tf.state saved without empty principal block for s3 bucket policy

[ghost]

This issue was originally opened by @benvand as hashicorp/terraform#18525. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

Terraform v0.11.7
+ provider.archive v1.0.0
+ provider.aws v1.9.0

Terraform Configuration Files

modules/s3-document-bucket/main.tf
So we have a simple module to create a bucket and attach a policy giving read/ write perms to specified roles based on arns passed in as variables.

variable "bucket_name" {
  description = "(Required) A name our S3 bucket."
}

variable "read_object_roles" {
  type        = "list"
  description = "A list of role ARNs to apply get object permssions to."
}

variable "write_object_roles" {
  type        = "list"
  description = "A list of role ARNs to apply S3:PutObject and S3:PutObjectACL permissions to."
}

data "aws_iam_policy_document" "document_bucket_policy_document" {
  # Assign read roles
  statement {
    sid = ""
    effect = "Allow"

    principals {
      identifiers = "${var.read_object_roles}"
      type        = "AWS"
    }

    actions = [
      "s3:GetObject",
      "s3:GetBucketLocation",
      "s3:ListBucket",
    ]

    resources = [
      
      "arn:aws:s3:::${var.bucket_name}/*",
      "arn:aws:s3:::${var.bucket_name}",
    ]
  }
  # Assign write roles
  statement {
    sid = ""
    effect = "Allow"

    principals {
      identifiers = "${var.write_object_roles}"
      type        = "AWS"
    }

    actions = [
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]

    resources = [
      "arn:aws:s3:::${var.bucket_name}/*",
      "arn:aws:s3:::${var.bucket_name}",
    ]
  }
}

resource "aws_s3_bucket" "document_bucket" {
  bucket = "${var.bucket_name}"
  acl    = "private"

  versioning {
    enabled = true
  }

  # Apply policy to bucket
  policy = "${data.aws_iam_policy_document.document_bucket_policy_document.json}"
}

main.tf
We call the module, in the first instance it's fine, creates the policy, saves it to the remote state file etc. The problem arises when we have an empty list as our principal variable (read_only_bucket.write_object_roles)

module "read_write_bucket" {
  source             = "../../modules/s3-document-bucket"
  bucket_name        = "scratch-bucket"
  read_object_roles  = ["arn:aws:iam::${var.account_id}:role/readers"]
  write_object_roles = ["arn:aws:iam::${var.account_id}:role/writers"]
}

module "read_only_bucket" {
  source             = "../../modules/s3-document-bucket"
  bucket_name        = "some-read-only-bucket"
  read_object_roles  = ["arn:aws:iam::${var.account_id}:role/readers"]
  write_object_roles = []
}

Output of terraform plan

Terraform plan shows there is a change to make and is saying it will add an empty principal block. It doesn't appear to complete this action because running plan, then apply then plan yields the same message.

{
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789101:role/readers"
      },
      "Resource": [
        "arn:aws:s3:::some-read-only-bucket/*",
        "arn:aws:s3:::some-read-only-bucket"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::some-read-only-bucket/*",
        "arn:aws:s3:::some-read-only-bucket"
      ],
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}

=>

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::some-read-only-bucket/*",
        "arn:aws:s3:::some-read-only-bucket"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::123456789101:role/readers"
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::some-read-only-bucket/*",
        "arn:aws:s3:::some-read-only-bucket"
      ],
      "Principal": {
        "AWS": []
      }
    }
  ]
}

What's happening

The state file gets saved without a principal block because it would have been empty.
The plan gets generated with an empty principal block.
There's always a mismatch.

Additional Context

It looks like this might be a known issue:
https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#policy

if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan.

However... This is slightly more of a problem than the issues referenced below. In those, resource, action and principal list variables are converted to strings if they contain a single value. In my case the principal block is removed altogether when no principal is specified. I can't replicate this in my terraform because I can't conditionally remove the principal block

Can anyone suggest a work around until 0.12 ? https://www.hashicorp.com/blog/terraform-0-1-2-preview

References

hashicorp/terraform#5613
hashicorp/terraform#4948

[okonon]

@bflad wondering if there is a workaround for above mentioned issue?

[hkak03key]

@benvand
hello, I'm face this problem, too.
Is this problem solved ver. 0.12.x?
if so, does it need special syntax? please teach it.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.