terraform-provider-awscc
terraform-provider-awscc copied to clipboard
hashicorp
Trailing EOL causes `awscc_ec2_verified_access_group` policy to change at every apply
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
- The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.
Terraform CLI and Terraform AWS Cloud Control Provider Version
Terraform v1.6.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.25.0
+ provider registry.terraform.io/hashicorp/awscc v0.64.0
Affected Resource(s)
- awscc_ec2_verified_access_group
Terraform Configuration Files
The following (working) configuration shows the group policy to be different at every apply
resource "awscc_ec2_verified_access_trust_provider" "main" {
policy_reference_name = "iam_sso2"
trust_provider_type = "user"
user_trust_provider_type = "iam-identity-center"
}
resource "awscc_ec2_verified_access_instance" "main" {
verified_access_trust_provider_ids = [awscc_ec2_verified_access_trust_provider.main.verified_access_trust_provider_id]
}
resource "awscc_ec2_verified_access_group" "main" {
verified_access_instance_id = awscc_ec2_verified_access_instance.main.id
policy_enabled = true
policy_document = <<-EOT
// grant access to domain email users
permit(principal,action,resource)
when {
context.iam_sso2.user.email.address like "*@domain.com"
};
EOT
}
It does the same if I use a single line with \n :
policy_document = "// grant access to domain email users\npermit(principal,action,resource)\nwhen {\n context.iam_sso2.user.email.address like \"*@domain.com\"\n};\n"
but, if I remove the trailing new line
policy_document = "// grant access to domain email users\npermit(principal,action,resource)\nwhen {\n context.iam_sso2.user.email.address like \"*@domain.com\"\n};"
the configuration is applied every time without changes.
The same works with HEREDOC, adding chomp to remove the trailing new line:
resource "awscc_ec2_verified_access_trust_provider" "main" {
policy_reference_name = "iam_sso2"
trust_provider_type = "user"
user_trust_provider_type = "iam-identity-center"
}
resource "awscc_ec2_verified_access_instance" "main" {
verified_access_trust_provider_ids = [awscc_ec2_verified_access_trust_provider.main.verified_access_trust_provider_id]
}
resource "awscc_ec2_verified_access_group" "main" {
verified_access_instance_id = awscc_ec2_verified_access_instance.main.id
policy_enabled = true
policy_document = chomp(<<-EOT
// grant access to domain email users
permit(principal,action,resource)
when {
context.iam_sso2.user.email.address like "*@domain.com"
};
EOT
)
}
Expected Behavior
The policy should apply without having to get rid of the new line. Knowing it, it's easy to fix (just remove the last \n on single line or use chomp with heredocs), but I had hard time figuring out that the issue was the trailing new line, not the heredoc, or multi-line, or the comment.
Steps to Reproduce
Just apply the example config above: the top one causes terraform to find the policy as "changed" at every apply, the last one is working every time without showing any changes (beside the real ones, if any).
I suspect this is similar to #1284, where the VerifiedPermissions APIs do not return your exact input policy (string) but rather a modified version of it.
