[Bug]: aws_kinesis_firehose_delivery_stream continually applies cloudwatch_logging_options

Terraform Core Version

1.5.0

AWS Provider Version

5.68.0

Affected Resource(s)

aws_kinesis_firehose_delivery_stream.log_streams.elasticsearch_configuration.s3_configuration.cloudwatch_logging_options continually reapplies log_stream_name and log_group_name when enabled is false.

Expected Behavior

Runs should ignore or otherwise track the settings without continually changing them.

Actual Behavior

Repeated applies of the same settings.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_kinesis_firehose_delivery_stream" "logs_stream" {
  name        = module.firehose_label.id
  tags        = module.firehose_label.tags
  destination = "elasticsearch"


  elasticsearch_configuration {
    domain_arn            = local.es_logs_cluster_domain_arn
    role_arn              = aws_iam_role.firehose_logging_role.arn
    buffering_interval    = var.logs_firehose_es_buffering_interval
    index_name            = "logs"
    s3_backup_mode        = "AllDocuments"
    index_rotation_period = var.logs_es_rotation_period

    s3_configuration {
      role_arn           = aws_iam_role.firehose_logging_role.arn
      bucket_arn         = module.log_storage.bucket_arn
      buffering_size     = 10
      buffering_interval = 900
      compression_format = "GZIP"

      cloudwatch_logging_options {
        enabled         = var.logs_firehose_debugging_s3_enabled
        log_group_name  = aws_cloudwatch_log_group.firehose_debugging.name  ### This reapplies
        log_stream_name = "S3Delivery"                                      ### This reapplies
      }
    }

    cloudwatch_logging_options {
      enabled         = var.logs_firehose_debugging_es_enabled
      log_group_name  = aws_cloudwatch_log_group.firehose_debugging.name
      log_stream_name = "ESDelivery"
    }

    vpc_config {
      security_group_ids = [data.aws_security_group.es_logs_sg.id]
      subnet_ids         = data.aws_subnets.public.ids
      role_arn           = aws_iam_role.firehose_logging_role.arn
    }
  }

  server_side_encryption {
    enabled = true
  }
}

resource "aws_cloudwatch_log_group" "firehose_debugging" {
  name              = module.firehose_label.id
  retention_in_days = var.logs_firehose_debugging_retention_in_days
  tags              = module.firehose_label.tags
}

resource "aws_cloudwatch_log_stream" "default" {
  for_each       = toset(["S3Delivery", "ESDelivery"])
  name           = each.key
  log_group_name = aws_cloudwatch_log_group.firehose_debugging.name
}

Steps to Reproduce

Apply the block with the S3 configuration cloudwatch logging options disabled.

Debug Output

No response

Panic Output

No response

Important Factoids

This code is duplicated across ~3 dozen accounts. It's only happening to a handful of new accounts now, but I can't figure out what is influencing it. Have tried to enable it and then disable it.

References

No response

Would you like to implement a fix?

None