aws_db_instance: false positive not being covered by IaC

[syphernl]

Description

I am currently testing driftctl on our pipelines. In the project I am running it on, it claims that our aws_db_instance is not covered by IaC.
This seems to be a false positive, as it is created and managed by Terraform.

Environment

• OS: Ubuntu / Alpine
• driftctl version: v0.39.0
• terraform version: v1.5.6
• terraform providers versions:
  • provider registry.terraform.io/cloudposse/awsutils v0.18.1
  • provider registry.terraform.io/gitlabhq/gitlab v16.3.0
  • provider registry.terraform.io/hashicorp/aws v5.15.0
  • provider registry.terraform.io/hashicorp/local v2.4.0
  • provider registry.terraform.io/hashicorp/null v3.2.1
  • provider registry.terraform.io/hashicorp/random v3.5.1
  • provider registry.terraform.io/hashicorp/time v0.9.1
  • provider registry.terraform.io/jianyuan/sentry v0.11.2

Running driftctl scan --only-unmanaged results in:

Found resources not covered by IaC:
  aws_db_instance:
    - my-demo-db

However, it is part of the tfstate that is being parsed by driftctl:

    {
      "module": "module.rds_postgres_db",
      "mode": "managed",
      "type": "aws_db_instance",
      "name": "default",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "index_key": 0,
          "schema_version": 2,
          "attributes": {
            "address": "my-demo-db.xxxxxxxxxxxxxx.xxxxxxxxxxxxxx.rds.amazonaws.com",
            "allocated_storage": 21,
            "allow_major_version_upgrade": true,
            "apply_immediately": true,
            "arn": "arn:aws:rds:xxxxxxxxxxxxxx:xxxxxxxxxxxxx",
            "auto_minor_version_upgrade": true,
            "availability_zone": "xxxxxxxxxxxxxxb",
            "backup_retention_period": 7,
            "backup_target": "region",
            "backup_window": "22:00-03:00",
            "blue_green_update": [],
            "ca_cert_identifier": "rds-ca-2019",
            "character_set_name": "",
            "copy_tags_to_snapshot": true,
            "custom_iam_instance_profile": "",
            "customer_owned_ip_enabled": false,
            "db_name": "xxxxxxxxx",
            "db_subnet_group_name": "my-demo-db",
            "delete_automated_backups": true,
            "deletion_protection": true,
            "domain": "",
            "domain_iam_role_name": "",
            "enabled_cloudwatch_logs_exports": [
              "postgresql",
              "upgrade"
            ],
            "endpoint": "my-demo-db.xxxxxxxxxxxxxx.xxxxxxxxxxxxxx.rds.amazonaws.com:5432",
            "engine": "postgres",
            "engine_version": "15.3",
            "engine_version_actual": "15.3",
            "final_snapshot_identifier": "my-demo-db-final-snapshot",
            "hosted_zone_id": "XXXXXXXXXXXXXXX",
            "iam_database_authentication_enabled": false,
            "id": "db-XXXXXXXXXXXXXXX",
            "identifier": "my-demo-db",
            "identifier_prefix": "",
            "instance_class": "db.t4g.small",
            "iops": 3000,
            "kms_key_id": "arn:aws:kms:xxxxxxxxxxxxxx:xxxxxxxxx:key/xxxxxx-xxxxxxx-xxxxxxxxx",
            "latest_restorable_time": "2023-09-04T12:09:30Z",
            "license_model": "postgresql-license",
            "listener_endpoint": [],
            "maintenance_window": "mon:03:00-mon:04:00",
            "manage_master_user_password": null,
            "master_user_secret": [],
            "master_user_secret_kms_key_id": null,
            "max_allocated_storage": 50,
            "monitoring_interval": 0,
            "monitoring_role_arn": "",
            "multi_az": false,
            "nchar_character_set_name": "",
            "network_type": "IPV4",
            "option_group_name": "my-demo-db-20230809074118965400000001",
            "parameter_group_name": "my-demo-db-20230809074118974000000002",
            "password": "xxxxxxxxxxxxxxxxxxxxxx",
            "performance_insights_enabled": false,
            "performance_insights_kms_key_id": "",
            "performance_insights_retention_period": 0,
            "port": 5432,
            "publicly_accessible": false,
            "replica_mode": "",
            "replicas": [],
            "replicate_source_db": "",
            "resource_id": "db-xxxxxxxxxxxxxxxxxx",
            "restore_to_point_in_time": [],
            "s3_import": [],
            "skip_final_snapshot": false,
            "snapshot_identifier": "",
            "status": "available",
            "storage_encrypted": true,
            "storage_throughput": 125,
            "storage_type": "gp3",
            "tags": {
              "Name": "my-demo-db",
              "Namespace": "my",
              "Stage": "demo"
            },
            "tags_all": {
              "Name": "my-demo-db",
              "Namespace": "my",
              "Stage": "demo"
            },
            "timeouts": {
              "create": "40m",
              "delete": "60m",
              "update": "80m"
            },
            "timezone": "",
            "username": "xxxxxxxxxxxxx",
            "vpc_security_group_ids": [
              "sg-xxxxxxxxxxxxx"
            ]
          },
          "sensitive_attributes": [],
          "private": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
          "dependencies": [
            "data.aws_availability_zones.available",
            "module.dynamic_subnets.aws_subnet.private",
            "module.dynamic_subnets.data.aws_availability_zones.default",
            "module.dynamic_subnets.data.aws_vpc.default",
            "module.kms_rds_key.aws_kms_key.default",
            "module.rds_postgres_db.aws_db_option_group.default",
            "module.rds_postgres_db.aws_db_parameter_group.default",
            "module.rds_postgres_db.aws_db_subnet_group.default",
            "module.rds_postgres_db.aws_security_group.default",
            "module.vpc.aws_vpc.default",
            "random_string.rds_password"
          ]
        }
      ]
    },

How to reproduce

module "rds_postgres_db" {
  source    = "git::https://github.com/cloudposse/terraform-aws-rds.git?ref=0.43.0"
  namespace = "my"
  stage     = "demo"
  name      = "db"

  # Instance config
  instance_class          = "db.t4g.small"
  storage_type            = "gp3"
  allocated_storage       = 20

  # Database Engine config
  engine                      = "postgres"
  engine_version              = "15.3"
  db_parameter_group          = "postgres15"
  allow_major_version_upgrade = true
  apply_immediately           = true

  # Network config
  vpc_id            = vpc-1234567
  subnet_ids        = [...]
  database_name     = "demo"
  database_user     = "demo"
  database_password = "random"
}

Possible Solution

Additional context