aws.IntegrationAccount always updates if accountTags is omitted

[spock-abadai]

Describe what happened

When configuring an AWS IntegrationAccount resource without specifying the accountTags argument, the resource is updated on every pulumi up, but the default preview details does not indicate what changed. A preview with a JSON diff reveals that the reason is that the old state contains accountTags: [] (presumably filled as a default when omitting the argument), but the new state omits the accountTags.

Sample program

const datadogIntegrationAWS = new datadog.aws.IntegrationAccount("datadog-aws-account", {
    awsAccountId: accountId,
    awsPartition: "aws",
    authConfig: {
      awsAuthConfigRole: {
        roleName: "DatadogIntegrationRole",
      }
    },
    awsRegions: {
      includeOnlies: ["us-east-1"]
    },
    logsConfig: {
      lambdaForwarder: {},
    },
    metricsConfig: {
      enabled: true,
      namespaceFilters: {}
    },
    resourcesConfig: {
      cloudSecurityPostureManagementCollection: false,
      extendedCollection: true,
    },
    tracesConfig: {
      xrayServices: {}
    }
  });

Log output

No response

Affected Resource(s)

datadog.aws.IntegrationAccount

Output of pulumi about

CLI          
Version      3.147.0
Go Version   go1.23.5
Go Compiler  gc

Plugins
KIND      NAME    VERSION
language  nodejs  3.147.0

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/home/<redacted>/.nvm/versions/node/v18.18.0/bin/node' version='v18.18.0'

Current Stack: infra-aws-datadog/common

TYPE                                               URN
pulumi:pulumi:Stack                                urn:pulumi:common::infra-aws-datadog::pulumi:pulumi:Stack::infra-aws-datadog-common
pulumi:providers:datadog                           urn:pulumi:common::infra-aws-datadog::pulumi:providers:datadog::default_4_41_0
datadog:aws/integrationAccount:IntegrationAccount  urn:pulumi:common::infra-aws-datadog::datadog:aws/integrationAccount:IntegrationAccount::datadog-aws-account

Found no pending operations associated with common

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/<redacted>
User           <redacted>
Organizations  <redacted>
Token type     personal

Dependencies:
NAME  VERSION

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[guineveresaenger]

Hi @spock-abadai - thank you for letting us know about this. Thank you also for the easy repro instructions!

I have verified that this reproduces for us.

I have additionally verified that this does not reproduce in Terraform. This is a bug in Pulumi; likely how defaults get propagated.

Additionally, if you pass an empty accountTags to your pulumi config, the permadiff goes away. For now, please use this as a workaround while we figure out a thorough fix!