Cannot use SQS redrive_allow_policy correctly without creating a cycle #22577

Closed
davecardwell opened this issue Jan 13, 2022 · 16 comments · Fixed by #26733
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. service/sqs Issues and PRs that pertain to the sqs service.
Comments

@davecardwell
davecardwell commented Jan 13, 2022

The Example Usage for aws_sqs_queue shows a “source queue” with both a redrive_policy and a redrive_allow_policy set, however as per the AWS docs the “byQueue” redrive_allow_policy belongs on the dead letter queue itself:

The redrive allow policy specifies which source queues can access the dead-letter queue. This policy applies to a potential dead-letter queue.

Since you set a redrive_policy on the source queue which points to a dead letter queue, and a redrive_allow_policy on the dead letter queue restricting which source queues can redrive to it, it is not possible to represent this relationship in Terraform without creating a cycle.

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v1.1.2
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v3.71.0

Affected Resource(s)

  • aws_sqs_queue

Terraform Configuration Files

# Source queue: its redrive_policy references the DLQ's ARN, so it depends on the DLQ.
resource "aws_sqs_queue" "source_queue" {
  name = "source_queue"

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dead_letter_queue.arn
  })
}

# DLQ: its redrive_allow_policy references the source queue's ARN, so it depends on
# the source queue. Both queues now depend on each other, which is the cycle.
resource "aws_sqs_queue" "dead_letter_queue" {
  name = "dead_letter_queue"

  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue"
    sourceQueueArns   = [aws_sqs_queue.source_queue.arn]
  })
}

Debug Output

https://gist.github.com/davecardwell/236f84642a90536d442cbfc4434f8da1

Panic Output

N/A

Expected Behavior

Success. It should be possible to configure a RedriveAllowPolicy without creating a circular dependency.

Actual Behavior

Error: Cycle: aws_sqs_queue.dead_letter_queue, aws_sqs_queue.source_queue

Steps to Reproduce

  1. terraform validate

Important Factoids

N/A

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/sqs Issues and PRs that pertain to the sqs service. labels Jan 13, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jan 13, 2022
@sgabenov

sgabenov commented Feb 3, 2022

I think it would be good to move the DLQ redrive allow policy to a separate resource, so it can depend on both the normal queue and the DLQ without creating a cycle.
Also, an example in the docs of the Terraform resource would be very helpful.

@nandorholozsnyak

Hey, we are also facing this issue, any news on it?

@rbresson-edfx

Facing the same issue. I had to put redrivePermission = "allowAll" in order to make it work, but that is not satisfactory.

@hajdukd

hajdukd commented Mar 18, 2022

Same issue, though I'm going to live with a workaround for now.

@ramooncamacho

I tested it in version 1.1.7 because I was facing the same problem, and realized that the dead letter sqs queue needs to be implemented first.

You have to create arn string "arn:aws:sqs:region:account_number:mysqsqueue" in the redrive_allow_policy of the sqs dead letter queue. And at the main sqs queue you can point to the dead letter queue using arn attribute. This way the main sqs queue will depend on the sqs dead letter queue (you could also use depends_on, but it is not required in this case).

@taylor-knapp

It would be nice if you could directly reference the name from the main queues, as TF can know that before applying.

resource "aws_sqs_queue" "main_queue" {
  name                       = "main-queue"
  redrive_policy             = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dead_letter.arn
    maxReceiveCount     = 10
  })
}

resource "aws_sqs_queue" "dead_letter" {
  name                       = "dead-letter-queue"
  redrive_allow_policy       = jsonencode({
    redrivePermission = "byQueue",
    sourceQueueArns   = [
      # Required to either hard code or use a local for the name variable to avoid the cycle error.
      "arn:aws:sqs:${var.region}:${var.account_id}:main-queue",
      # Would be nice to just reference the already known name.
      "arn:aws:sqs:${var.region}:${var.account_id}:${aws_sqs_queue.main_queue.name}"
    ]
  })
}

@dynamicnet

Same as @taylor-knapp: with the latest AWS provider to date (4.24.0), this code leads to a cycle error.

resource "aws_sqs_queue" "queue" {
  name                       = "queue"

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dlq_queue.arn
    maxReceiveCount     = 36
  })
}

resource "aws_sqs_queue" "dlq_queue" {
  name                       = "dlq_queue"

  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue",
    sourceQueueArns   = [aws_sqs_queue.queue.arn]
  })
}

@techotron

Same workaround as #22577 (comment) I had to construct the sourceQueueArns manually:

  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue",
    sourceQueueArns   = ["arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:my-queue"]
  })

@ewbankkit ewbankkit added enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. and removed bug Addresses a defect in current functionality. labels Sep 13, 2022
@github-actions github-actions bot added this to the v4.31.0 milestone Sep 13, 2022
@github-actions

This functionality has been released in v4.31.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@stepintooracledba

stepintooracledba commented Sep 29, 2022

Hi,
I've tried the same redrive_policy using provider v4.32.0 and still get the same cycle error.

@timothyclarke

@ewbankkit Please re-open this one, as it is currently unsolved.
Following the example usage, version 4.36.1 still generates a circular dependency error, per the original post at the start of this thread.

@chuong-tran

chuong-tran commented Nov 24, 2022

The solution to prevent the cycle is to create a separate redrive_allow_policy resource, as in the example at the URL below:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy
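The pattern referred to above, written out as an added example; this is not code from this issue or from the provider documentation, and the queue names, the maxReceiveCount value and the resource labels are my assumptions. Both queues are created without any attribute that references the other, and the two redrive settings are moved into the separate aws_sqs_queue_redrive_policy and aws_sqs_queue_redrive_allow_policy resources, each of which depends on both queues. The dependency graph is then source -> policies <- dlq, with no edge back from a queue to the other queue, so there is no cycle:

```hcl
# Added example (assumed names and values). Neither queue references the other,
# so neither depends on the other.
resource "aws_sqs_queue" "source" {
  name = "orders" # assumed name
}

resource "aws_sqs_queue" "dlq" {
  name = "orders-dlq" # assumed name
}

# The source queue's redrive policy as its own resource. It depends on the source
# queue (queue_url) and on the DLQ (deadLetterTargetArn); nothing depends on it.
resource "aws_sqs_queue_redrive_policy" "source" {
  queue_url = aws_sqs_queue.source.id

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dlq.arn
    maxReceiveCount     = 5 # assumed value
  })
}

# The DLQ's redrive allow policy as its own resource. It also depends on both
# queues. "byQueue" limits which queues may use this DLQ; "allowAll" (the
# workaround mentioned earlier in the thread) would let any queue in the same
# account and region redrive into it.
resource "aws_sqs_queue_redrive_allow_policy" "dlq" {
  queue_url = aws_sqs_queue.dlq.id

  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue"
    sourceQueueArns   = [aws_sqs_queue.source.arn]
  })
}
```

With this layout terraform validate no longer reports the Cycle error. Two caveats: do not also set redrive_policy or redrive_allow_policy inline on the aws_sqs_queue blocks when using these resources, otherwise the inline attribute and the separate resource will each try to own the same queue attribute on every apply; and after apply you can confirm what AWS actually stored with `aws sqs get-queue-attributes --queue-url <dlq-url> --attribute-names RedriveAllowPolicy`, which is the check that catches a DLQ that was left on allowAll.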

@timothyclarke

@chuong-tran The docs for the aws_sqs_queue resource still need to be updated as they are giving an invalid example

@chuong-tran

@timothyclarke I see. Thanks!

@hsteidel

The docs for the aws_sqs_queue resource still need to be updated as they are giving an invalid example https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy

I was facing an issue with the sample provided at
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy

Where I went wrong was by deviating. I had...

resource "aws_sqs_queue" "inbound_message_dlq" {
  name = "inbound-dlq"
}
resource "aws_sqs_queue_redrive_allow_policy" "inbound_message_dlq_redrive" {

And that gave me an AWS 400 Resource Error on the source queue InvalidParameterValue: Value RedrivePolicy

However, once I named both the DLQ and the RedriveAllowPolicy the same, it worked.

resource "aws_sqs_queue" "inbound_message_dlq" {
  name = "inbound-dlq"
}

resource "aws_sqs_queue_redrive_allow_policy" "inbound_message_dlq" {

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2022