Diffs don't match after applying IAM policy #6488

Closed
johnbarney opened this issue May 4, 2016 · 5 comments

johnbarney commented May 4, 2016

Error output:

Terraform Version: 0.6.15
Resource ID: aws_sqs_queue.vault_queue
Mismatch reason: extra attributes: policy
Diff One (usually from plan): *terraform.InstanceDiff{Attributes:map[string]*terraform.ResourceAttrDiff{"visibility_timeout_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "max_message_size":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "delay_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"lx-ecs-dev-vault-config", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Type:0x0}, "message_retention_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "receive_wait_time_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}}, Destroy:false, DestroyTainted:false}
Diff Two (usually from apply): *terraform.InstanceDiff{Attributes:map[string]*terraform.ResourceAttrDiff{"message_retention_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "receive_wait_time_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"lx-ecs-dev-vault-config", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Type:0x0}, "max_message_size":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "policy":*terraform.ResourceAttrDiff{Old:"", New:"{\"Version\":\"2012-10-17\",\"Id\":\"Policy1461268019586\",\"Statement\":[{\"Sid\":\"VaultConfigSQS\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::**:role/vault-config-dev\"]},\"Action\":[\"sqs:DeleteMessage\",\"sqs:ReceiveMessage\"],\"Resource\":\"arn:aws:sqs:us-west-2:**:lx-ecs-dev-vault-config\"}]}", NewComputed:false, NewRemoved:false, NewExtra:"{\n  \"Version\": \"2012-10-17\",\n  \"Id\": \"Policy1461268019586\",\n  \"Statement\": [\n    {\n      \"Sid\": \"VaultConfigSQS\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::**:role/vault-config-dev\"\n        ]\n      },\n      \"Action\": [\n        \"sqs:DeleteMessage\",\n        \"sqs:ReceiveMessage\"\n      ],\n      \"Resource\": \"arn:aws:sqs:us-west-2:**:lx-ecs-dev-vault-config\"\n    }\n  ]\n}\n", RequiresNew:false, Type:0x0}, "delay_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, 
"visibility_timeout_seconds":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}}, Destroy:false, DestroyTainted:false}

Blocks in question (I think?):

resource "template_file" "vault_config_sqs_policy" {
  template = "${file("../iam/policies/sqs/vault_config.json")}"

  vars {
    principal = "arn:aws:iam::${var.customer_number}:role/vault-config-${var.env}"
    resource = "arn:aws:sqs:${var.aws_region}:${var.customer_number}:lx-ecs-${var.env}-vault-config"
    sid = "VaultConfigSQS"
  }
}

resource "aws_sqs_queue" "vault_queue" {
  name = "lx-ecs-${var.env}-vault-config"
  policy = "${template_file.vault_config_sqs_policy.rendered}"
}

JSON referenced:

{
  "Version": "2012-10-17",
  "Id": "Policy1461268019586",
  "Statement": [
    {
      "Sid": "${sid}",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "${principal}"
        ]
      },
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "${resource}"
    }
  ]
}

This error happens on a fresh apply (no existing state).

Please let me know if any additional information would be useful.

Thanks

@johnbarney
Author

Just tried with TF 0.6.14 and this issue does not hit me. I'm unblocked, but this seems to be an issue in the latest release only.


spanktar commented May 10, 2016

Possibly related to #5888?

Contributor

catsby commented May 24, 2016

I just merged #6724 which should address this. Thanks for writing in!

catsby closed this as completed May 24, 2016
Author

johnbarney commented May 31, 2016

@catsby Upgraded to Terraform 0.6.16 today and still have the issue. Should I open a new issue?

EDIT: Never mind. Merged does not mean release build. I saw #6705 was reported for v0.6.16.


ghost commented Apr 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Apr 25, 2020