IAM Policy Document Always Changes With Single Conditions v3.28.0 #17623
Comments
I tested 3.29; the bug still exists.
@duganth-va Thanks for submitting this issue! However, I have not been able to replicate the problem. Can you provide a minimal configuration that causes the problem? I tried these versions and this config which yielded the results below:

```hcl
resource "aws_sns_topic" "test" {
  name = "yaktopic"
}

resource "aws_sns_topic_policy" "test" {
  arn    = aws_sns_topic.test.arn
  policy = data.aws_iam_policy_document.test.json
}

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "SNS:Subscribe",
    ]

    condition {
      test     = "StringEquals"
      variable = "sns:Protocol"
      values = [
        "https",
      ]
    }

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      aws_sns_topic.test.arn,
    ]
  }
}
```

```
% terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.test will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "test" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "SNS:Subscribe",
            ]
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "https",
                ]
              + variable = "sns:Protocol"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_sns_topic.test will be created
  + resource "aws_sns_topic" "test" {
      + arn    = (known after apply)
      + id     = (known after apply)
      + name   = "yaktopic"
      + policy = (known after apply)
    }

  # aws_sns_topic_policy.test will be created
  + resource "aws_sns_topic_policy" "test" {
      + arn    = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_sns_topic.test: Creating...
aws_sns_topic.test: Creation complete after 1s [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]
data.aws_iam_policy_document.test: Reading...
data.aws_iam_policy_document.test: Read complete after 0s [id=3683377072]
aws_sns_topic_policy.test: Creating...
aws_sns_topic_policy.test: Creation complete after 1s [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
% terraform apply
aws_sns_topic.test: Refreshing state... [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]
aws_sns_topic_policy.test: Refreshing state... [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
%
```
@YakDriver Sure, I'll work on a minimal config.
I've also tried with these versions:

And 3 applies this time! 👍 No diffs with the SNS config. I'm not sure how/why it would behave differently than yours. If you can find a simple way to reproduce, let me know.
@YakDriver I cannot reproduce this issue anymore; it looks like AWS changed their policy format to include the comma now, so there is no diff in the TF. While I don't know this to be the case, it started working on 3.28 as well, so I'm happy to close this issue. Thanks for looking into it!
@duganth-va We recently made changes to the IAM policy document, so we assumed it was a related regression. Glad to hear that it's working. Please let us know if you have any other issues. I notice from your tests that you work in GovCloud. I do much of my work there, so you can ping me directly with GovCloud issues. I may not always be able to take them on immediately, but I can at least add the GovCloud label so we can prioritize accordingly (especially IAM issues).
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Terraform CLI and Terraform AWS Provider Version
Terraform v0.13.6
AWS v3.28.0
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
After apply, I expect the policy document not to try to change on subsequent applies. It appears that the `condition` block requires an array of strings, and the policy document includes the brackets on this condition. After apply, AWS removes the brackets; however, the policy document adds them, resulting in parity, thus terraform always wants to change the policy.
Actual Behavior
Steps to Reproduce
1. terraform apply
2. terraform apply
Important Factoids
This was introduced in v3.28.0. v3.27.0 works as expected.
References
#12055
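The mechanism behind the perpetual diff described in this issue, shown as an added example (not code from the provider or from anyone in the thread): Terraform renders a single-value `condition` as a one-element JSON array, while the policy AWS hands back stores the same value as a scalar, so a byte-for-byte or structural comparison of the two documents never matches. Both policy strings below are constructed samples modelled on the SNS config in this thread; the `normalize` helper is a minimal stand-in for the far more thorough equivalence check a provider has to do before deciding a policy has drifted.

```python
import json

# Constructed sample: roughly what data.aws_iam_policy_document.test renders.
# Note the one-element arrays for Action, Resource, Principal and the condition.
TERRAFORM_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["SNS:Subscribe"],
    "Resource": ["arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic"],
    "Principal": {"AWS": ["*"]},
    "Condition": {"StringEquals": {"sns:Protocol": ["https"]}}
  }]
}"""

# Constructed sample: the same policy as AWS stores and returns it, with
# single-value arrays collapsed to plain strings.
AWS_POLICY = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
              '"Principal":{"AWS":"*"},"Action":"SNS:Subscribe",'
              '"Resource":"arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic",'
              '"Condition":{"StringEquals":{"sns:Protocol":"https"}}}]}')


def naive_equal(a: str, b: str) -> bool:
    """Structural comparison of the parsed JSON: this is what produces the
    'always changes' plan, because ["https"] != "https"."""
    return json.loads(a) == json.loads(b)


def normalize(node):
    """Recursively collapse one-element lists to scalars and sort lists of
    scalars, so that IAM's equivalent spellings compare equal."""
    if isinstance(node, dict):
        return {k: normalize(v) for k, v in node.items()}
    if isinstance(node, list):
        items = [normalize(v) for v in node]
        if len(items) == 1:
            return items[0]
        if all(isinstance(v, (str, int, float, bool)) for v in items):
            return sorted(items, key=str)
        return items
    return node


def policies_equivalent(a: str, b: str) -> bool:
    """Compare two policy documents after normalisation. Deliberately ignores
    other IAM equivalences (e.g. "Principal": "*" vs {"AWS": "*"})."""
    return normalize(json.loads(a)) == normalize(json.loads(b))
```

Running `naive_equal` on the two samples reports a difference every time, which is exactly the behaviour the issue describes; `policies_equivalent` reports no drift.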