Incorrect ARN output for aws_ssm_parameter #2593

Closed
jurajseffer opened this issue Dec 8, 2017 · 6 comments
@jurajseffer
Contributor

jurajseffer commented Dec 8, 2017

Terraform Version

  • Terraform v0.11.0
  • provider.aws v1.5.0

Affected Resource(s)

aws_ssm_parameter

Terraform config

resource "aws_ssm_parameter" "some_key" {
  name      = "/some/path"
  type      = "SecureString"
  value     = "${var.some_key}"
  overwrite = true
}

resource "aws_iam_role_policy" "some_policy" {
...
{
  "Effect": "Allow",
  "Resource": [
    "${aws_ssm_parameter.some_key.arn}"
  ],
  "Action": [
    "ssm:GetParameter*"
  ]
}
...

The ARN exported for this type of resource has a double slash (//) after the word parameter. I've tried creating a parameter without the leading slash, but Terraform throws an AWS API error:
aws_ssm_parameter.some_key: [ERROR] Error creating SSM parameter: ValidationException: Parameter name must be a fully qualified name.

The double slash is a problem because when I include the ARN in a policy for an IAM role, I get an "unauthorized" response from AWS. Permissions work once one of the slashes is manually removed.

Perhaps this is caused by the trailing slash after parameter in https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_ssm_parameter.go#L94

The obvious workaround is to manually construct the ARN or use the replace function.
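
Added example, not part of the original issue thread and not the provider's code: a Go sketch of the manual ARN construction mentioned above, plus a check that finds the doubled-slash ARN in an IAM policy document before it silently fails to grant access. The helper names, the `arn:aws` partition and the account ID `123456789012` are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ssmParameterARN (hypothetical helper) drops the leading "/" of a fully qualified name so the ARN has no "parameter//".
func ssmParameterARN(region, account, name string) string {
	return fmt.Sprintf("arn:aws:ssm:%s:%s:parameter/%s", region, account, strings.TrimPrefix(name, "/"))
}

var doubledSlash = regexp.MustCompile(`^arn:[^:]+:ssm:[^:]*:[^:]*:parameter//`) // malformed shape from the issue

// asList returns a JSON array's elements, or a lone value as a one-item list.
func asList(raw json.RawMessage) []json.RawMessage {
	var items []json.RawMessage
	if len(raw) == 0 || json.Unmarshal(raw, &items) == nil {
		return items
	}
	return []json.RawMessage{raw}
}

// malformedSSMResources lists Resource entries with the doubled slash; Statement and Resource may be single or lists.
func malformedSSMResources(policy string) ([]string, error) {
	var doc struct{ Statement json.RawMessage }
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return nil, err
	}
	var bad []string
	for _, raw := range asList(doc.Statement) {
		var st struct{ Resource json.RawMessage }
		_ = json.Unmarshal(raw, &st) // a statement that is not an object yields no resources
		for _, r := range asList(st.Resource) {
			var arn string
			if json.Unmarshal(r, &arn) == nil && doubledSlash.MatchString(arn) {
				bad = append(bad, arn)
			}
		}
	}
	return bad, nil
}

func main() { // constructed sample policy with a placeholder account ID
	bad, _ := malformedSSMResources(`{"Statement":{"Resource":"arn:aws:ssm:us-west-2:123456789012:parameter//some/path"}}`)
	fmt.Println(bad, "->", ssmParameterARN("us-west-2", "123456789012", "/some/path"))
}
```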

@bflad
Contributor

bflad commented Dec 9, 2017

Hi @jurajseffer, thanks for this bug report! It certainly looks like this is an issue since the ID will include the leading /. I was able to verify in the acceptance testing by making the ARN attribute test more robust with a regex instead of just testing existence:

	testing.go:503: Step 0 error: Check failed: Check 2/4 error: aws_ssm_parameter.foo: Attribute 'arn' didn't match "^arn:aws:ssm:[a-z0-9-]+:[0-9]{12}:parameter/path/TestAccAWSSSMParameter_fullPath_dud3bzqera$", got "arn:aws:ssm:us-west-2:193075746082:parameter//path/TestAccAWSSSMParameter_fullPath_dud3bzqera"

I have submitted #2604 with the bugfix and enhanced testing. 😄

@jen20
Contributor

jen20 commented Dec 17, 2017

This should be fixed in 6cd9169 (rebased #2604) - thanks for the report!

@jen20 jen20 closed this as completed Dec 17, 2017
@jerthom

jerthom commented Jan 17, 2018

@seppi91

seppi91 commented Jan 18, 2018

Please reopen this issue as it still exists in aws_ssm_parameter data source as @jerthom described.

@bflad
Contributor

bflad commented Feb 9, 2018

The data source fix has been released in terraform-provider-aws version 1.9.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020