
Cannot reference module.<name>.topic_arn inside aws_iam_policy_document as value for topic_policy

Open • meathead23 opened this issue 1 year ago • 0 comments

Description

When creating a totally custom SNS policy using a Terraform aws_iam_policy_document as the topic_policy value, Terraform throws an `Error: Cycle` error if the module output of the module the policy is being attached to is referenced in the SNS topic's policy.

The policy works fine if I remove the module reference and hardcode the ARN; however, since this behaviour works in other Terraform modules, for example https://github.com/terraform-aws-modules/terraform-aws-s3-bucket, I figured it would work in this one.

Versions

  • Module version [Required]: 6.0.1

  • Terraform version: v1.5.7

  • Provider version(s):
    • registry.terraform.io/hashicorp/aws v5.43.0

Reproduction Code [Required]

# Topic policy that refers back to the topic it will be attached to.
data "aws_iam_policy_document" "sns_policy" {
  statement {
    sid    = "sub"
    effect = "Allow"
    # Reference to the module output: this is the edge that closes the cycle.
    resources = [
      "${module.sns.topic_arn}/*",
    ]

    actions = [
      "sns:Subscribe"
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

module "sns" {
  source = "terraform-aws-modules/sns/aws"

  name = "bug-report-sns-topic"

  # Pass the fully custom policy straight through instead of letting the module build one.
  create_topic_policy = false
  topic_policy        = data.aws_iam_policy_document.sns_policy.json
}

Steps to reproduce the behaviour:

  1. run terraform init
  2. run terraform validate

Expected behavior

The validation should pass with no errors.

Actual behavior

The validation fails with the following error:

╷
│ Error: Cycle: module.sns.output.topic_arn (expand), data.aws_iam_policy_document.sns_policy, module.sns.var.topic_policy (expand), module.sns.aws_sns_topic.this
│
╵

Terminal Output Screenshot(s)


Additional context

I've done similar things with Terraform modules, for example https://github.com/terraform-aws-modules/terraform-aws-s3-bucket, where the following works:

# Bucket policy that refers to the bucket it will be attached to; no cycle here.
data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = "AllowReadWriteAccess"
    effect = "Allow"
    resources = [
      module.s3.s3_bucket_arn,
      "${module.s3.s3_bucket_arn}/*"
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "s3:List*",
      "s3:Get*",
      "s3:DeleteObject"
    ]
  }
}

module "s3" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket        = "s3-bucket"
  attach_policy = true
  policy        = data.aws_iam_policy_document.bucket_policy.json
}

meathead23, Apr 02 '24 17:04
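The error message itself explains the difference between the two modules: in the SNS module the `topic_policy` input is fed directly into `aws_sns_topic.this`, so the policy is an attribute of the very resource whose ARN it references, whereas the S3 module attaches the policy through a separate `aws_s3_bucket_policy` resource that can depend on the bucket. One way to keep a fully custom policy without the cycle, written as an added example rather than code from the issue or from the terraform-aws-modules project, is to derive the topic ARN from the account, partition, region and topic name (the documented SNS ARN layout `arn:<partition>:sns:<region>:<account-id>:<topic-name>`), none of which depend on the topic existing. It assumes the module creates the topic with exactly the given `name` (no prefix or suffix added) and that the `check` block below runs under Terraform 1.5 or newer, which the reported v1.5.7 satisfies.

```hcl
# Added example (not from the issue or the module): break the cycle by building the
# topic ARN from values that are known before the topic exists.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
data "aws_partition" "current" {}

locals {
  topic_name = "bug-report-sns-topic"

  # Same layout AWS uses for every SNS topic ARN. Nothing here references
  # module.sns, so the policy document no longer depends on the module output.
  topic_arn = "arn:${data.aws_partition.current.partition}:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${local.topic_name}"
}

data "aws_iam_policy_document" "sns_policy" {
  statement {
    sid       = "sub"
    effect    = "Allow"
    actions   = ["sns:Subscribe"]
    resources = [local.topic_arn]

    # Assumption for this example: only principals in the same account may
    # subscribe, so the principal is the account root rather than "*".
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

module "sns" {
  source  = "terraform-aws-modules/sns/aws"
  version = "6.0.1"

  name = local.topic_name

  create_topic_policy = false
  topic_policy        = data.aws_iam_policy_document.sns_policy.json
}

# Post-apply guard: the module output is read here, outside the module's inputs,
# so it creates no cycle. If the predicted ARN ever drifts from the real one
# (different region/provider alias, a name prefix), the apply reports it.
check "topic_arn_matches_prediction" {
  assert {
    condition     = module.sns.topic_arn == local.topic_arn
    error_message = "Predicted SNS topic ARN ${local.topic_arn} does not match module.sns.topic_arn ${module.sns.topic_arn}."
  }
}
```

`terraform validate` passes because the dependency graph is now `data sources -> policy document -> module`, with the `check` block hanging off the module rather than feeding it. If the module is given a provider alias for a different region, point `data "aws_region"` at the same alias, otherwise the predicted ARN will be wrong and the check will flag it. The principal narrowing is a choice for this example; the issue's original `"*"` principal lets any AWS account subscribe to the topic, which is rarely what a topic policy should allow.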