sqs_managed_sse_enabled used to default to false but now defaults to true

[tiagomatic]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• aws_sqs_queue

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

No tf plan due to underlying tf code not changing.

Actual Behavior

This change causes issues with set-ups that don't support and conflict with sqs_managed_sse_enabled, which spontaneously now cause the following ambiguous error:

Error: error waiting for SQS Queue (...) attributes to update: SQS Queue policies are not equivalent

it was only after doing an attempted import that revealed the issue a bit with the following error:

data could not be decoded from
│ the state: unsupported attribute "sqs_managed_sse_enabled".

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[jufemaiz]

I'm seeing this too.

Terraform version: 1.1.0 on Go runtime version: go1.17.2
--
  | on linux_amd64
  | + provider registry.terraform.io/hashicorp/aws v3.69.0
  | + provider registry.terraform.io/hashicorp/random v2.3.1
  | + provider registry.terraform.io/hashicorp/template v2.2.0

LOG trace on apply.

Action=GetQueueAttributes&AttributeName.1=All&QueueUrl=https%3A%2F%2Fsqs.REGION.amazonaws.com%2FACCOUNT_ID%2FQUEUE_NAME&Version=2012-11-05
-----------------------------------------------------: timestamp=2021-12-14T10:23:36.111Z
2021-12-14T10:23:36.135Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2021/12/14 10:23:36 [DEBUG] [aws-sdk-go] DEBUG: Response sqs/GetQueueAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 1955
Content-Type: text/xml
Date: Tue, 14 Dec 2021 10:23:36 GMT
X-Amzn-Requestid: 6114f86a-b2c4-5ee2-921c-a258c02c2385
 
-----------------------------------------------------: timestamp=2021-12-14T10:23:36.134Z
2021-12-14T10:23:36.135Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2021/12/14 10:23:36 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?><GetQueueAttributesResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"><GetQueueAttributesResult><Attribute><Name>QueueArn</Name><Value>arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME</Value></Attribute><Attribute><Name>ApproximateNumberOfMessages</Name><Value>0</Value></Attribute><Attribute><Name>ApproximateNumberOfMessagesNotVisible</Name><Value>0</Value></Attribute><Attribute><Name>ApproximateNumberOfMessagesDelayed</Name><Value>0</Value></Attribute><Attribute><Name>CreatedTimestamp</Name><Value>TIMESTAMP</Value></Attribute><Attribute><Name>LastModifiedTimestamp</Name><Value>TIMESTAMP</Value></Attribute><Attribute><Name>VisibilityTimeout</Name><Value>900</Value></Attribute><Attribute><Name>MaximumMessageSize</Name><Value>262144</Value></Attribute><Attribute><Name>MessageRetentionPeriod</Name><Value>RETENTION_PERIOD</Value></Attribute><Attribute><Name>DelaySeconds</Name><Value>0</Value></Attribute><Attribute><Name>Policy</Name><Value>BLAH</Value></Attribute><Attribute><Name>RedrivePolicy</Name><Value>{"deadLetterTargetArn":"arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME-dlq","maxReceiveCount":10}</Value></Attribute><Attribute><Name>ReceiveMessageWaitTimeSeconds</Name><Value>20</Value></Attribute><Attribute><Name>SqsManagedSseEnabled</Name><Value>false</Value></Attribute></GetQueueAttributesResult><ResponseMetadata><RequestId>UUID</RequestId></ResponseMetadata></GetQueueAttributesResponse>: timestamp=2021-12-14T10:23:36.134Z
2021-12-14T10:23:36.135Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2021/12/14 10:23:36 [TRACE] Waiting 10s before next try: timestamp=2021-12-14T10:23:36.135Z
2021-12-14T10:23:37.861Z [TRACE] dag/walk: vertex "module.thing (close)" is waiting for "module.thing.module.queue_name (close)"
2021-12-14T10:23:37.861Z [TRACE] dag/walk: vertex "module.thing.module.queue_name (close)" is waiting for "module.thing.module.queue_name.aws_sqs_queue_policy.main"
2021-12-14T10:23:40.248Z [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "module.thing.module.queue_name.aws_sqs_queue_policy.main"
module.thing.module.queue_name.aws_sqs_queue_policy.main: Still modifying... [id=https://sqs.REGION.amazonaws.co...ACCOUN_ID/QUEUE_NAME, 1m0s elapsed]
2021-12-14T10:23:40.292Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2021/12/14 10:23:40 [WARN] WaitForState timeout after 1m0s: timestamp=2021-12-14T10:23:40.292Z
2021-12-14T10:23:40.292Z [INFO]  provider.terraform-provider-aws_v3.69.0_x5: 2021/12/14 10:23:40 [WARN] WaitForState starting 30s refresh grace period: timestamp=2021-12-14T10:23:40.292Z
2021-12-14T10:23:40.293Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.thing.module.queue_name.aws_sqs_queue_policy.main
2021-12-14T10:23:40.294Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for module.thing.module.queue_name.aws_sqs_queue_policy.main
2021-12-14T10:23:40.294Z [TRACE] evalApplyProvisioners: module.thing.module.queue_name.aws_sqs_queue_policy.main is not freshly-created, so no provisioning is required
2021-12-14T10:23:40.294Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.thing.module.queue_name.aws_sqs_queue_policy.main
2021-12-14T10:23:40.294Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for module.thing.module.queue_name.aws_sqs_queue_policy.main
2021-12-14T10:23:40.299Z [ERROR] vertex "module.thing.module.queue_name.aws_sqs_queue_policy.main" error: error waiting for SQS Queue Policy (https://sqs.REGION.amazonaws.com/ACCOUNT_ID/QUEUE_NAME) to be set: SQS Queue policies are not equivalent
2021-12-14T10:23:40.299Z [TRACE] vertex "module.thing.module.queue_name.aws_sqs_queue_policy.main": visit complete, with errors
2021-12-14T10:23:40.299Z [TRACE] dag/walk: upstream of "module.thing.module.queue_name (close)" errored, so skipping
2021-12-14T10:23:40.299Z [TRACE] dag/walk: upstream of "module.thing (close)" errored, so skipping
2021-12-14T10:23:40.299Z [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" errored, so skipping
2021-12-14T10:23:40.299Z [TRACE] dag/walk: upstream of "root" errored, so skipping

[ewbankkit]

Relates: #21954.
Relates: #22194.

[marcdejonge]

We seems to running into the exact same issue. Can't apply anything now. Is there a work-around available?

It seems to me to be related to this API change: https://awsapichanges.info/archive/changes/850fc8-sqs.html

Update: It seems somewhat related to IAM roles. With an administrator role it seems to execute correctly, but with our CI it doesn't. We'll try to figure out what the difference is.

[jufemaiz]

Until a new release, peg the version of the provider to v3.68.0 is working fine for me.

[joe-a-t]

Still experiencing this error in 3.71.0. The specific error we are currently receiving is

Error: error waiting for SQS Queue (FOO) attributes to update: timeout while waiting for state to become 'equal' (last state: 'notequal', timeout: 2m0s)

so we have had to pin to 3.68.0, which works

[chasse-code]

We just encountered this issue today after upgrading to 3.71.0

Error: error waiting for SQS Queue (https://sqs.us-east-1.amazonaws.com/<account>/<queue_name>) attributes to update: timeout while waiting for state to become 'equal' (last state: 'notequal', timeout: 2m0s)

  on sqs.tf line 1, in resource "aws_sqs_queue" "sqs_lambda_trigger":
   1: resource "aws_sqs_queue" "sqs_lambda_trigger" {

[joe-a-t]

FYI our issues seem to have been fixed by #22547 so upgrading to 3.72.0 appears to resolve our errors

[Conacious]

Hi, this is still happening in 4.29.0. The parameter sqs_managed_sse_enabled defaults to true instead of false as documentation says.

[nantiferov]

It seems to me that CreateQueue Api defaults has been changed around September, 1.

If SqsManagedSseEnabled was not defined before, it was set by default to false and now it's set to true.

Experience the same issue with aws provider 4.15.1, 4.29.0 and terraform v1.2.1.
Cloudtrail logs shows clearly that SqsManagedSseEnabled is not set in CreateQueue request, even when sqs_managed_sse_enabled explicitly set to false.

[ewbankkit]

Announcement.

[github-actions]

This functionality has been released in v4.36.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.