Terraform: TF 0.12 data.aws_iam_policy_document still contains unknown values during apply

Created on 10 Aug 2019 · 6 Comments · Source: hashicorp/terraform

Terraform Version

v0.12.6

Terraform Configuration Files

locals {
  bucket_name_prefix = "${var.service_name}-${var.account_id}"
}

module "app_logs_bucket" {
  source = "../modules-generic/s3-versioned-bucket/"

  create      = var.create
  name        = "${local.bucket_name_prefix}-app-logs"
  kms_key_arn = data.terraform_remote_state.this.outputs.kms_key_arn
}

resource "aws_s3_bucket_policy" "logs" {
  count  = var.create ? 1 : 0
  bucket = module.app_logs_bucket[0].name
  policy = data.aws_iam_policy_document.app_logs_bucket[0].json

  depends_on = [module.app_logs_bucket]
}

data "aws_iam_policy_document" "app_logs_bucket" {
  count = var.create ? 1 : 0

  statement {
    sid = "Admin access"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }

    resources = [
      "arn:aws:s3:::${module.app_logs_bucket[0].name}",
      "arn:aws:s3:::${module.app_logs_bucket[0].name}/*"
    ]

    actions = ["s3:*"]
  }
}

// s3-versioned-bucket module code

resource "aws_s3_bucket" "this" {
  count  = var.create ? 1 : 0
  bucket = var.name
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = var.kms_key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  lifecycle_rule {
    prefix  = "*"
    enabled = true

    noncurrent_version_expiration {
      days = var.version_expiration_days
    }
  }
}

resource "aws_s3_bucket_public_access_block" "this" {
  count  = var.create ? 1 : 0

  bucket = aws_s3_bucket.this[0].id

  block_public_acls       = var.block_public_acls
  block_public_policy     = var.block_public_policy
  ignore_public_acls      = var.ignore_public_acls
  restrict_public_buckets = var.restrict_public_buckets
}

Expected Behavior

The Bucket Policy should have been created and attached to the S3 Bucket.

Actual Behavior


Terraform throws the following error on apply

Error: configuration for data.aws_iam_policy_document.app_logs_bucket[0] still contains unknown values during apply (this is a bug in Terraform; please report it!)

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply

Additional Context

This worked with v0.11.14.

Hardcoding the bucket name in the aws_s3_bucket_policy resource and the aws_iam_policy_document data resolves the issue:

resource "aws_s3_bucket_policy" "logs" {
  count  = var.create ? 1 : 0
  bucket = "service-111111111111-app-logs" #module.app_logs_bucket[0].name
  policy = data.aws_iam_policy_document.app_logs_bucket[0].json

  depends_on = [module.app_logs_bucket]
}

data "aws_iam_policy_document" "app_logs_bucket" {
  count = var.create ? 1 : 0

  statement {
    sid = "Admin access"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"] #["arn:aws:iam::${var.account_id}:root"]
    }

    resources = [
      "arn:aws:s3:::service-111111111111-app-logs",
      "arn:aws:s3:::service-111111111111-app-logs/*"
    ]

    # resources = [
    #   "arn:aws:s3:::${module.app_logs_bucket[0].name}",
    #   "arn:aws:s3:::${module.app_logs_bucket[0].name}/*"
    # ]

    actions = ["s3:*"]
  }
}

References

Possibly related to

  • #21455
Labels: bug, config, core, v0.12


All 6 comments

Same issue here.

Terraform apply:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.data_dev_bucket will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "data_dev_bucket"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "*",
            ]
          + effect    = "Deny"
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "Bool"
              + values   = [
                  + "false",
                ]
              + variable = "aws:SecureTransport"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "*"
            }
        }
    }

Plan: 0 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "prod-dan"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Error: configuration for data.aws_iam_policy_document.data_dev_bucket still contains unknown values during apply (this is a bug in Terraform; please report it!)


Releasing state lock. This may take a few moments...

My tf template is even simpler, the only dynamic resource is the resource reference:

data "aws_iam_policy_document" "data_dev_bucket" {
  # Only allow TLS communication with the bucket contents
  statement {
    effect = "Deny"
    actions = [
      "*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      "${aws_s3_bucket.data_dev[0].arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

Seems terraform returns the ... still contains unknown values during apply error when aws_iam_policy_document contains an array element expression with an invalid index.

I was able to reproduce this error with the following code.

provider "aws" {
  region = "us-east-1"
}

resource "null_resource" "foo" {
  count = 0
}

data "aws_iam_policy_document" "bar" {
  statement {
    actions   = ["*"]
    resources = ["${null_resource.foo[0].id}"]
  }
}

null_resource.foo[0] does not exist since its count value is 0.
terraform returns Error: configuration for data.aws_iam_policy_document.bar still contains unknown values during apply (this is a bug in Terraform; please report it!) when applying it. terraform apply succeeds when the count parameter in the foo resource is set to 1.
The error message is a bit misleading though; the reason it fails to apply the above code is not unknown values, but that null_resource.foo[0] does not exist.

Not sure it's the root cause of the issue reported here though; I guess it's worthwhile to check whether there is any error in the expressions used in data.aws_iam_policy_document?
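The pattern described in the comment above, as an added Terraform 0.12 example (not configuration from the issue or the Terraform project): a count-gated bucket, the failing `[0]` reference beside a form that stays valid when count is 0, and a policy document that denies non-TLS access. It assumes a `var.create` boolean declared elsewhere and a constructed bucket name.

```hcl
# Assumes var.create (bool) is declared elsewhere.
resource "aws_s3_bucket" "logs" {
  count  = var.create ? 1 : 0
  bucket = "example-logs-bucket" # constructed name
  acl    = "private"
}

# Fails when var.create = false: aws_s3_bucket.logs[0] does not exist, and
# Terraform 0.12 reports it as "still contains unknown values during apply".
# data "aws_iam_policy_document" "broken" {
#   statement {
#     actions   = ["s3:GetObject"]
#     resources = ["${aws_s3_bucket.logs[0].arn}/*"]
#   }
# }

# Safe form: gate the data source on the same count, and derive the ARNs with
# a splat expression, which yields an empty list rather than an index error.
data "aws_iam_policy_document" "logs" {
  count = var.create ? 1 : 0

  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = concat(
      aws_s3_bucket.logs[*].arn,
      [for arn in aws_s3_bucket.logs[*].arn : "${arn}/*"]
    )

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  count  = var.create ? 1 : 0
  bucket = aws_s3_bucket.logs[0].id
  policy = data.aws_iam_policy_document.logs[0].json
}
```

With `var.create = false`, `terraform plan` now reports nothing to read or create instead of failing at apply.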

Still not working for me either

###############################################################################

data "template_file" "samba_server_setup_script" {
  template = file(format("%s/samba-server-setup.sh.tpl", local.tools))

  vars = {
    "region"      = var.region
    "env_name"    = var.env_name
    "vpc_name"    = var.vpc_name
    "user_name"   = var.samba_user_name
    "efs_mount"   = var.samba_efs_mountpoint
    "extra_init"  = var.client
    "efs_address" = module.commerce_efs.route53_records_name
    "stream_name" = var.stream_name
  }
}

###############################################################################

Using the output of a module as an input to this data source still does not work; it was absolutely fine on Terraform 0.11.

Edit: oddly, that output route53_records_name is a join on a splat of one value.

Thanks @nozaq, that is indeed the root cause in this situation.
It turns out the data source has some extra validation that is catching the configuration error, though it is unfortunately not mapped back to a useful configuration error and reported as a terraform bug.

@dsnellgrove, since you seem to have the next smallest configuration, can you make a more complete example to confirm if aws_s3_bucket.data_dev[0].arn is a valid reference in your config?

Closed by #22846

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
