aws_iot_policy.X: VersionsLimitExceededException: The policy X already has the maximum number of versions (5) #9540

Closed
jeandek opened this issue Jul 29, 2019 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iot Issues and PRs that pertain to the iot service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@jeandek
Contributor

jeandek commented Jul 29, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.14
provider.aws v2.21.1

Affected Resource(s)

  • aws_iot_policy

Terraform Configuration Files

terraform {}

provider "aws" {}

resource "aws_iot_policy" "test" {
  name = "testJean"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:*:*:topic/topic6"
    }
  ]
}
POLICY
}

Output

1 error occurred:
* aws_iot_policy.test: 1 error occurred:
* aws_iot_policy.test: VersionsLimitExceededException: The policy testJean already has the maximum number of versions (5)
status code: 409, request id: 34c184cc-b256-11e9-8ec0-a331a0a34c0e

Expected Behavior

I would expect the same behaviour as with aws_iam_policy. The oldest non-default policy version should be deleted to make room for the new one.

Steps to Reproduce

Just copy and paste the TF configuration I posted above and run terraform apply six times. (You can change the topic number, for instance.)

References

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 29, 2019
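
The behaviour requested in the issue above (delete the oldest non-default policy version to make room for the new one), sketched as an added example that is not part of the issue or of the provider's code. `Policy`, `Create`, `Update` and `ErrLimit` are hypothetical in-memory stand-ins for the service, not AWS SDK types; the version currently in force is never pruned, even when it is the oldest.

```go
package main

import (
	"errors"
	"fmt"
)

const maxVersions = 5 // limit quoted in the VersionsLimitExceededException message

// ErrLimit stands in for the 409 the service returns (hypothetical name).
var ErrLimit = errors.New("VersionsLimitExceededException")

// Policy is an in-memory stand-in for the service-side policy (constructed).
type Policy struct {
	Versions []int // version IDs in creation order, oldest first
	Default  int   // ID of the version currently in force
	nextID   int
}

// Create adds a version as the new default and fails at the limit, as the service does.
func (p *Policy) Create() error {
	if len(p.Versions) >= maxVersions {
		return ErrLimit
	}
	p.nextID++
	p.Versions = append(p.Versions, p.nextID)
	p.Default = p.nextID
	return nil
}

// Update prunes the oldest non-default version when the policy is full, then
// creates the new one. It returns the pruned ID, or 0 if nothing was removed.
func (p *Policy) Update() (pruned int, err error) {
	for i, id := range p.Versions {
		if len(p.Versions) >= maxVersions && id != p.Default {
			p.Versions = append(p.Versions[:i], p.Versions[i+1:]...)
			pruned = id
			break
		}
	}
	return pruned, p.Create()
}

func main() {
	p := &Policy{}
	for i := 0; i < 7; i++ { // seven applies: the sixth and seventh each prune one version
		fmt.Println(p.Update())
	}
}
```
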
@jeandek
Contributor Author

jeandek commented Jul 29, 2019

I've started work on a pull request and I'll create a WIP later today.

@nywilken nywilken added enhancement Requests to existing resources that expand the functionality or scope. service/iot Issues and PRs that pertain to the iot service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 30, 2019
@nywilken
Contributor

Hi @jeandek thanks for taking the lead on this. Please feel free to reach out if you find you need help.

@jeandek
Contributor Author

jeandek commented Jul 30, 2019

Thanks @nywilken!

I think I've managed on my own, but my new acceptance test takes quite a while to run. This might be normal because there are quite a few steps, but feel free to have a look at my pull request if you have the spare time.

@Sytten

Sytten commented Dec 1, 2019

I hit a bug related to this issue. When you get the 409, Terraform assumes that the policy has changed and updates its internal state. So if you try to apply again, it will not detect a diff.

@jeandek
Contributor Author

jeandek commented Dec 2, 2019

@Sytten : I think your problem probably deserves its own issue. While my PR would prevent it from occurring, the root cause is very different since it's related to how/what Terraform records in its resource graph.

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Nov 21, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 24, 2022
3 participants