aws.redshift.ResourcePolicy triggering update if "Resource" is not set in the policy #4411

Open
Ownmarc opened this issue Aug 27, 2024 · 2 comments
Labels
area/docs (Improvements or additions to documentation), kind/enhancement (Improvements or new features)

Comments

@Ownmarc

Ownmarc commented Aug 27, 2024

Describe what happened

When creating an aws.redshift.ResourcePolicy, AWS will accept a policy that doesn't include "Resource" and will set it for us, but if it is not in our code, it will trigger an update on every deploy.

I got around it by setting it explicitly in my policy definition.

Sample program

This will trigger an update on every deploy, but sets everything as expected:

import pulumi
import pulumi_aws as aws

# `redshiftserverless_namespace`, `east_cluster` and `account_id` are defined earlier in the program.
# Neither statement names a "Resource"; AWS fills it in, so the stored policy never matches this one.
redshiftserverless_resource_policy = aws.redshift.ResourcePolicy(
    "redshiftserverless-resource-policy",
    resource_arn=redshiftserverless_namespace.arn,
    policy=pulumi.Output.json_dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "redshift.amazonaws.com"},
                "Action": "redshift:AuthorizeInboundIntegration",
                "Condition": {"StringEquals": {"aws:SourceArn": east_cluster.arn}},
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": account_id},
                "Action": "redshift:CreateInboundIntegration",
            },
        ],
    }),
)

This is what is needed (adding "Resource" explicitly in the policy) to not trigger an update on every deploy:

import pulumi
import pulumi_aws as aws

# `redshiftserverless_namespace`, `east_cluster` and `account_id` are defined earlier in the program.
# Each statement now names the namespace ARN as its "Resource", matching what AWS stores.
redshiftserverless_resource_policy = aws.redshift.ResourcePolicy(
    "redshiftserverless-resource-policy",
    resource_arn=redshiftserverless_namespace.arn,
    policy=pulumi.Output.json_dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "redshift.amazonaws.com"},
                "Action": "redshift:AuthorizeInboundIntegration",
                "Resource": redshiftserverless_namespace.arn,
                "Condition": {"StringEquals": {"aws:SourceArn": east_cluster.arn}},
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": account_id},
                "Action": "redshift:CreateInboundIntegration",
                "Resource": redshiftserverless_namespace.arn,
            },
        ],
    }),
)

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI
Version 3.129.0
Go Version go1.22.6
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.49.1
resource awsx 2.14.0
resource docker 4.5.5
language python unknown

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
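A plain-Python helper, added here as an example and not part of the issue or the Pulumi provider, that fills in the "Resource" each statement omits so the declared policy matches the document the API returns, and then compares the two. The ARNs, account id and the "remote" document are constructed stand-ins; in a Pulumi program the helper would run inside an Output.apply before json_dumps.

```python
import json
from copy import deepcopy

# Constructed placeholders; real values come from the Pulumi resources in the issue.
NAMESPACE_ARN = "arn:aws:redshift-serverless:us-east-1:123456789012:namespace/example"
CLUSTER_ARN = "arn:aws:redshift:us-east-1:123456789012:cluster:east"

# The policy as written in the issue: neither statement names a Resource.
LOCAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
         "Action": "redshift:AuthorizeInboundIntegration",
         "Condition": {"StringEquals": {"aws:SourceArn": CLUSTER_ARN}}},
        {"Effect": "Allow", "Principal": {"AWS": "123456789012"},
         "Action": "redshift:CreateInboundIntegration"},
    ],
}

# Constructed stand-in for the document the API hands back (what CloudTrail showed
# in the issue): same statements, Resource filled in, keys in the service's order.
REMOTE_POLICY_JSON = (
    '{"Version":"2012-10-17","Statement":['
    '{"Effect":"Allow","Principal":{"Service":"redshift.amazonaws.com"},'
    '"Action":"redshift:AuthorizeInboundIntegration","Resource":"' + NAMESPACE_ARN + '",'
    '"Condition":{"StringEquals":{"aws:SourceArn":"' + CLUSTER_ARN + '"}}},'
    '{"Effect":"Allow","Principal":{"AWS":"123456789012"},'
    '"Action":"redshift:CreateInboundIntegration","Resource":"' + NAMESPACE_ARN + '"}]}'
)

def with_explicit_resource(policy: dict, resource_arn: str) -> dict:
    """Copy of `policy` in which every statement names a Resource.
    Statements already carrying Resource or NotResource are left alone, so an
    explicitly scoped statement is never widened to the whole namespace."""
    fixed = deepcopy(policy)
    statements = fixed["Statement"]
    if isinstance(statements, dict):  # a single statement object is valid IAM JSON
        statements = fixed["Statement"] = [statements]
    for stmt in statements:
        if "Resource" not in stmt and "NotResource" not in stmt:
            stmt["Resource"] = resource_arn
    return fixed

def canonical(policy: dict) -> str:
    """Key-order-independent JSON, so comparison is on content, not layout."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":"))

def drifts(local: dict, remote_json: str) -> bool:
    """True when the declared policy differs from what the API returned."""
    return canonical(local) != canonical(json.loads(remote_json))
```

`drifts(LOCAL_POLICY, REMOTE_POLICY_JSON)` is True (the perpetual update), while the policy passed through `with_explicit_resource` compares equal to the stored document.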

@Ownmarc added the labels kind/bug (Some behavior is incorrect or out of spec) and needs-triage (Needs attention from the triage team) Aug 27, 2024

@corymhall
Contributor

@Ownmarc this behavior is expected, but should probably be documented better. I'll leave this issue open to track the documentation issue.

@corymhall added the label area/docs (Improvements or additions to documentation) and removed kind/bug (Some behavior is incorrect or out of spec) and needs-triage (Needs attention from the triage team) Aug 30, 2024

@Ownmarc
Author

Ownmarc commented Aug 30, 2024

Thanks, yea, the reason I was able to figure it out was that I went into my CloudTrail logs and looked at what the API was sending back as a response. There was probably another way to find out, but I don't know it.

@mikhailshilkov added the label kind/enhancement (Improvements or new features) Sep 9, 2024