
Allow Version Selection in policy_document data sources #744

Closed
hashibot opened this issue Jun 13, 2017 · 12 comments · Fixed by #6699
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.
Comments

@hashibot

This issue was originally opened by @hikerspath as hashicorp/terraform#14216. It was migrated here as part of the provider split. The original body of the issue is below.


Having used terraform for a while now, we have some configs running that we don't necessarily want to have torn down by terraform if switching to use of the newer (v0.7.7+) aws_iam_policy_document data source. Presently we are running a pre-defined version that has been called out in heredoc format. If we switch to use of the data source, we are forced to a specific version that is hard-coded into the app.

I could totally see having this be something that is defaulted in the app, but not something that is hard-coded as then both of us have more to maintain / be aware of...

  • You would need to be aware if AWS ever changed / upgraded the version and release a new version with the change (which would not be backwards compatible to running configs)
  • We would need to know if you ever changed the version so that the policy and all its dependencies would not be impacted with a terraform apply.

Terraform Version

  • v0.8.8

Affected Resource(s)

  • aws_iam_policy_document

Terraform Configuration Files

Below I have placed what we presently have called out and what is available to call out in the new configuration style. Specifically it is the 'Version:' options that I am speaking about.

Existing Policy Definition

resource "aws_iam_role" "lambda_assume_role" {
  name = "lambda_assume_role"

  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

New Policy Document Format

data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = [ "sts:AssumeRole" ]

    principals {
      type = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

References

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@mbyio

mbyio commented Oct 23, 2017

I would also like to see this addressed. The version of IAM policies used is currently hardcoded, not even in a variable or constant: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/data_source_aws_iam_policy_document.go#L98. This isn't documented or anything.

While arguably the version specified is the "correct" version to use, if Amazon releases a new version tomorrow, nobody who uses terraform will be able to use it!

@armanshan12
Contributor

+1

@hikerspath

+1

@radeksimko radeksimko added the service/iam Issues and PRs that pertain to the iam service. label Jan 27, 2018
@Zordrak

Zordrak commented Jul 23, 2018

+1

This blocks use of an aws_iam_policy_document data source for ECR which required 2008-10-17 PolicyVersion

@paultyng paultyng added enhancement Requests to existing resources that expand the functionality or scope. and removed bug Addresses a defect in current functionality. labels Jul 23, 2018
@paultyng
Contributor

For 2008-10-17 are the types the same as for 2012-10-17, is the only change the capability to use variables?

@paultyng
Contributor

paultyng commented Jul 23, 2018

This is the only documented thing I can find added in 2012-10-17: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

If the serialization is in fact the same between the two, adding this should be pretty straight forward.

@apparentlymart
Contributor

Being able to set a new version number won't help if the data source doesn't support whatever differences are present in that version.

This data source has arguments that match a particular version of the format. If a new version were added then we would need to add support for whatever has changed in that new version before declaring the new version number. Being able to override the version string would not make the new version actually usable without a new release of the provider.

In the event that a new version is defined, a new version of the provider would be released to support it.

@bflad
Contributor

bflad commented Jul 23, 2018

According to the documentation linked above and https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html, we might be able to safely set up a new optional version argument in the following manner since both structures should be compatible:

"version": {
	Type:     schema.TypeString,
	Optional: true,
	Default:  "2012-10-17",
	// Gate the data source to the IAM policy versions the provider knows how to serialise.
	ValidateFunc: validation.StringInSlice([]string{
		"2008-10-17",
		"2012-10-17",
	}, false),
},

The validation can be used to gate the datasource to "supported" IAM policy versions, but as aptly noted above, a new provider release will be required to potentially support if/when new IAM policy versions are released. This is no different a situation than it is currently and allows the backwards support.
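To show the version gate proposed above together with the one documented difference paultyng linked (policy variables exist only from 2012-10-17, so under 2008-10-17 a `${...}` token is matched literally), here is an added Go example; it is not provider code, and the names SupportedVersions, Render and LiteralVariables are assumptions of this sketch, with the allow-list mirroring the StringInSlice values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Allow-list of serialisable versions: the same gating idea as validation.StringInSlice above.
var SupportedVersions = map[string]bool{"2008-10-17": true, "2012-10-17": true}

// Statement and PolicyDocument model only the IAM JSON elements used here.
type Statement struct {
	Effect    string            `json:"Effect"`
	Principal map[string]string `json:"Principal,omitempty"`
	Action    []string          `json:"Action"`
	Resource  []string          `json:"Resource,omitempty"`
}
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// ValidateVersion rejects any version string outside the allow-list.
func ValidateVersion(v string) error {
	if !SupportedVersions[v] {
		return fmt.Errorf("unsupported IAM policy version %q", v)
	}
	return nil
}

// Render validates the version, then serialises the document as IAM JSON.
func Render(doc PolicyDocument) (string, error) {
	if err := ValidateVersion(doc.Version); err != nil {
		return "", err
	}
	b, err := json.MarshalIndent(doc, "", "  ")
	return string(b), err
}

// policyVarRe matches IAM policy variables such as ${aws:username}.
var policyVarRe = regexp.MustCompile(`\$\{[^}]+\}`)
// LiteralVariables lists policy variables AWS would not expand: ${...} is only
// interpolated when Version is 2012-10-17; under 2008-10-17 it is matched literally.
func LiteralVariables(doc PolicyDocument) []string {
	if doc.Version == "2012-10-17" {
		return nil
	}
	b, _ := json.Marshal(doc)
	return policyVarRe.FindAllString(string(b), -1)
}
```

A rendered policy that passes the version gate can still be wrong for its version, which is what LiteralVariables flags before the document is applied.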

@bflad
Contributor

bflad commented Jul 23, 2018

Pull request submitted for the above implementation: #5304

@bflad
Contributor

bflad commented Dec 4, 2018

Support for setting the version in the data source has been merged in and will release with version 1.51.0 of the AWS provider, likely in the next day or two. 👍

@bflad
Contributor

bflad commented Dec 5, 2018

This has been released in version 1.51.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020