Deploying a fresh Quicksight Account with Terraform

We’re working on rebuilding our Quicksight environment in a fresh AWS account. This means creating a Quicksight Account with Terraform.

The AWS TF provider does this for us, but we’re running into an issue where nearly any update to Quicksight resources within the account triggers Terraform to destroy and rebuild the entire account.

I understand that --some-- API calls can trigger this behavior.
For example, if deploying the Quicksight account to use the IAM Identity Center, any changes to groups or users assigned to Quicksight’s roles (ADMIN, AUTHOR, READER, etc…) will trigger a destroy and recreation of the account. This is because the AWS TF provider cannot make an API call to read what the existing groups are.

But this results in this behavior when doing other small changes, like simply creating a folder within Quicksight.

This is made difficult because the Quicksight account protects itself from removal by default. Before every Terraform Apply, we have to log into the Quicksight admin console, and manually flip the switch to disable the account removal protection.

I’m thinking that we will have to create the initial Quicksight account configuration in one Terraform configuration (read: code repo), and then do all the rest of our work within Quicksight in a separate Terraform configuration (read: code repo).

Any other thoughts from the community? Any word to or from the developers of the AWS TF provider?
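
A pre-apply guard for the behaviour described in the post, as an added example that is not part of the original post: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports any planned delete or replace of the account resource, so a pipeline can stop before anyone disables the removal protection. The resource type `aws_quicksight_account_subscription`, the function name and the sample plan are assumptions made for the example.

```python
import json
import sys

# Assumption: the account is managed through the AWS provider's
# aws_quicksight_account_subscription resource (the post does not name it).
PROTECTED_TYPES = {"aws_quicksight_account_subscription"}


def destructive_changes(plan, protected=PROTECTED_TYPES):
    """Return (address, actions, replace_paths) for each protected resource
    that the plan would delete or replace."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in protected:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replace appears as ["delete", "create"] or ["create", "delete"].
        if "delete" in actions:
            findings.append((rc["address"], actions, change.get("replace_paths", [])))
    return findings


# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_quicksight_folder.reports",
     "type": "aws_quicksight_folder",
     "change": {"actions": ["create"]}},
    {"address": "aws_quicksight_account_subscription.this",
     "type": "aws_quicksight_account_subscription",
     "change": {"actions": ["delete", "create"],
                "replace_paths": [["admin_group"]]}}
  ]
}
""")

if __name__ == "__main__":
    # With a path argument, check that plan JSON; otherwise check the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    found = destructive_changes(plan)
    for address, actions, paths in found:
        print(f"BLOCK: {address} actions={actions} forced by {paths}")
    sys.exit(1 if found else 0)
```

The `replace_paths` field in the output names the attribute that forced the replacement, which shows whether a small change such as a new folder is really what triggers the rebuild.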