOk("app_security_group_management"); ok { could do it.