aws_ssm_parameter
resource "aws_ssm_parameter" "some_key" {
  name      = "/some/path"
  type      = "SecureString"
  value     = "${var.some_key}"
  overwrite = true
}
resource "aws_iam_role_policy" "some_policy" {
  ...
    {
      "Effect": "Allow",
      "Resource": [
        "${aws_ssm_parameter.some_key.arn}"
      ],
      "Action": [
        "ssm:GetParameter*"
      ]
    }
  ...
The ARN exported for this type of resource has a double slash (//) after the word parameter. I've tried creating a parameter without the leading slash but Terraform throws an AWS API error:
aws_ssm_parameter.some_key: [ERROR] Error creating SSM parameter: ValidationException: Parameter name must be a fully qualified name.
The double slash is a problem because when I include the ARN in a policy for an IAM role, I get an "unauthorized" response from AWS. Permissions work once one of the slashes is manually removed.
Perhaps this is caused by the trailing slash after parameter in https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_ssm_parameter.go#L94
The obvious workaround is to manually construct the ARN or use the replace function.
Hi @jurajseffer, thanks for this bug report! It certainly looks like this is an issue since the ID will include the leading /. I was able to verify in the acceptance testing by making the ARN attribute test more robust with a regex instead of just testing existence:
testing.go:503: Step 0 error: Check failed: Check 2/4 error: aws_ssm_parameter.foo: Attribute 'arn' didn't match "^arn:aws:ssm:[a-z0-9-]+:[0-9]{12}:parameter/path/TestAccAWSSSMParameter_fullPath_dud3bzqera$", got "arn:aws:ssm:us-west-2:193075746082:parameter//path/TestAccAWSSSMParameter_fullPath_dud3bzqera"
I have submitted #2604 with the bugfix and enhanced testing. 😄
This should be fixed in 6cd9169 (rebased #2604) - thanks for the report!
This is also broken for the aws_ssm_parameter data source: https://github.com/terraform-providers/terraform-provider-aws/blob/127a630a0d8ee1069556ed58f74ce650453a17c4/aws/data_source_aws_ssm_parameter.go#L75
Please reopen this issue as it still exists in the aws_ssm_parameter data source as @jerthom described.
The data source fix has been released in terraform-provider-aws version 1.9.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
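A check for the malformed ARN discussed in this thread, as an added example that is not part of the original issue or the provider's code: it builds the ARN from a parameter name with a single slash after "parameter" and flags "parameter//" entries in an IAM policy document. The function names, account ID and sample policy are constructed for illustration.

```python
import json
import re

# Matches an SSM parameter ARN whose resource part starts with "parameter//",
# the malformed form reported in this thread.
DOUBLE_SLASH = re.compile(r"^(arn:[^:]+:ssm:[^:]*:[^:]*:parameter)/{2,}")


def parameter_arn(partition, region, account_id, name):
    """Build the ARN for a parameter name with exactly one slash after 'parameter'."""
    return f"arn:{partition}:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def fix_arn(arn):
    """Collapse the doubled slash after 'parameter'; other ARNs pass through unchanged."""
    return DOUBLE_SLASH.sub(r"\1/", arn)


def _as_list(value):
    # IAM allows Statement, Resource and Action to be a single value or a list.
    return value if isinstance(value, list) else [value]


def find_malformed(policy_json):
    """Return (statement index, arn, corrected arn) for each malformed Resource entry."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for res in _as_list(stmt.get("Resource", [])):
            if isinstance(res, str) and DOUBLE_SLASH.match(res):
                findings.append((i, res, fix_arn(res)))
    return findings


# Constructed sample policy; the account ID and parameter names are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter*"],
         "Resource": ["arn:aws:ssm:us-west-2:123456789012:parameter//some/path"]},
        {"Effect": "Allow", "Action": "ssm:GetParameter*",
         "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/other/path"},
    ],
})

if __name__ == "__main__":
    for index, bad, good in find_malformed(SAMPLE_POLICY):
        print(f"Statement {index}: {bad} -> {good}")
```

Running it over rendered policy JSON (for example, the policy attribute from a plan or state export) shows which statements grant access to an ARN that will never match the real parameter.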