aws_iam_policy_document orders actions anti-alphabetically #6107

Open
hubertgrzeskowiak opened this issue Oct 10, 2018 · 6 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.

Comments

@hubertgrzeskowiak

When describing an IAM policy document in HCL using the data statement, the entries are sorted from Z to A. If you happen to normally sort things alphabetically, this will cause confusion and diffs in plans.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

  • provider.aws v1.39.0

Affected Resource(s)

  • aws_iam_policy_document

Terraform Configuration Files

data "aws_iam_policy_document" "policy_doc" {
  statement {
    actions = [
      "autoscaling:Describe*",
      "cloudwatch:Describe*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      ...
      "sqs:GetQueueAttributes",
      "sqs:ListQueues",
      "sqs:ReceiveMessage",
      "tag:GetResources"
    ]
    effect = "Allow"
    resources = ["*"]
  }
}

output "user_policy_json" {
  value = "${data.aws_iam_policy_document.policy_doc.json}"
}

Expected Behavior

Actions sorted alphabetically.

user_policy_json = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
       ...
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}

Actual Behavior

Actions sorted reverse alphabetically.

user_policy_json = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "sqs:ReceiveMessage",
        "sqs:ListQueues",
        "sqs:GetQueueAttributes",
       ...
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "cloudwatch:Describe*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Steps to Reproduce

  1. terraform refresh
@nywilken nywilken added enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service. labels Feb 5, 2019
@2rs2ts
Contributor

2rs2ts commented Jan 7, 2020

Possibly related, we're seeing our list of actions that isn't sorted in any particular manner in our configuration being sorted, but alphabetically (the opposite ordering of your example)

@nitrocode
Contributor

Similar to this issue hashicorp/terraform#22931

I'm seeing this issue too with aws_iam_policy_document with aws_kms_key. The data source iam policy seems to preserve the reverse order but the kms key resource seems to impose a random order within the policy.

@handlerbot
Contributor

My read is close this in favor of #11801?

@elkh510

elkh510 commented Nov 16, 2021

hi
any updates here?

@YakDriver
Member

@handlerbot I do not think this should be closed in favor of #11801 since that has the broader idea of order versus specifically the anti-alphabetical here.

ALL: I would love to hear thoughts on whether switching the order would be a breaking change in any situations?

@jorhett

jorhett commented Dec 8, 2023

Of note, the data source retains the original order -- it's being reversed in the json output only.
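
An added example, not part of the thread or the provider's code: one way to tell an ordering-only difference like the one reported above from a real permission change when reviewing rendered policy JSON. The function names and the sample policies are assumptions constructed for illustration.

```python
import json

SET_KEYS = ("Action", "NotAction", "Resource", "NotResource")

def _as_set(value, lower=False):
    # A bare string and a one-element list are equivalent in policy JSON.
    items = [value] if isinstance(value, str) else value
    return frozenset(i.lower() if lower else i for i in items)

def normalize_statement(stmt):
    out = {}
    for key, value in stmt.items():
        if key in SET_KEYS:
            # Action names are case-insensitive; resource ARNs are not.
            out[key] = _as_set(value, lower=key.endswith("Action"))
        elif key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            out[key] = frozenset((k, _as_set(v)) for k, v in value.items())
        elif key == "Condition":
            # Kept conservative: key order is ignored, value order is not.
            out[key] = json.dumps(value, sort_keys=True)
        else:
            out[key] = value
    return frozenset(out.items())

def normalize_policy(doc):
    policy = json.loads(doc) if isinstance(doc, str) else doc
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given without a list
        stmts = [stmts]
    return policy.get("Version"), frozenset(normalize_statement(s) for s in stmts)

def same_permissions(a, b):
    """True when two renderings differ only in ordering or list-vs-string form."""
    return normalize_policy(a) == normalize_policy(b)

# Constructed sample input, shortened from the action list in the issue.
ACTIONS = ["autoscaling:Describe*", "cloudwatch:Describe*", "sqs:ListQueues", "tag:GetResources"]

def render(actions, resource="*"):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "", "Effect": "Allow", "Action": actions, "Resource": resource}]})

EXPECTED = render(ACTIONS)                       # A to Z, as written in the configuration
ACTUAL = render(list(reversed(ACTIONS)))         # Z to A, as in the reported output
WIDENED = render(ACTIONS + ["sqs:DeleteQueue"])  # constructed: one extra action

if __name__ == "__main__":
    print(same_permissions(EXPECTED, ACTUAL))    # ordering-only difference
    print(same_permissions(EXPECTED, WIDENED))   # a real permission change
```

A plain string comparison of `EXPECTED` and `ACTUAL` reports a difference, which is the plan noise described in the issue; the normalized comparison flags only the widened policy.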
