terraform-provider-awscc icon indicating copy to clipboard operation
terraform-provider-awscc copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

IAM role service principal constantly wants to update if using json + heredoc

Open drewmullen opened this issue 3 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

  • awscc_iam_role

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_iam_role" "flow_log_cloudwatch" {
  role_name   = "vpc-flow-log"
  description = "VPC Flow logs for"
  # tags = var.tags
  assume_role_policy_document = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCFlowLogs",
      "Effect": "Allow",
      "Principal": {
        "Service": ["vpc-flow-logs.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Expected Behavior

no update

Actual Behavior

  # awscc_iam_role.flow_log_cloudwatch will be updated in-place
  ~ resource "awscc_iam_role" "flow_log_cloudwatch" {
      ~ assume_role_policy_document = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ Service = "vpc-flow-logs.amazonaws.com" -> [
                              + "vpc-flow-logs.amazonaws.com",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        id                          = "test-vpc-flow-log-yxik2ig8"
      - max_session_duration        = 3600 -> null
        # (5 unchanged attributes hidden)
    }

Steps to Reproduce

  1. terraform apply
  2. terraform apply

drewmullen avatar Feb 22 '22 20:02 drewmullen

NOTE: this behavior does not happen if you use the data source:

data "aws_iam_policy_document" "flow_log_cw_assume_role" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }

    effect = "Allow"

    actions = ["sts:AssumeRole"]
  }
}

resource "awscc_iam_role" "flow_log_cloudwatch" {
  role_name   = "${var.name}-vpc-flow-log-${random_string.suffix.result}"
  description = "VPC Flow logs for ${var.name}"
  # tags = var.tags
  assume_role_policy_document = data.aws_iam_policy_document.flow_log_cw_assume_role.json
}

drewmullen avatar Feb 22 '22 20:02 drewmullen

FYI: when using embedded json, removing the [] resolves this issue

      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },

drewmullen avatar Feb 23 '22 19:02 drewmullen

Relates https://github.com/hashicorp/terraform-provider-awscc/issues/509.

ewbankkit avatar Aug 24 '22 15:08 ewbankkit