Problem
The terraform plan command generates an execution plan that shows unexpected changes to resources, even when you have not modified your Terraform configuration or the underlying infrastructure.
Cause
This issue can occur when your Terraform configuration does not pin provider versions. During each terraform init, Terraform downloads the latest provider version that matches the configuration's constraints. If no version is specified, Terraform downloads the newest available provider.
A major provider update (e.g., from version 3.x to 4.x) can introduce breaking changes, new features, or bug fixes that alter how resources are managed. When terraform plan runs with the new provider, it compares your configuration against the state file and proposes changes to align your infrastructure with the new provider's logic.
For example, a configuration without a version constraint may cause this issue.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # No version constraint is set
    }
  }
}
provider "aws" {}
Solution
To prevent unexpected changes from provider updates, you must define explicit version constraints for all providers in your configuration. Pinning the provider version ensures that terraform init always downloads the same version, leading to consistent and predictable plans.
Update your configuration to include a version argument in the required_providers block.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.28.0"
    }
  }
}
provider "aws" {}
This practice allows you to test provider upgrades in a controlled development environment before applying them to production workloads.
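To find configurations affected by this issue, the following Python check reports each provider in a required_providers block as missing a version, constrained to a range, or pinned exactly. It is an added example, not part of the original article or of Terraform's own tooling. It goes slightly beyond the article by separating range constraints from exact pins. The function names, status labels and sample configuration are constructed, and it assumes the `name = { ... }` entry syntax with whole-line `#` or `//` comments only.

```python
import re

# Constructed sample: one provider with no version, one range, one exact pin.
SAMPLE = """
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # version = "4.28.0"   (commented out, so no constraint is set)
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "3.2.1"
    }
  }
}
"""

# An exact pin here means a full three-part version, optionally prefixed with "=".
EXACT = re.compile(r"\s*=?\s*\d+\.\d+\.\d+(-[\w.]+)?\s*")

def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def audit_providers(hcl):
    """Map each provider name to 'missing', 'range' or 'exact'."""
    # Assumption: only whole-line # and // comments are stripped (no /* */ blocks).
    hcl = re.sub(r"(?m)^[ \t]*(#|//).*$", "", hcl)
    results = {}
    for m in re.finditer(r"required_providers\s*\{", hcl):
        body = _block_body(hcl, m.end() - 1)
        for p in re.finditer(r"([\w-]+)\s*=\s*\{", body):
            v = re.search(r'\bversion\s*=\s*"([^"]*)"', _block_body(body, p.end() - 1))
            results[p.group(1)] = "missing" if v is None else (
                "exact" if EXACT.fullmatch(v.group(1)) else "range")
    return results

if __name__ == "__main__":
    print(audit_providers(SAMPLE))
```

Run over the contents of each .tf file, any result other than "exact" marks a provider whose version can change on a later terraform init.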
Additional Information
- For more details on provider versioning, refer to the official documentation on provider version constraints.
- To learn more about the initialization process, see the terraform init command documentation.
- For other potential causes of unexpected plan changes, review the Terraform plan shows unexpected changes (infrastructure cause) article.