AssumeRolePolicy seems to be incorrectly normalized, resulting in re-planning for "whitespace changes"

[orf]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• aws_iam_policy_document

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

I have the following resources:

data "aws_iam_policy_document" "instance-assume-role-policy" {
  statement {
    sid = "aws"

    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = ["something"]
    }

    condition {
      test     = "StringLike"
      variable = "sts:RoleSessionName"
      values   = ["????????-????-????-????-????????????"]
    }
  }

  statement {
    sid = "eks"

    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["secret"]
    }
    condition {
      test     = "StringLike"
      variable = "oidc.eks.eu-west-1.amazonaws.com/id/x:sub"
      values   = ["system:serviceaccount:x:foo"]
    }

    condition {
      test     = "StringLike"
      variable = "sts:RoleSessionName"
      values   = ["????????-????-????-????-????????????"]
    }
  }
}

resource "aws_iam_role" "dask_role" {
  name = "dask-${local.service_account_name}"
  assume_role_policy = data.aws_iam_policy_document.instance-assume-role-policy.json
}

Debug Output

Running with TF_LOG=trace shows that the ordering of the conditions returned from IAM are different:

Retrieved from IAM:

{"Version": "2012-10-17",
 "Statement": [{"Sid": "aws",
   "Effect": "Allow",
   "Principal": {"Service": "ecs-tasks.amazonaws.com",
    "AWS": "x"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringLike": {"sts:RoleSessionName": "????????-????-????-????-????????????"}}},
  {"Sid": "eks",
   "Effect": "Allow",
   "Principal": {"Federated": "x"},
   "Action": "sts:AssumeRoleWithWebIdentity",
   "Condition": {"StringLike": {"sts:RoleSessionName": "????????-????-????-????-????????????", 
      "oidc.eks.eu-west-1.amazonaws.com/id/x:sub": "system:serviceaccount:prefect:x"}}]}

But stored in the statefile:

{"Version": "2012-10-17",
 "Statement": [{"Sid": "aws",
   "Effect": "Allow",
   "Principal": {"Service": "ecs-tasks.amazonaws.com",
    "AWS": "x"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringLike": {"sts:RoleSessionName": "????????-????-????-????-????????????"}}},
  {"Sid": "eks",
   "Effect": "Allow",
   "Principal": {"Federated": "x"},
   "Action": "sts:AssumeRoleWithWebIdentity",
   "Condition": {"StringLike": {"oidc.eks.eu-west-1.amazonaws.com/id/x:sub": "system:serviceaccount:prefect:x",
     "sts:RoleSessionName": "????????-????-????-????-????????????"}}}]}

As you can see, the second statements conditionals have flipped in order. This causes constant re-plans.

Expected Behavior

Re-plans should not happen.

Actual Behavior

Re-plans happen

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[orf]

To work around this I changed the second part of the policy to look like this:

    condition {
      test     = "StringEquals"
      variable = "oidc.eks.eu-west-1.amazonaws.com/id/x:sub"
      values   = ["system:serviceaccount:x:foo"]
    }

However it would still try to re-plan, now because the order of the principals in the first statement has differed from what is returned by IAM.

[danopia]

I think I'm seeing a similar symptom with EKS pod identity; is this the false change output that you see?

                     ~ Condition = {
                          ~ StringEquals = {
                              ~ container.googleapis.com/v1/projects/xx/locations/xx/clusters/playground:aud = "sts.amazonaws.com" -> [
                                  + "sts.amazonaws.com",
                                ]
                            }
                          ~ StringLike   = {
                              ~ container.googleapis.com/v1/projects/xx/locations/xx/clusters/playground:sub = "system:serviceaccount:yy:zz*" -> [
                                  + "system:serviceaccount:yy:zz*",
                                ]
                            }
                        }

[apichaya-s]

For me, the issue occurred whenever I have 2 conditions no matter which condition come first. It will not detect any change if I have only one condition.

I tried with these solutions and cannot solve the issue

• aws_iam_policy_document data
• templatefile()
• multi-line string
• one-line string

resource "aws_iam_role" "role" {
      ~ assume_role_policy    = jsonencode( # whitespace changes
            {
                Statement = [
                    {
                        Action    = "sts:AssumeRoleWithWebIdentity"
                        Condition = {
                            StringEquals = {
                                oidc.eks.ap-southeast-1.amazonaws.com/id/x:aud = "sts.amazonaws.com"
                                oidc.eks.ap-southeast-1.amazonaws.com/id/x:sub = "y"
                            }
                        }
                   ...
                  }
             ]
         }
    }

[Lethgir]

It seems this issue should have been fixed regarding #11801 with 3.70.0 provider version. However, I still encounter the issue on my end, the order of the statements is still reordered.

Maybe @YakDriver can give us more insights?

[jack-parsons-bjss]

We have exactly this problem with 3.70.0 as well, except it looks like the state file is storing two spaces and the API is returning four spaces when it comes to the indentation of the policies. We have 392 of these whitespace changes on every plan, which makes the plans themselves not very helpful.

[ddollar]

This is definitely still happening. I get a whitespace-only change in my state on every apply.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.43.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.