IAM Policy Document Always Changes With Single Conditions v3.28.0

[duganth-va]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.6
AWS v3.28.0

Affected Resource(s)

• data "aws_iam_policy_document"

Terraform Configuration Files

provider "aws" {
  region = "us-gov-west-1"
}

variable "vpc_id" {}
variable "subnet_ids" {}

resource "aws_security_group" "ecs_efs_sg" {
  name        = "ecs-efs-sg"
  description = "Allow ecs efs outbound traffic"
  vpc_id      = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

module "efs" {
  source          = "github.com/cloudposse/terraform-aws-efs.git?ref=0.22.0"
  name            = "efs"
  region          = "us-gov-west-1"
  vpc_id          = var.vpc_id
  subnets         = var.subnet_ids
  security_groups = [aws_security_group.ecs_efs_sg.id]
  encrypted       = true
}

resource "aws_efs_access_point" "efs" {
  file_system_id = module.efs.id
  root_directory {
    path = "/etc"
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = 755
    }
  }
}

# Assume Role Policy
data "aws_iam_policy_document" "ecs_efs_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_efs_task_role" {
  name               = "ecs-efs-task-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_efs_assume_role_policy.json
}

data "aws_iam_policy_document" "efs_policy" {
  statement {
    effect = "Allow"

    actions = [
      "elasticfilesystem:ClientMount"
    ]

    resources = [module.efs.arn]
    principals {
      type = "AWS"
      identifiers = [
        aws_iam_role.ecs_efs_task_role.arn
      ]
    }
    condition {
      test     = "StringEquals"
      variable = "elasticfilesystem:AccessPointArn"
      values = [
        aws_efs_access_point.efs.arn,
      ]
    }
  }
}

resource "aws_efs_file_system_policy" "efs_policy" {
  file_system_id = module.efs.id
  policy         = data.aws_iam_policy_document.efs_policy.json
}

Expected Behavior

After apply I expect the policy document not to try to change on subsequent apply's. It appears that the condition block requires an array of strings and the policy document includes the brackets on this condition. After apply AWS removes the brackets however the policy document adds them resulting in parity thus terraform always wants to change the policy.

Actual Behavior

      ~ policy         = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                        Action    = "elasticfilesystem:ClientMount"
                      ~ Condition = {
                          ~ StringEquals = {
                              ~ elasticfilesystem:AccessPointArn = "arn:aws-us-gov:elasticfilesystem:us-gov-west-1:<redacted>:access-point/fsap-0c4edfeacf107a78a" -> [
                                  + "arn:aws-us-gov:elasticfilesystem:us-gov-west-1:<redacted>:access-point/fsap-0c4edfeacf107a78a",

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

This was introduced in v3.28.0. v3.27.0 works as expected.

References

#12055

[duganth-va]

I tested 3.29 bug still exists.

[YakDriver]

@duganth-va Thanks for submitting this issue! However, I have not been able to replicate the problem. Can you provide a minimal configuration that causes the problem?

I tried these versions and this config which yielded the results below:

Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/aws v3.29.0

resource "aws_sns_topic" "test" {
  name = "yaktopic"
}

resource "aws_sns_topic_policy" "test" {
  arn    = aws_sns_topic.test.arn
  policy = data.aws_iam_policy_document.test.json
}

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "SNS:Subscribe",
    ]

    condition {
      test     = "StringEquals"
      variable = "sns:Protocol"

      values = [
        "https",
      ]
    }

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = [
      aws_sns_topic.test.arn,
    ]
  }
}

% terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.test will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "test"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "SNS:Subscribe",
            ]
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "https",
                ]
              + variable = "sns:Protocol"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_sns_topic.test will be created
  + resource "aws_sns_topic" "test" {
      + arn    = (known after apply)
      + id     = (known after apply)
      + name   = "yaktopic"
      + policy = (known after apply)
    }

  # aws_sns_topic_policy.test will be created
  + resource "aws_sns_topic_policy" "test" {
      + arn    = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_sns_topic.test: Creating...
aws_sns_topic.test: Creation complete after 1s [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]
data.aws_iam_policy_document.test: Reading...
data.aws_iam_policy_document.test: Read complete after 0s [id=3683377072]
aws_sns_topic_policy.test: Creating...
aws_sns_topic_policy.test: Creation complete after 1s [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
% terraform apply
aws_sns_topic.test: Refreshing state... [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]
aws_sns_topic_policy.test: Refreshing state... [id=arn:aws-us-gov:sns:us-gov-west-1:123456789101:yaktopic]

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
%

[duganth-va]

@YakDriver Sure I'll work on a minimal config. In the meantime it might help if you apply twice thats when the problem occurs!
Edit: I missed you applied twice hmm ok let me check if 3.29 did fix it 😓

[YakDriver]

I've also tried with these versions:

Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/aws v3.29.0

And 3 applies this time! 👍

No diffs with the SNS config. I'm not sure how/why it would behave differently than yours. If you can find a simple way to reproduce, let me know.

[duganth-va]

@YakDriver I cannot reproduce this issue anymore, it looks like AWS changed their policy format to include the comma now so there is no diff in the TF. While I don't know this to be the case it started working on 3.28 as well so I'm happy to close this issue. Thanks for looking into it!

[YakDriver]

@duganth-va We recently made changes with IAM policy document so we assumed it was a related regression. Glad to hear that it's working. Please let us know if you have any other issues. I notice from your tests that you work in GovCloud. I do much of my work there so you can ping me directly with GovCloud issues. I may not be able to take them on immediately always but can at least add the GovCloud label so we can prioritize accordingly (especially IAM issues).

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!