```
Terraform v1.14.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.22.1
```
`aws_controltower_baseline` resource

The `baseline_version` property can be upgraded from "4.0" to "5.0" following a landing zone upgrade.

Rather than calling `UpdateEnabledBaseline`, the provider attempts to replace the resource, invoking `DisableBaseline`, which fails as expected.
Plan:

```
  # aws_controltower_baseline.ou_baselines["Unused"] must be replaced
-/+ resource "aws_controltower_baseline" "ou_baselines" {
      ~ arn                  = "<enabledBaselineArn>" -> (known after apply)
      ~ baseline_version     = "4.0" -> "5.0" # forces replacement
      + operation_identifier = (known after apply)
        tags                 = {
            <misc tags>
        }
        # (4 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
```
Result:

```
╷
│ Error: deleting AWS Control Tower Baseline ("<enabledBaselineArn"): operation error ControlTower: DisableBaseline, https response error StatusCode: 409, RequestID: 434e0535-27da-4f49-8c5a-fd961c6abba7, ConflictException: AWS Control Tower cannot perform a DisableBaseline operation on a target OU or account with optional controls enabled.
│
│ operation error ControlTower: DisableBaseline, https response error StatusCode: 409, RequestID:
│ 434e0535-27da-4f49-8c5a-fd961c6abba7, ConflictException: AWS Control Tower cannot perform a
│ DisableBaseline operation on a target OU or account with optional controls enabled.
╵
```
```hcl
resource "aws_controltower_baseline" "ou_baseline" {
  baseline_identifier = "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2"
  baseline_version    = "4.0" # Create with 4.0 first, then try upgrading to "5.0"
  target_identifier   = ""    # ARN of OU to be baselined
  tags                = { "key" = "value" }
}
```
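Until the provider updates in place, the practical defence is to catch the `-/+` replacement before `apply` reaches `DisableBaseline`. The following is an added example, not code from the issue or from terraform-provider-aws: a small plan guard that reads the JSON produced by `terraform show -json tfplan` and fails when any protected Control Tower resource is scheduled for a delete (including the delete half of a replace). The `PROTECTED_TYPES` set and the embedded sample plan are constructed for this example and mirror the plan shown above.

```python
"""Plan guard: fail before `terraform apply` when a plan would destroy or
replace a Control Tower baseline. Added example; not part of the issue."""
import json
import sys

# Resource types whose deletion is disruptive for the landing zone.
# Assumed list for this example; extend to taste.
PROTECTED_TYPES = {"aws_controltower_baseline", "aws_controltower_landing_zone"}


def destructive_changes(plan: dict, protected=PROTECTED_TYPES) -> list:
    """Return one finding per resource_changes entry of a protected type whose
    planned actions include "delete" (covers ["delete","create"] and
    ["create","delete"] replacements as well as plain destroys)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") in protected and "delete" in actions:
            before = change.get("before") or {}
            after = change.get("after") or {}
            findings.append({
                "address": rc.get("address"),
                "actions": actions,
                # replace_paths names the attribute(s) that forced replacement
                "replace_paths": change.get("replace_paths", []),
                "baseline_version": (before.get("baseline_version"),
                                     after.get("baseline_version")),
            })
    return findings


# Constructed plan JSON mirroring the issue: a 4.0 -> 5.0 bump rendered as a
# replace, plus an unrelated in-place update that must not be flagged.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'aws_controltower_baseline.ou_baselines["Unused"]',
            "type": "aws_controltower_baseline",
            "change": {
                "actions": ["delete", "create"],
                "before": {"baseline_version": "4.0", "arn": "<enabledBaselineArn>"},
                "after": {"baseline_version": "5.0", "arn": None},
                "replace_paths": [["baseline_version"]],
            },
        },
        {
            "address": "aws_s3_bucket.logs",
            "type": "aws_s3_bucket",
            "change": {"actions": ["update"], "before": {}, "after": {}},
        },
    ],
}


def main(argv):
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    #        python plan_guard.py plan.json   (no argument: runs on SAMPLE_PLAN)
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = destructive_changes(plan)
    for f in findings:
        print(f"BLOCKED {f['address']}: actions={f['actions']} "
              f"replace_paths={f['replace_paths']} "
              f"baseline_version {f['baseline_version'][0]} -> {f['baseline_version'][1]}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into CI between `terraform plan` and `terraform apply`, a non-zero exit stops the run before the provider issues `DisableBaseline`, so the 409 above is never reached. The in-config equivalent is `lifecycle { prevent_destroy = true }` on the baseline resource, which makes `terraform plan` itself error on the replacement; the plan guard is useful where you cannot edit every module or want the check to cover several resource types at once.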