Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_iam_policy_document Bool condition always shows diff #19245

Closed
ghost opened this issue May 5, 2021 · 10 comments · Fixed by #22100
Closed

aws_iam_policy_document Bool condition always shows diff #19245

ghost opened this issue May 5, 2021 · 10 comments · Fixed by #22100
Assignees
@YakDriver
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Milestone
v3.69.0

Comments

@ghost
Copy link

ghost commented May 5, 2021
edited by YakDriver
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Relates #21968

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.3
+ provider registry.terraform.io/hashicorp/archive v2.0.0
+ provider registry.terraform.io/hashicorp/aws v3.38.0
+ provider registry.terraform.io/hashicorp/null v3.0.0
+ provider registry.terraform.io/hashicorp/random v3.0.1
+ provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

  • aws_efs_file_system_policy
  • aws_iam_policy_document

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

locals {
  aws_efs_file_system_arn = aws_efs_file_system.fs.arn
}

data "aws_iam_policy_document" "efs_policy" {
  version = "2012-10-17"

  statement {
    sid = "Allow mount and write"

    actions = [
      "elasticfilesystem:ClientWrite",
      "elasticfilesystem:ClientRootAccess",
      "elasticfilesystem:ClientMount"
    ]

    resources = [local.aws_efs_file_system_arn]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }

  statement {
    sid = "Enforce in-transit encryption for all clients"

    effect = "Deny"

    actions = ["*"]

    resources = [local.aws_efs_file_system_arn]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.fs.id

  policy = data.aws_iam_policy_document.efs_policy.json # TODO: always shows change, need to raise a ticket with aws provider
}

resource "aws_efs_file_system" "fs" {
  encrypted  = true
  kms_key_id = var.kms_key_id

  lifecycle_policy {
    transition_to_ia = "AFTER_14_DAYS"
  }

  tags = {
    Name = format("efs-%s-%s-%s-%s-%s", terraform.workspace, "test", "fs", "test", "test")
  }
}

Expected Behavior

Plan should show no changes.

Actual Behavior

Terraform will perform the following actions:

  # module.shared_data_storage.module.efs.aws_efs_file_system_policy.policy will be updated in-place
  ~ resource "aws_efs_file_system_policy" "policy" {
        id             = "fs-123123"
      ~ policy         = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = [
                            "elasticfilesystem:ClientWrite",
                            "elasticfilesystem:ClientRootAccess",
                            "elasticfilesystem:ClientMount",
                        ]
                        Effect    = "Allow"
                        Principal = {
                            AWS = "*"
                        }
                        Resource  = "arn:aws:elasticfilesystem:us-east-2:123412341234:file-system/fs-123123"
                        Sid       = "Allow mount and write"
                    },
                  ~ {
                      ~ Condition = {
                          ~ Bool = {
                              ~ aws:SecureTransport = "false" -> [
                                  + "false",
                                ]
                            }
                        }
                        # (5 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. Run terraform apply
  2. Run terraform plan

Important Factoids

This issue wasn't there before upgrading to latest aws provider version.
@ghost ghost added service/efs Issues and PRs that pertain to the efs service. service/iam Issues and PRs that pertain to the iam service. labels May 5, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 5, 2021
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label May 5, 2021
@anGie44
Copy link
Contributor

anGie44 commented May 7, 2021

Hi @IrmantasM , thank you for raising this issue. To help backtrack where this may have been introduced, do you mind providing which provider version you were using before upgrading to the latest? thanks in advance!

@anGie44 anGie44 added thinking waiting-response Maintainers are waiting on response from community or contributor. labels May 7, 2021
@jooh-lee
Copy link

jooh-lee commented May 8, 2021

This is not an issue in provider version v3.27.0. It was introduced in v3.28.0

@ghost ghost removed waiting-response Maintainers are waiting on response from community or contributor. labels May 8, 2021
@ghost
Copy link
Author

ghost commented May 9, 2021

Hi @anGie44, I was using 3.11.0, but as per @jooh-lee seems like it was introduced just now.

@anGie44 anGie44 added bug Addresses a defect in current functionality. and removed thinking labels May 9, 2021
@anGie44
Copy link
Contributor

anGie44 commented May 9, 2021

Can confirm with @jooh-lee's comment above that the behavior is present as early as v.3.28.0 of the provider .

@stevehipwell stevehipwell mentioned this issue Jun 29, 2021
Closed
@ewbankkit ewbankkit removed the service/efs Issues and PRs that pertain to the efs service. label Sep 10, 2021
@ewbankkit ewbankkit mentioned this issue Oct 14, 2021
Closed
@samm-git
Copy link

samm-git commented Nov 3, 2021
edited
Loading

Same here. Getting such on all conditions, e.g.

~ Condition = {
    ~ Bool         = {
        ~ aws:SecureTransport = "true" -> [
            + "true",
          ]
      }
    ~ StringEquals = {
        ~ elasticfilesystem:AccessPointArn = "arn:aws:elasticfilesystem:us-east-1:1234567890:access-point/fsap-1234567890" -> [
            + "arn:aws:elasticfilesystem:us-east-1:1234567890:access-point/fsap-1234567890",
          ]
      }
  }

@danopia
Copy link

danopia commented Nov 4, 2021
edited
Loading

A previous issue (closed with no proper resolution) showing the the StringEquals case: #17623

Possibly shares a root cause?

@devopsrick
Copy link

Yep this can be mitigated by adding a trailing comma after any item in a list of conditions/resources/actions, including a single item.

@YakDriver YakDriver mentioned this issue Nov 30, 2021
Closed
67 tasks
@YakDriver
Copy link
Member

YakDriver commented Dec 7, 2021
edited
Loading

This should be resolved with #22067 (mostly about IAM but included an updated version of awspolicyequivalence also) and hashicorp/awspolicyequivalence#7. However, until we create a test to ensure it is fixed, I'm going to leave this open.

This was referenced Dec 7, 2021
Merged
Merged
@YakDriver YakDriver self-assigned this Dec 7, 2021
@YakDriver YakDriver added this to the Roadmap milestone Dec 7, 2021
@YakDriver YakDriver mentioned this issue Dec 8, 2021
Merged
@github-actions github-actions bot modified the milestones: Roadmap, v3.69.0 Dec 8, 2021
@github-actions
Copy link

This functionality has been released in v3.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@YakDriver YakDriver mentioned this issue Feb 18, 2022
Closed
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@YakDriver YakDriver

Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Projects
None yet
Milestone
v3.69.0
Development

Successfully merging a pull request may close this issue.

efs/file_system_policy: Fix diffs with equivalent policies hashicorp/terraform-provider-aws
7 participants
@danopia @samm-git @devopsrick @ewbankkit @anGie44 @jooh-lee @YakDriver