Merge pull request #28863 from hashicorp/b-secretsmanager-policy-diffs

secretsmanager: Improve diffs with policies

Author: YakDriver

.changelog/28863.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_secretsmanager_secret: Improve refresh to avoid unnecessary diffs in `policy`
+```
+
+```release-note:bug
+resource/aws_secretsmanager_secret_policy: Improve refresh to avoid unnecessary diffs in `policy`
+```

internal/service/secretsmanager/secret.go

@@ -66,11 +66,12 @@ func ResourceSecret() *schema.Resource {
 				ValidateFunc:  validSecretNamePrefix,
 			},
 			"policy": {
-				Type:             schema.TypeString,
-				Optional:         true,
-				Computed:         true,
-				ValidateFunc:     validation.StringIsJSON,
-				DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs,
+				Type:                  schema.TypeString,
+				Optional:              true,
+				Computed:              true,
+				ValidateFunc:          validation.StringIsJSON,
+				DiffSuppressFunc:      verify.SuppressEquivalentPolicyDiffs,
+				DiffSuppressOnRefresh: true,
 				StateFunc: func(v interface{}) string {
 					json, _ := structure.NormalizeJsonString(v)
 					return json
@@ -203,7 +204,6 @@ func resourceSecretCreate(d *schema.ResourceData, meta interface{}) error {
 
 	if v, ok := d.GetOk("policy"); ok && v.(string) != "" && v.(string) != "{}" {
 		policy, err := structure.NormalizeJsonString(v.(string))
-
 		if err != nil {
 			return fmt.Errorf("policy (%s) is invalid JSON: %w", v.(string), err)
 		}
@@ -299,7 +299,6 @@ func resourceSecretRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("reading Secrets Manager Secret (%s) policy: %w", d.Id(), err)
 	} else if v := output.ResourcePolicy; v != nil {
 		policyToSet, err := verify.PolicyToSet(d.Get("policy").(string), aws.StringValue(v))
-
 		if err != nil {
 			return err
 		}
@@ -378,7 +377,6 @@ func resourceSecretUpdate(d *schema.ResourceData, meta interface{}) error {
 	if d.HasChange("policy") {
 		if v, ok := d.GetOk("policy"); ok && v.(string) != "" && v.(string) != "{}" {
 			policy, err := structure.NormalizeJsonString(v.(string))
-
 			if err != nil {
 				return fmt.Errorf("policy contains an invalid JSON: %w", err)
 			}

internal/service/secretsmanager/secret_policy.go

@@ -34,10 +34,11 @@ func ResourceSecretPolicy() *schema.Resource {
 				ValidateFunc: verify.ValidARN,
 			},
 			"policy": {
-				Type:             schema.TypeString,
-				Required:         true,
-				ValidateFunc:     validation.StringIsJSON,
-				DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs,
+				Type:                  schema.TypeString,
+				Required:              true,
+				ValidateFunc:          validation.StringIsJSON,
+				DiffSuppressFunc:      verify.SuppressEquivalentPolicyDiffs,
+				DiffSuppressOnRefresh: true,
 				StateFunc: func(v interface{}) string {
 					json, _ := structure.NormalizeJsonString(v)
 					return json
@@ -55,7 +56,6 @@ func resourceSecretPolicyCreate(d *schema.ResourceData, meta interface{}) error
 	conn := meta.(*conns.AWSClient).SecretsManagerConn()
 
 	policy, err := structure.NormalizeJsonString(d.Get("policy").(string))
-
 	if err != nil {
 		return fmt.Errorf("policy (%s) is invalid JSON: %w", d.Get("policy").(string), err)
 	}
@@ -125,7 +125,6 @@ func resourceSecretPolicyRead(d *schema.ResourceData, meta interface{}) error {
 
 	if output.ResourcePolicy != nil {
 		policyToSet, err := verify.PolicyToSet(d.Get("policy").(string), aws.StringValue(output.ResourcePolicy))
-
 		if err != nil {
 			return err
 		}