AWS SNS always planned to be changed #3660

Closed
maxbeatty opened this issue Oct 27, 2015 · 7 comments · Fixed by #3700

@maxbeatty

I have, what I think is, a straightforward AWS SNS resource definition that includes a Version, Id, and Sid, but it always reports as changed in terraform plan (v0.6.4 - latest from brew on OS X).

resource "aws_sns_topic" "example" {
  depends_on = ["aws_iam_role.example"]
  name = "example"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Id": "Policy1445931846145",
  "Statement": [
    {
      "Action": "sns:Publish",
      "Principal": {
        "AWS": "${aws_iam_role.example.arn}"
      },
      "Effect": "Allow",
      "Resource": "arn:aws:sns:${var.region}::example",
      "Sid": "Stmt1445931846145"
    }
  ]
}
EOF
}

Is it because of the variables inside the EOF? I see the s3 bucket policy argument mentions making "sure you use the verbose/specific version of the policy." How can I make this policy more specific?

Thanks in advance!

@catsby
Contributor

catsby commented Oct 30, 2015

Hey @maxbeatty – I've found 2 issues here, and have a fix for both.
The first is an encoding issue with the policy, the second is an IAM issue that you may or may not have hit.

Posting a fix soon

@catsby
Contributor

catsby commented Oct 30, 2015

#3700 should fix this

@maxbeatty
Author

@catsby thanks for looking into this and adding a fix. As my project evolved, I ended up moving the permission to the role policy and out of the SNS resource so I can't test this fix for my previous situation. Hope this helps someone else down the line!

@catsby
Contributor

catsby commented Nov 2, 2015

Thanks for the update @maxbeatty, glad you had a workaround in place. Sorry for the trouble!

@mattupstate

I am experiencing this issue with 0.6.11, my SNS resource looks like this:

resource "aws_sns_topic" "mytopic" {
  name = "my-topic"
  display_name = "my-topic"
  policy = <<EOF
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SNS:Publish"
            ],
            "Resource": "arn:aws:sns:${var.region}:${var.account_id}:my-topic",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "${aws_s3_bucket.scribe.arn}"
                }
            }
        }
    ]
}
EOF
}

@boxrick

boxrick commented Mar 16, 2016

In your case the cause is the following:
"Action": [ "SNS:Publish" ],

Instead try

"Action": "SNS:Publish",

However this doesn't fix the Terraform problem of it recognizing this incorrectly.
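
The comment above attributes the diff to the list form of "Action" versus the plain-string form. As an added example (not part of the thread and not Terraform's own code), this Python snippet compares two policy documents by meaning rather than by text, so a cosmetic difference can be told apart from a real permission change. The function names, region, account id, bucket ARN and the shape of the returned policy are constructed assumptions.

```python
import json

# Statement elements that may be one string or a list of strings.
SCALAR_OR_LIST = {"Action", "NotAction", "Resource", "NotResource"}

def _values(value, lower=False):
    items = value if isinstance(value, list) else [value]
    return sorted({i.lower() if lower else i for i in items})

def _canon_statement(stmt):
    out = dict(stmt)
    for key, value in stmt.items():
        if key in SCALAR_OR_LIST:
            # IAM action names are case-insensitive; ARNs are left as written.
            out[key] = _values(value, lower=key.endswith("Action"))
        elif key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            out[key] = {k: _values(v) for k, v in value.items()}
        elif key == "Condition":
            out[key] = {op: {k: _values(v) for k, v in kv.items()}
                        for op, kv in value.items()}
    return out

def canonical(policy_text):
    doc = json.loads(policy_text)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a lone statement object is also accepted
        stmts = [stmts]
    doc["Statement"] = sorted((_canon_statement(s) for s in stmts),
                              key=lambda s: json.dumps(s, sort_keys=True))
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))

def equivalent(a, b):
    return canonical(a) == canonical(b)

# Constructed samples: region, account id and bucket ARN are placeholders.
ARN = "arn:aws:sns:us-east-1:123456789012:my-topic"
BUCKET = "arn:aws:s3:::example-bucket"

def sample_policy(action, source_arn):
    stmt = {"Sid": "", "Effect": "Allow", "Action": action, "Resource": ARN,
            "Principal": {"Service": "s3.amazonaws.com"},
            "Condition": {"ArnLike": {"aws:SourceArn": source_arn}}}
    return json.dumps({"Version": "2008-10-17", "Statement": [stmt]})

CONFIGURED = sample_policy(["SNS:Publish"], BUCKET)  # list form, as in the config
RETURNED = sample_policy("SNS:Publish", BUCKET)      # scalar form (assumed API output)
WIDENED = sample_policy("SNS:Publish", "arn:aws:s3:::*")  # real drift

if __name__ == "__main__":
    print(equivalent(CONFIGURED, RETURNED), equivalent(CONFIGURED, WIDENED))
```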
