Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Perpetual diffs with aws_iam_role assume_role_policy and Statement.Condition #28835

Closed
YakDriver opened this issue Jan 11, 2023 · 3 comments · Fixed by #28836
Closed

[Bug]: Perpetual diffs with aws_iam_role assume_role_policy and Statement.Condition #28835

YakDriver opened this issue Jan 11, 2023 · 3 comments · Fixed by #28836
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Milestone
v4.50.0

Comments

@YakDriver
Copy link
Member

YakDriver commented Jan 11, 2023
edited
Loading

Originally submitted as #23288 (comment) by @cshen-confluent.

Terraform Core Version

1.2.3

AWS Provider Version

4.21.0

Affected Resource(s)

  • aws_iam_role

Expected Behavior

Creates and refreshes without changes

Actual Behavior

Role will be updated in-place.

Some information redacted.

I just added a blank line in code and this update plan will be generated among a lot other similar ones, and apply them won't make any actual change. Add another blank line will trigger the same plan.
We did some work to pinpoint the issue on Condition.IpAddress that if we don't put anything there it is fine.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_iam_role" "test" {
  name = "dance-hall-days"
  id.  = "dance-hall-days"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRoleWithSAML"
      Condition = {
        IpAddress = {
          "aws:SourceIp" = [
            "0.0.0.0/0",
          ]
        }
        StringEquals = {
          "SAML:aud" = "https://signin.aws.amazon.com/saml"
        }
      }
      Principal = {
        Federated = "arn:aws:iam::000000000000:saml-provider/provider"
      }
      Effect = "Allow"
      Sid    = ""
    }]
  })
}

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Debug Output

  # module.aws_iam_role.some_user_role will be updated in-place
~ resource "aws_iam_role" "some_user_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithSAML"
                      - Condition = {
                          - IpAddress    = {
                              - aws:SourceIp = [
                                  - "0.0.0.0/0",
                                ]
                            }
                          - StringEquals = {
                              - SAML:aud = "https://signin.aws.amazon.com/saml"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "arn:aws:iam::000000000000:saml-provider/provider"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "administrator"
        name                  = "administrator"
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Panic Output

No response

Important Factoids

No response

References

Would you like to implement a fix?

None
@YakDriver YakDriver added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jan 11, 2023
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/iam Issues and PRs that pertain to the iam service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 11, 2023
@YakDriver YakDriver mentioned this issue Jan 11, 2023
Merged
@github-actions github-actions bot added this to the v4.50.0 milestone Jan 12, 2023
@github-actions
Copy link

This functionality has been released in v4.50.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Projects
None yet
Milestone
v4.50.0
Development

Successfully merging a pull request may close this issue.

iam: Improve policy diff handling hashicorp/terraform-provider-aws
1 participant
@YakDriver