Terraform-provider-aws: SNS/SQS policy is being rebuilt every time

Created on 13 Jun 2017  ·  4Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @FransUrbo as hashicorp/terraform#13972. It was migrated here as part of the provider split. The original body of the issue is below._


I'm having my aws_sns_topic_policy and aws_sqs_queue_policy rebuilt every time TF runs.

Terraform Version

0.9.1

Affected Resource(s)

  • aws_sns_topic_policy
  • aws_sqs_queue_policy

Terraform Configuration Files

resource "aws_sns_topic_policy" "instances-access" {
  arn    = "${aws_sns_topic.instances-access.arn}"

  policy = <<SNS_INSTANCES_ACCESS_POLICY
{
  "Version": "2012-10-17",
  "Statement":[
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Principal": {
        "AWS": [
          "111222333444",
          "555666777888"
        ]
      },
      "Resource": "${aws_sns_topic.instances-access.arn}"
    }
  ]
}
SNS_INSTANCES_ACCESS_POLICY
}

Expected Behavior

Not being rebuilt, there's no change.

Actual Behavior

Rebuilt every time.

Steps to Reproduce

  1. terraform apply

Solution

This might be a documentation issue only, but the correct format for the Principal is:

      "Principal": {
        "AWS": [
          "arn:aws:iam::111222333444:root",
          "arn:aws:iam::555666777888:root"
        ]
      },

The correct fix would of course be to have TF recognise this and not rebuild the resource if it's ACCOUNT_ID and not arn:aws:iam::ACCOUNT_ID:root.

Labels: bug, service/sns, service/sqs

All 4 comments

The following resource is also being rebuilt each time.

resource "aws_sqs_queue_policy" "policy" {
  queue_url = "${var.sqs_queue_id}"
  policy = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "${var.sqs_queue_arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${var.sns_topic_arn}"
        }
      }
    }
  ]
}
POLICY
}

Update:
Version is required, as is Principal: *

resource "aws_sqs_queue_policy" "policy" {
  queue_url = "${var.sqs_queue_id}"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Principal": "*",
      "Resource": "${var.sqs_queue_arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${var.sns_topic_arn}"
        }
      }
    }
  ]
}
POLICY
}
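The perpetual diff in both the original SNS report and the SQS comment above comes from comparing the policy text in the configuration against the policy AWS hands back, which can differ in form while meaning the same thing. The following is an added example, not code from this issue, from the provider, or from the jen20/awspolicyequivalence library it mentions: a small Go canonicaliser that rewrites the forms this thread shows as diverging (a bare 12-digit account ID versus the arn:aws:iam::ID:root ARN, a bare "*" principal versus {"AWS": "*"}, and scalar versus single-element arrays for Action, Resource and principal lists) and then compares the results structurally. The policy documents at the top are constructed from the two policies posted in this thread, with the same placeholder account IDs. It deliberately does not invent a missing Version or Principal, so the SQS commenter's first policy still compares as different from the corrected one, which matches their observation that both fields are needed to make the diff go away.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"regexp"
	"sort"
)

// Constructed from the policies posted in this thread (placeholder account IDs).
const OriginalPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sns:Publish"],
 "Principal":{"AWS":["111222333444","555666777888"]},"Resource":"arn:aws:sns:eu-west-1:111222333444:instances-access"}]}`
const RootARNPolicy = `{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"sns:Publish",
 "Principal":{"AWS":["arn:aws:iam::555666777888:root","arn:aws:iam::111222333444:root"]},"Resource":"arn:aws:sns:eu-west-1:111222333444:instances-access"}}`
const StarPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sqs:SendMessage","Principal":"*","Resource":"q"}]}`
const StarMapPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sqs:SendMessage"],"Principal":{"AWS":"*"},"Resource":["q"]}]}`
const NoVersionPolicy = `{"Statement":[{"Effect":"Allow","Action":"sqs:SendMessage","Principal":"*","Resource":"q"}]}`

// accountID matches a bare 12-digit AWS account ID used as a principal.
var accountID = regexp.MustCompile(`^\d{12}$`)

// normalizeAWSPrincipal maps a bare account ID to its account-root ARN (aws partition assumed).
func normalizeAWSPrincipal(s string) string {
	if accountID.MatchString(s) {
		return "arn:aws:iam::" + s + ":root"
	}
	return s
}

// toList wraps a scalar in a one-element list and copies an existing list.
func toList(v interface{}) []interface{} {
	if l, ok := v.([]interface{}); ok {
		return append([]interface{}{}, l...)
	}
	return []interface{}{v}
}

// sortList orders list elements by their printed form so order never matters.
func sortList(l []interface{}) []interface{} {
	sort.Slice(l, func(i, j int) bool { return fmt.Sprint(l[i]) < fmt.Sprint(l[j]) })
	return l
}

// canonPrincipal rewrites "*" as {"AWS":["*"]}, expands account IDs to root ARNs,
// and turns every principal type's value into a sorted list.
func canonPrincipal(p interface{}) interface{} {
	switch v := p.(type) {
	case string:
		return map[string]interface{}{"AWS": []interface{}{normalizeAWSPrincipal(v)}}
	case map[string]interface{}:
		out := map[string]interface{}{}
		for typ, val := range v {
			list := toList(val)
			if typ == "AWS" {
				for i, e := range list {
					if s, ok := e.(string); ok {
						list[i] = normalizeAWSPrincipal(s)
					}
				}
			}
			out[typ] = sortList(list)
		}
		return out
	}
	return p
}

// canonStatement normalizes one statement; Condition, Sid and Effect are kept verbatim.
func canonStatement(st map[string]interface{}) map[string]interface{} {
	out := map[string]interface{}{}
	for k, v := range st {
		switch k {
		case "Action", "NotAction", "Resource", "NotResource":
			out[k] = sortList(toList(v))
		case "Principal", "NotPrincipal":
			out[k] = canonPrincipal(v)
		default:
			out[k] = v
		}
	}
	return out
}

// Canonicalize parses a policy document into its normalized form. A missing
// Version or Principal is left missing on purpose rather than defaulted.
func Canonicalize(doc string) (map[string]interface{}, error) {
	var pol map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &pol); err != nil {
		return nil, err
	}
	stmts := toList(pol["Statement"])
	for i, s := range stmts {
		if m, ok := s.(map[string]interface{}); ok {
			stmts[i] = canonStatement(m)
		}
	}
	pol["Statement"] = stmts
	return pol, nil
}

// Equivalent reports whether two policy documents canonicalize to the same structure.
func Equivalent(a, b string) (bool, error) {
	ca, err := Canonicalize(a)
	if err != nil {
		return false, err
	}
	cb, err := Canonicalize(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(ca, cb), nil
}

func main() {
	ok, err := Equivalent(OriginalPolicy, RootARNPolicy)
	fmt.Println(ok, err) // true <nil>
}
```

The point of the partition handling is worth noting: this example hard-codes the aws partition when expanding an account ID, whereas the provider's fix is described as matching arn:PARTITION:iam::ID:root generally; in GovCloud or China regions the returned ARN uses a different partition, so a real checker has to compare on account ID rather than on the full ARN string.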

Hi folks! 👋 This issue was marked to close in #3832 due to a dependency update to an upstream library we use to compare the equivalence of two IAM policies: https://github.com/jen20/awspolicyequivalence/. The updated library should now treat account ID 123456789012 principals as equivalent to IAM account root ARNs arn:PARTITION:iam::123456789012:root. You can see some examples of what will now match in the upstream library unit testing:

https://github.com/jen20/awspolicyequivalence/blob/9fbcaca9f9f868b9560463d0790aae33b2322945/aws_policy_equivalence_test.go#L1076-L1200

This update will be released in v1.12.0 of the AWS provider, which we expect to release later this week.

I apologize this may not cover all IAM policy equivalence issues, but please do consider opening new Github issues in the https://github.com/terraform-providers/terraform-provider-aws/ or https://github.com/jen20/awspolicyequivalence/ for other specific examples that show as inequivalent.

This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
