terraform plan wants to modify api_gateway resource policy unnecessarily

[ghost]

This issue was originally opened by @ypz as hashicorp/terraform#26541. It was migrated here as a result of the provider split. The original body of the issue is below.

---

I created an apigateway with a resource policy using following code. Once created, subsequent 'terraform plan' still wants to modify the apigateway due to some policy changes:

data "aws_iam_policy_document" "resource_policy_doc" {
  statement {
    actions = [ "execute-api:Invoke" ]
    principals {
      identifiers = [ "*" ]
      type = "AWS"
    }
    resources = [ "execute-api:/*" ]
  }
}

resource "aws_api_gateway_rest_api" "apigateway" {
  name        = "my_api_gateway"

  policy  = data.aws_iam_policy_document.resource_policy_doc.json
}

Here is the output from "terraform plan" command:

  # aws_api_gateway_rest_api.apigateway will be updated in-place
  ~ resource "aws_api_gateway_rest_api" "apigateway" {
        api_key_source           = "HEADER"
        arn                      = "arn:aws:apigateway:us-west-2::/restapis/96seugwcwj"
        binary_media_types       = []
        created_date             = "2020-10-09T01:55:29Z"
        execution_arn            = "arn:aws:execute-api:us-west-2:SOME_ACCT_ID:96seugwcwj"
        id                       = "96seugwcwj"
        minimum_compression_size = -1
        name                     = "my_api_gateway"
      ~ policy                   = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                        Action    = "execute-api:Invoke"
                        Effect    = "Allow"
                        Principal = {
                            AWS = "*"
                        }
                      ~ Resource  = "arn:aws:execute-api:us-west-2:SOME_ACCT_ID:96seugwcwj/*" -> "execute-api:/*"
                        Sid       = ""
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        root_resource_id         = "7802l0rm35"
        tags                     = {}

        endpoint_configuration {
            types            = [
                "EDGE",
            ]
            vpc_endpoint_ids = []
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The root cause seems to be that the resource string "execute-api:/*" given in the configure file has been replaced with the actual apigateway's execute_arn in the applied policy to the apigateway in the states file. This replacement is seen as a configure change by "terraform plan" and therefore it wants to modify the apigatway unnecessarily.

Expected behavior: terraform plan should not suggest such unnecessary modification to apigateway

[ewbankkit]

@ypz Thanks for raising this issue.
It has already been noticed in #5549. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

[ypz]

HI, Kit: I have looked at both issues #5549 and #15602 which were closed years ago and don't seem to be related with the issue I was reporting at all and I am using Terraform 0.13.4. Would you mind review my original report again to make sure it is properly triaged and tracked accordingly? Thanks Yiping

…

On Tue, Oct 13, 2020 at 8:21 AM Kit Ewbank ***@***.***> wrote: Closed #15602 <#15602> . — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#15602 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZF547I3UFAYLFRYHR3QUDSKRV7VANCNFSM4SM556IA> .

[theherk]

This does seem to still be an issue. It is related to #5549, where it was claimed that using the new resource aws_api_gateway_rest_api_policy in lieu or the policy parameter on aws_api_gateway_rest_api would resolve the issue. It doesn't seem resolve it. I have removed policy from my aws_api_gateway_rest_api. and instead added aws_api_gateway_rest_api_policy, but I still get the same output:

Terraform will perform the following actions:

  # module.ccp.module.api_proxy.aws_api_gateway_rest_api_policy.this will be updated in-place
  ~ resource "aws_api_gateway_rest_api_policy" "this" {
        id          = "xxxxxxxxxx"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource  = "arn:aws:execute-api:eu-west-1:nnnnnnnnnnnn:xxxxxxxxxx/*/*/*" -> "execute-api:/*/*/*"
                        # (4 unchanged elements hidden)
                    },
                  ~ {
                      ~ Resource  = "arn:aws:execute-api:eu-west-1:nnnnnnnnnnnn:xxxxxxxxxx/*/*/*" -> "execute-api:/*/*/*"
                        # (5 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

➜  dev (master) ✗ terraform version
Terraform v0.14.4
+ provider registry.terraform.io/hashicorp/aws v3.29.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

[theherk]

It is slightly troubling perfectly reasonable that #5549 was closed with the issue absolutely not resolved. It continues to be an issue right up to present, and if you follow the breadcrumbs from that issue both @bflad and @sergei-ivanov seem to indicate this is resolved. One option would be to implement the triggers keyword here so that we could do something like:

resource "aws_api_gateway_rest_api_policy" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  policy      = data.aws_iam_policy_document.this.json

  triggers = {
    redeployment = sha1(data.aws_iam_policy_document.this.json)
  }

  lifecycle {
    ignore_changes = [policy]
  }
}

In this way, I think we'd avoid changes to the policy unless the source of that policy actually changed.

[sergei-ivanov]

The solution is to use a full ARN of the API gateway in the policy document. Previously it was not possible, because it would have created a dependency cycle. With a separate aws_api_gateway_rest_api_policy resource it's no longer a problem.
So in case of @theherk the aws_iam_policy_document should contain something like:

  resources = ["${aws_api_gateway_rest_api.this.arn}/*/*/*"]

instead of:

  resources = ["execute-api:/*/*/*"]

[theherk]

Outstanding. It wasn't clear to me at all from reading the other linked issue. Thank you for spelling it out for me in black and white. I have implemented this and verified it works precisely as you suggest.

[theherk]

For posterity, in case anybody shows up here down the line, this should be:

resources = ["${aws_api_gateway_rest_api.this.execution_arn}/*/*/*"]

if you want to control callers that can invoke the api. The regular arn yields the arn:aws:apigateway:... which is for controlling which callers can modify the api configuration, not call it which user the arn:aws:execute-api:... arn.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.