AWS SQS policy normalization

[chancefeick]

Apply existing normalizeJson as StateFunc to SQS policy to prevent AWS from detecting policy changes when stripping whitespace characters. Labeled as bug in #4273. Different resource, but appears to be a similar issue in #4245 as well.

[aflury]

Could we get this applied? It looks like a low-risk change...literally one line.

I'm not sure why it was marked as an enhancement. This is a bug fix. Rewriting policies based on whitespace differences in AWS JSON policies is a bug.

[rsutton1]

I'd like this to be applied as well. This would fix the bug I'm seeing right now.

[stack72]

Hi @chancefeick,

I have just ran a test on this and it doesn't seem to fix the issue:

4273 % terraform apply
aws_sqs_queue.test: Creating...
  arn:                        "" => "<computed>"
  delay_seconds:              "" => "<computed>"
  max_message_size:           "" => "<computed>"
  message_retention_seconds:  "" => "<computed>"
  name:                       "" => "test1"
  policy:                     "" => "{\"Id\":\"test\",\"Statement\":[{\"Action\":\"SQS:SendMessage\",\"Condition\":{\"DateGreaterThan\":{\"aws:CurrentTime\":\"2009-01-31T12:00Z\"},\"DateLessThan\":{\"aws:CurrentTime\":\"2009-01-31T15:00Z\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"arn:aws:sqs:us-west-2:881237884953:test1\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}"
  receive_wait_time_seconds:  "" => "<computed>"
  visibility_timeout_seconds: "" => "<computed>"
aws_sqs_queue.test: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

% terraform plan
Refreshing Terraform state prior to plan...

aws_sqs_queue.test: Refreshing state... (ID: https://sqs.us-west-2.amazonaws.com/881237884953/test1)

~ aws_sqs_queue.test
    policy: "{\"Version\":\"2012-10-17\",\"Id\":\"test\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"SQS:SendMessage\",\"Resource\":\"arn:aws:sqs:us-west-2:881237884953:test1\",\"Condition\":{\"DateLessThan\":{\"aws:CurrentTime\":\"2009-01-31T15:00Z\"},\"DateGreaterThan\":{\"aws:CurrentTime\":\"2009-01-31T12:00Z\"}}}]}" => "{\"Id\":\"test\",\"Statement\":[{\"Action\":\"SQS:SendMessage\",\"Condition\":{\"DateGreaterThan\":{\"aws:CurrentTime\":\"2009-01-31T12:00Z\"},\"DateLessThan\":{\"aws:CurrentTime\":\"2009-01-31T15:00Z\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"arn:aws:sqs:us-west-2:881237884953:test1\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}"


Plan: 0 to add, 1 to change, 0 to destroy.

The code I used to test was as follows:

provider "aws" {}

resource "aws_sqs_queue" "test" {
  name = "test1"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Id": "test",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "SQS:SendMessage",
            "Resource": "arn:aws:sqs:us-west-2:881237884953:test1",
            "Condition" : {
             "DateGreaterThan" : {
                "aws:CurrentTime":"2009-01-31T12:00Z"
             },
             "DateLessThan" : {
                "aws:CurrentTime":"2009-01-31T15:00Z"
             }
          }
        }
    ]
}
EOF
}

Did you manage to test this change?

[jgross206]

This seems to have been handled in #5888, this PR can probably be closed

[stack72]

This has been merged in #5888 so this can now be closed

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.