aws_sqs_queue_policy - fails on first apply, succeeds on second apply with no changes

[TomTucka]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.28

Affected Resource(s)

• aws_sqs_queue_policy

Terraform Configuration Files

resource "aws_sqs_queue_policy" "deadletter_queue" {
  queue_url = aws_sqs_queue.deadletter_queue.id
  policy    = data.aws_iam_policy_document.deadletter_queue.json
}

data "aws_iam_policy_document" "deadletter_queue" {
  statement {
    effect    = "Allow"
    resources = [aws_sqs_queue.deadletter_queue.arn]
    actions = [
      "sqs:ChangeMessageVisibility",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:ListQueueTags",
      "sqs:ReceiveMessage",
      "sqs:SendMessage",
    ]
    principals {
      type        = "AWS"
      identifiers = [var.allowed_arn]
    }
  }

Debug Output

Error: Error updating SQS attributes: InvalidAttributeValue: Invalid value for the parameter Policy.
	status code: 400, request id: 30b6f60c-a403-5af4-8fdb-a178a4dda18f

  on modules/sqs/main.tf line 54, in resource "aws_sqs_queue_policy" "deadletter_queue":
  54: resource "aws_sqs_queue_policy" "deadletter_queue" {

Expected Behavior

Terraform should create the resource on the first apply

Actual Behavior

Terraform fails with the error above, on a re-run with no changes the apply succeeds.

Steps to Reproduce

1. terraform apply
2. terraform fails
3. terraform apply
4. terraform succeeds

Important Factoids

Happens on both CI and local machine

[laurenty]

I am running into the same issue. I even set explicit dependencies between the aws_iam_policy_document and the resource that the policy refers to and then between the aws_sqs_queue_policy and aws_iam_policy_document. Still got the error.
Terraform 0.13.5
AWS Provider hashicorp/aws v2.70.0

[laurenty]

It looks like this is a timing issue. After reading the docs on SQS SetQueueAttributes, I did notice that it mentions a potential 60s propagation delay so I added a 60s time_sleep resource between the aws_sqs_queue and aws_sqs_queue_policy resources and the apply was successful on the first attempt.
https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html

[natanlao]

I can reproduce this:

(.venv) ~/u/c/terraform develop> terraform -version
Terraform v0.14.0
+ provider registry.terraform.io/hashicorp/archive v2.0.0
+ provider registry.terraform.io/hashicorp/aws v3.20.0
+ provider registry.terraform.io/hashicorp/local v2.0.0

Your version of Terraform is out of date! The latest version
is 0.14.2. You can update by downloading from https://www.terraform.io/downloads.html

[rexxavier]

This is resolved

On Fri, Dec 11, 2020 at 5:45 PM Natan Lao ***@***.***> wrote: I can reproduce this: (.venv) ~/u/c/terraform develop> terraform -version Terraform v0.14.0 + provider registry.terraform.io/hashicorp/archive v2.0.0 + provider registry.terraform.io/hashicorp/aws v3.20.0 + provider registry.terraform.io/hashicorp/local v2.0.0 Your version of Terraform is out of date! The latest version is 0.14.2. You can update by downloading from https://www.terraform.io/downloads.html — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#13980 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AM7XD4QALKXZ6GTJ2MDV2GDSUKVK3ANCNFSM4OLKCWSA> .

-- Thanks, Rex

[laurenty]

@rexxavier could you elaborate? thank you

[amartopoulos]

I also ran into this exact problem just now. After the second "successful" run (no changes, according to Terraform), I checked out the queue in the console. It has the requested policy, so this is more of an annoyance than anything else. Still, would be nice if that 60 second sleep could be integrated into the process.

[natanlao]

Forgot to add here that @laurenty's suggested fix worked for me.

[SalasSanchez]

Is it resolved in TF 14, @rexxavier? What do you mean?

[BhushanGitHub]

This seems to be still an issue. I am facing the same problem even with a 0.14.4

[laurenty]

This seems to be still an issue. I am facing the same problem even with a 0.14.4

If this were to be fixed, it would be in the AWS provider. Not in TF itself.

[SalasSanchez]

This seems to be still an issue. I am facing the same problem even with a 0.14.4

If this were to be fixed, it would be in the AWS provider. Not in TF itself.

I think the point here is that there is a TF workaround for this timing issue, and the suggestion was made above that TF14 was going to have some such workaround built in, instead of requiring users to add a sleep time.

It appears that this is not the case, so I'll stick to my time_sleep.

[floresfactor]

same problem.
Terraform 0.13.2

[cesarpball]

Same problem Terraform 0.13.5

[ewbankkit]

In #19639 I have modified the aws_sqs_queue resource so that on Create and Update we wait for up to 1 minute to ensure that the queue attributes completely propagate.
This should fix the issue.

[github-actions]

This functionality has been released in v3.45.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.