
IAM Policy Document Always Changes With Single Conditions v3.28.0 #17623

Closed
duganth-va opened this issue Feb 15, 2021 · 7 comments
Labels: partition/aws-us-gov Pertains to the aws-us-gov partition. service/iam Issues and PRs that pertain to the iam service.

Comments

@duganth-va

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.6
AWS v3.28.0

Affected Resource(s)

  • data "aws_iam_policy_document"

Terraform Configuration Files

provider "aws" {
  region = "us-gov-west-1"
}

variable "vpc_id" {}
variable "subnet_ids" {}

resource "aws_security_group" "ecs_efs_sg" {
  name        = "ecs-efs-sg"
  description = "Allow ecs efs outbound traffic"
  vpc_id      = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

module "efs" {
  source          = "github.com/cloudposse/terraform-aws-efs.git?ref=0.22.0"
  name            = "efs"
  region          = "us-gov-west-1"
  vpc_id          = var.vpc_id
  subnets         = var.subnet_ids
  security_groups = [aws_security_group.ecs_efs_sg.id]
  encrypted       = true
}

resource "aws_efs_access_point" "efs" {
  file_system_id = module.efs.id
  root_directory {
    path = "/etc"
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = 755
    }
  }
}

# Assume Role Policy
data "aws_iam_policy_document" "ecs_efs_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_efs_task_role" {
  name               = "ecs-efs-task-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_efs_assume_role_policy.json
}

data "aws_iam_policy_document" "efs_policy" {
  statement {
    effect = "Allow"

    actions = [
      "elasticfilesystem:ClientMount"
    ]

    resources = [module.efs.arn]
    principals {
      type = "AWS"
      identifiers = [
        aws_iam_role.ecs_efs_task_role.arn
      ]
    }
    condition {
      test     = "StringEquals"
      variable = "elasticfilesystem:AccessPointArn"
      values = [
        aws_efs_access_point.efs.arn,
      ]
    }
  }
}

resource "aws_efs_file_system_policy" "efs_policy" {
  file_system_id = module.efs.id
  policy         = data.aws_iam_policy_document.efs_policy.json
}

Expected Behavior

After apply I expect the policy document not to try to change on subsequent applies. It appears that the condition block requires an array of strings and the policy document includes the brackets on this condition. After apply AWS removes the brackets; however, the policy document adds them, resulting in parity, thus Terraform always wants to change the policy.

Actual Behavior

      ~ policy         = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                        Action    = "elasticfilesystem:ClientMount"
                      ~ Condition = {
                          ~ StringEquals = {
                              ~ elasticfilesystem:AccessPointArn = "arn:aws-us-gov:elasticfilesystem:us-gov-west-1:<redacted>:access-point/fsap-0c4edfeacf107a78a" -> [
                                  + "arn:aws-us-gov:elasticfilesystem:us-gov-west-1:<redacted>:access-point/fsap-0c4edfeacf107a78a",

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Important Factoids

This was introduced in v3.28.0. v3.27.0 works as expected.

References

#12055
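The plan diff above shows a bare string on one side and a one-element list on the other, which IAM reads as the same condition value. As an added example that is not part of this issue or of the provider's code, the following Python normalizer canonicalizes every scalar-or-list position in a policy document so that the two renderings compare equal; the account id and file-system id are placeholders for the redacted values.

```python
import json

# Constructed sample: the issue's EFS policy in both shapes the plan shows.
ACCOUNT = "123456789012"  # placeholder for the redacted account id
AP_ARN = "arn:aws-us-gov:elasticfilesystem:us-gov-west-1:%s:access-point/fsap-0c4edfeacf107a78a" % ACCOUNT
FS_ARN = "arn:aws-us-gov:elasticfilesystem:us-gov-west-1:%s:file-system/fs-PLACEHOLDER" % ACCOUNT
ROLE_ARN = "arn:aws-us-gov:iam::%s:role/ecs-efs-task-role" % ACCOUNT

def make_policy(access_point_value):
    """Render the policy; the caller picks the shape of the condition value."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "elasticfilesystem:ClientMount",
        "Resource": FS_ARN,
        "Principal": {"AWS": ROLE_ARN},
        "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": access_point_value}},
    }]})

TF_JSON = make_policy([AP_ARN])  # what the data source emits: one-element list
AWS_JSON = make_policy(AP_ARN)   # what AWS hands back: the brackets are gone

SCALAR_OR_LIST = ("Action", "NotAction", "Resource", "NotResource")

def _as_list(value):
    # IAM reads "x" and ["x"] identically, and list order carries no meaning.
    return sorted(value) if isinstance(value, list) else [value]

def normalize_statement(stmt):
    """Canonicalize every scalar-or-list position in one statement."""
    out = {}
    for key, val in stmt.items():
        if key in SCALAR_OR_LIST:
            out[key] = _as_list(val)
        elif key in ("Principal", "NotPrincipal") and isinstance(val, dict):
            out[key] = {k: _as_list(v) for k, v in val.items()}
        elif key == "Condition":
            out[key] = {op: {k: _as_list(v) for k, v in kv.items()} for op, kv in val.items()}
        else:
            out[key] = val  # Sid, Effect and a bare Principal "*" keep their shape
    return out

def normalize_policy(doc):
    # Accepts JSON text or an already-parsed dict; Statement may be a single object.
    doc = json.loads(doc) if isinstance(doc, str) else doc
    stmts = doc.get("Statement", [])
    out = dict(doc)
    out["Statement"] = [normalize_statement(s) for s in (stmts if isinstance(stmts, list) else [stmts])]
    return out

def policies_equivalent(a, b):
    return normalize_policy(a) == normalize_policy(b)
```

A naive `json.loads` comparison of the two documents reports a difference, while `policies_equivalent` reports none; a genuinely different access point ARN is still detected.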

@ghost ghost added service/ec2 Issues and PRs that pertain to the ec2 service. service/efs Issues and PRs that pertain to the efs service. service/iam Issues and PRs that pertain to the iam service. labels Feb 15, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 15, 2021
@bflad bflad added bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. service/efs Issues and PRs that pertain to the efs service. labels Feb 19, 2021
@duganth-va
Author

I tested 3.29; the bug still exists.

@YakDriver YakDriver self-assigned this Feb 22, 2021
@YakDriver YakDriver added the partition/aws-us-gov Pertains to the aws-us-gov partition. label Feb 22, 2021
@YakDriver
Member

YakDriver commented Feb 22, 2021

@duganth-va Thanks for submitting this issue! However, I have not been able to replicate the problem. Can you provide a minimal configuration that causes the problem?

I tried these versions and this config which yielded the results below:

Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/aws v3.29.0

resource "aws_sns_topic" "test" {
  name = "yaktopic"
}

resource "aws_sns_topic_policy" "test" {
  arn    = aws_sns_topic.test.arn
  policy = data.aws_iam_policy_document.test.json
}

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "SNS:Subscribe",
    ]

    condition {
      test     = "StringEquals"
      variable = "sns:Protocol"

      values = [
        "https",
      ]
    }

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      aws_sns_topic.test.arn,
    ]
  }
}

% terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.test will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "test"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "SNS:Subscribe",
            ]
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "https",
                ]
              + variable = "sns:Protocol"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_sns_topic.test will be created
  + resource "aws_sns_topic" "test" {
      + arn    = (known after apply)
      + id     = (known after apply)
      + name   = "yaktopic"
      + policy = (known after apply)
    }

  # aws_sns_topic_policy.test will be created
  + resource "aws_sns_topic_policy" "test" {
      + arn    = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_sns_topic.test: Creating...
aws_sns_topic.test: Creation complete after 1s [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]
data.aws_iam_policy_document.test: Reading...
data.aws_iam_policy_document.test: Read complete after 0s [id=3683377072]
aws_sns_topic_policy.test: Creating...
aws_sns_topic_policy.test: Creation complete after 1s [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
% terraform apply
aws_sns_topic.test: Refreshing state... [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]
aws_sns_topic_policy.test: Refreshing state... [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
%

@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Feb 22, 2021
@duganth-va
Author

duganth-va commented Feb 22, 2021

@YakDriver Sure, I'll work on a minimal config. In the meantime it might help if you apply twice; that's when the problem occurs!
Edit: I missed that you applied twice, hmm, ok let me check if 3.29 did fix it 😓

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Feb 22, 2021
@YakDriver
Member

I've also tried with these versions:

Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/aws v3.29.0

And 3 applies this time! 👍

No diffs with the SNS config. I'm not sure how/why it would behave differently than yours. If you can find a simple way to reproduce, let me know.

@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Feb 22, 2021
@duganth-va
Author

@YakDriver I cannot reproduce this issue anymore; it looks like AWS changed their policy format to include the comma now, so there is no diff in the TF. While I don't know this to be the case, it started working on 3.28 as well, so I'm happy to close this issue. Thanks for looking into it!

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Feb 22, 2021
@YakDriver
Member

@duganth-va We recently made changes to the IAM policy document, so we assumed it was a related regression. Glad to hear that it's working. Please let us know if you have any other issues. I notice from your tests that you work in GovCloud. I do much of my work there, so you can ping me directly with GovCloud issues. I may not always be able to take them on immediately, but I can at least add the GovCloud label so we can prioritize accordingly (especially IAM issues).

@YakDriver YakDriver removed bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. labels Feb 23, 2021
@YakDriver YakDriver added this to the v3.29.1 milestone Feb 23, 2021
@ghost

ghost commented Mar 25, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 25, 2021