access_policies for aws show up as changed in plan #4843

Closed
dcosson opened this issue Jan 26, 2016 · 3 comments
Comments

@dcosson
Contributor

dcosson commented Jan 26, 2016

I created an aws_elasticsearch_domain with an access policy similar to the way it's specified in the docs. It has the following line:

 "IpAddress": {"aws:SourceIp": ["66.193.100.22/32"]}

Note how there's a list of one item. This is valid syntax for an aws policy, but it causes terraform to think there's a diff when you apply and then immediately run plan again. Presumably aws is returning it with the syntax without a list and terraform is just comparing the json objects. This one isn't necessarily a bug, just kind of a gotcha to know not to use lists of one item in policies in terraform.

There's also a second, similar problem: you don't have to specify the Resource key in the access policy because aws knows it's the resource being created, but aws then returns the access policy with the Resource key when you query for it. This one seems like more of a bug; it's not ideal to have to manually write out the arn policy for the instance you're creating, terraform should be able to do it for you.

So, to get this not to show up as a diff, I have to change the syntax to never use lists of one item and also specify my own Resource key (the value of which is "${self.arn}/*", although of course I have to hard-code it because I can't access self output variables like this).

I would expect this is an issue anywhere you can pass in a string/heredoc access_policy and not just in elasticsearch, but I haven't confirmed it anywhere else.
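The two normalisations described in this report (a singleton list collapsing to a scalar, and a missing Resource being filled in by the service) both make a byte-for-byte or plain JSON-object comparison report a change where none exists. The example below is added here and is not Terraform or provider code: it canonicalises both sides before comparing, so only a real change in the policy is reported. The two policy documents and the domain ARN are constructed sample data; the assumption that the service fills Resource with "<domain arn>/*" follows the report above.

```python
"""Compare IAM-style policy documents semantically rather than textually.

Added example (not Terraform code).  Collapses one-element lists to scalars,
makes list order irrelevant, and optionally fills in a missing Resource with
the ARN of the resource the policy is attached to, so that the policy a user
wrote and the policy the API hands back compare equal when they mean the same.
"""
import json

# Constructed sample: what the user put in the Terraform config (list of one CIDR,
# no Resource key), mirroring the report above.
WRITTEN = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "es:*",
      "Condition": {"IpAddress": {"aws:SourceIp": ["66.193.100.22/32"]}}
    }
  ]
}"""

# Hypothetical domain ARN; the service is assumed to fill Resource with "<arn>/*".
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/example"

# Constructed sample: the same policy as the API returns it (scalar CIDR, Resource filled in).
RETURNED = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/example/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "66.193.100.22/32"}}
    }
  ]
}"""


def _canon(value):
    """Recursively canonicalise: unwrap one-element lists, sort longer lists
    by their serialised form so element order does not matter."""
    if isinstance(value, dict):
        return {k: _canon(v) for k, v in value.items()}
    if isinstance(value, list):
        items = [_canon(v) for v in value]
        if len(items) == 1:
            return items[0]
        return sorted(items, key=lambda x: json.dumps(x, sort_keys=True))
    return value


def _as_list(value):
    return value if isinstance(value, list) else [value]


def canonical_policy(doc, default_resource=None):
    """Parse a policy (JSON text or dict) and return its canonical form.
    If default_resource is given, statements lacking Resource/NotResource
    get Resource set to it, emulating what the service does on read-back."""
    policy = json.loads(doc) if isinstance(doc, str) else dict(doc)
    statements = []
    for stmt in _as_list(policy.get("Statement", [])):
        stmt = dict(stmt)
        if default_resource is not None and "Resource" not in stmt and "NotResource" not in stmt:
            stmt["Resource"] = default_resource
        statements.append(stmt)
    policy = dict(policy)
    policy["Statement"] = statements
    return _canon(policy)


def naive_equal(a, b):
    """The comparison that produces the spurious diff: raw JSON objects."""
    return json.loads(a) == json.loads(b)


def policies_equivalent(a, b, default_resource=None):
    """True when the two policies mean the same thing after canonicalisation."""
    return canonical_policy(a, default_resource) == canonical_policy(b, default_resource)


if __name__ == "__main__":
    print("naive comparison says changed:", not naive_equal(WRITTEN, RETURNED))
    print("semantic comparison says changed:",
          not policies_equivalent(WRITTEN, RETURNED, default_resource=DOMAIN_ARN + "/*"))
```

Used as a diff-suppression step, the check runs on the planned and the remote document before they are compared, so the config can keep the one-element list form and omit Resource. Note that canonicalisation is only for comparison; the document actually sent to the API should stay as the user wrote it, and a genuinely different CIDR, action or principal still shows up as a change.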

@tj

tj commented Jan 27, 2016

👍 Especially since ES takes forever to reconfigure, this is pretty annoying.

@radeksimko
Member

Thanks for the report, I'll close this as a duplicate of #3634

Reopen if you think otherwise.

Generally speaking I'm hoping to hammer all of these IAM policy issues which are popping up all over the place via aws/aws-sdk-go#127

Until then, it's quite difficult to solve this issue elegantly. 😢

@ghost

ghost commented Apr 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 28, 2020