
Terraform is not updating iam policy for SQS #13759

Closed
kydas opened this issue Jun 15, 2020 · 7 comments · Fixed by #19639
Labels
bug Addresses a defect in current functionality. service/sqs Issues and PRs that pertain to the sqs service.
Milestone

Comments


kydas commented Jun 15, 2020

I updated an AWS IAM policy for an SQS queue but the terraform apply shows no changes to the policy. In the state file I see:

"primary": {
  "id": "##########",
  "attributes": {
    "id": "########",
    "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"Sid#########\",\n \"Effect\": \"Allow\",\n \"Action\": \"SQS:*\",\n \"Resource\": \"arn:aws:sqs:###########\",\n \"Principal\": \"*\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:SourceArn\": \"arn:aws:sns:###########\"\n }\n }\n }\n ]\n}"
  }
}

The change was adding in the Principal parameter. What I see on AWS is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sid##########",
      "Effect": "Allow",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:############",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:sns:##############"
        }
      }
    }
  ]
}

You can see that the Principal parameter is not in the AWS document, despite being in the terraform files and in the state file. Terraform should refresh the state file to match the resource, and then apply the change based on the configuration in the terraform files.

Versions:
Terraform: 11.11
AWS Plugin: 2.66
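The comparison the reporter had to do by hand, as an added example that is not part of the issue or of the provider: a drift check that canonicalizes two SQS queue policies (lone strings versus lists, `"*"` versus `{"AWS": "*"}` principals, action-name case) and lists the statement fields on which the intended policy and the one actually attached to the queue disagree. The sample documents are constructed with placeholder account IDs and ARNs.

```python
import json

# Constructed sample documents modelled on the issue: the policy Terraform kept in its
# state (with Principal) and the one actually attached to the queue (without it). Placeholders only.
ARN_QUEUE = "arn:aws:sqs:us-east-1:123456789012:example-queue"
CONDITION = {"StringEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:example-topic"}}
STATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "SidExample", "Effect": "Allow", "Action": "SQS:*", "Resource": ARN_QUEUE,
    "Principal": "*", "Condition": CONDITION}]})
AWS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "SidExample", "Effect": "Allow", "Action": "SQS:*", "Resource": ARN_QUEUE,
    "Condition": CONDITION}]})
# The same grants as STATE_POLICY in IAM's alternative spellings; must show no drift.
EQUIVALENT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "SidExample", "Effect": "Allow", "Action": ["sqs:*"], "Resource": [ARN_QUEUE],
    "Principal": {"AWS": "*"}, "Condition": CONDITION}]})

LIST_KEYS = {"Action", "NotAction", "Resource", "NotResource", "AWS", "Service", "Federated"}

def _norm(value, key=""):
    """Canonicalize: "*" principal -> {"AWS": ["*"]}, lone strings -> lists, lists sorted, actions lower-cased."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            if k == "Principal" and v == "*":
                v = {"AWS": "*"}
            out[k] = _norm([v] if k in LIST_KEYS and isinstance(v, str) else v, k)
        return out
    if isinstance(value, list):
        return sorted((_norm(v, key) for v in value), key=lambda v: json.dumps(v, sort_keys=True))
    return value.lower() if isinstance(value, str) and key in ("Action", "NotAction") else value

def _statements(doc):
    stmts = doc.get("Statement", [])
    return {s.get("Sid") or f"#{i}": _norm(s) for i, s in enumerate([stmts] if isinstance(stmts, dict) else stmts)}

def policy_drift(desired_json, actual_json):
    """Per-statement differences (keyed by Sid or position) between intended and deployed policy; [] means no drift."""
    desired, actual = _statements(json.loads(desired_json)), _statements(json.loads(actual_json))
    findings = []
    for sid in sorted(set(desired) | set(actual)):
        d, a = desired.get(sid), actual.get(sid)
        if d is None or a is None:
            findings.append(f"{sid}: statement {'missing on AWS' if a is None else 'not in configuration'}")
            continue
        for field in sorted(set(d) | set(a)):
            if d.get(field) != a.get(field):
                findings.append(f"{sid}: {field} differs (config={d.get(field)!r}, aws={a.get(field)!r})")
    return findings
```

Feed it the `policy` attribute from `terraform state show` and the `Policy` attribute returned by `aws sqs get-queue-attributes` to spot exactly the kind of silent drift described above.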

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 15, 2020
@breathingdust breathingdust added the service/sqs Issues and PRs that pertain to the sqs service. label Jul 10, 2020
bflad (Contributor) commented Oct 1, 2020

Hi @kydas 👋 Thank you for raising this. Are you still having this issue? If so, we will require additional information to help troubleshoot, such as the previous configuration, the new configuration, and shown plan output.

@bflad bflad added the waiting-response Maintainers are waiting on response from community or contributor. label Oct 1, 2020

lucjross commented Dec 1, 2020

Hi @bflad, I may have run into the same issue.

My previous config:

data "aws_iam_policy_document" "x" {
  statement {
    actions = [
      "sqs:SendMessage",
    ]
    resources = [
      aws_sqs_queue.x.arn,
    ]
    condition {
      test = "ArnEquals"
      variable = "aws:SourceArn"
      values = [
        data.aws_sns_topic.x.arn,
      ]
    }
  }
}

resource "aws_sqs_queue_policy" "x" {
  queue_url = aws_sqs_queue.x.id
  policy = data.aws_iam_policy_document.x.json
}

Resulting policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "queue arn",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "topic arn"
        }
      }
    }
  ]
}

Updated config:

data "aws_iam_policy_document" "x" {
  statement {
    principals {
      type = "*"
      identifiers = ["*"]
    }
    actions = [
      "sqs:SendMessage",
    ]
    resources = [
      aws_sqs_queue.x.arn,
    ]
    condition {
      test = "ArnEquals"
      variable = "aws:SourceArn"
      values = [
        data.aws_sns_topic.x.arn,
      ]
    }
  }
}

The plan showed no changes from this config change, so the resulting policy didn't change. I'm using Terraform 0.12.24 and AWS provider 2.70.0. I got around it by tainting the policy.

@ghost ghost removed waiting-response Maintainers are waiting on response from community or contributor. labels Dec 1, 2020
@MattNohelty

I think we are seeing the same issue as well with Terraform 0.12.29.

@feraudet

The same with:
Terraform v0.14.8

  • provider registry.terraform.io/hashicorp/aws v3.25.0

@ewbankkit ewbankkit added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 7, 2021
@ewbankkit (Contributor)

In #19639 I have modified the aws_sqs_queue resource so that on Create and Update we wait for up to 1 minute to ensure that the queue attributes completely propagate.
This should fix the issue.

@github-actions github-actions bot added this to the v3.45.0 milestone Jun 7, 2021
@github-actions

This functionality has been released in v3.45.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 12, 2021