SNS Feedback role is broken

[lpossamai]

Description

When enabling enable_sns_topic_delivery_status_logs = true, I get the following error:

aws_iam_role.sns_feedback_role[0]: Creating...
╷
│ Error: creating IAM Role (terraform-20230821062128499400000001): MalformedPolicyDocument: Has prohibited field Resource
│       status code: 400, request id: 291d1af4-9051-4d50-b3a9-4ee372492068
│ 
│   with aws_iam_role.sns_feedback_role[0],
│   on iam.tf line 26, in resource "aws_iam_role" "sns_feedback_role":
│   26: resource "aws_iam_role" "sns_feedback_role" {

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]: 6.0.0

• Terraform version: 1.5.0

• Provider version(s):

Terraform v1.5.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.10.0
+ provider registry.terraform.io/hashicorp/external v2.3.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1

Reproduction Code [Required]

enable_sns_topic_delivery_status_logs = true

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[bparak]

In https://github.com/terraform-aws-modules/terraform-aws-notify-slack/blob/v6.0.0/iam.tf ; the policy for CloudWatch Logs is passed to assume_role_policy which expects only assume policies. This policy needs to be attached to the role (or inlined) and a valid assume policy granting AWS SNS the right to assume the role needs to be passed to assume_role_policy.

data "aws_iam_policy_document" "sns_feedback" {
  count = local.create_sns_feedback_role ? 1 : 0

  statement {
    sid    = "PermitDeliveryStatusMessagesToCloudWatchLogs"
    effect = "Allow"

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:PutMetricFilter",
      "logs:PutRetentionPolicy"
    ]

    resources = [
      "*"
    ]
  }
}

resource "aws_iam_role" "sns_feedback_role" {
  count = local.create_sns_feedback_role ? 1 : 0

  name                  = var.sns_topic_feedback_role_name
  description           = var.sns_topic_feedback_role_description
  path                  = var.sns_topic_feedback_role_path
  force_detach_policies = var.sns_topic_feedback_role_force_detach_policies
  permissions_boundary  = var.sns_topic_feedback_role_permissions_boundary
  assume_role_policy    = data.aws_iam_policy_document.sns_feedback[0].json ## << HERE

  tags = merge(var.tags, var.sns_topic_feedback_role_tags)
}

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[lpossamai]

Not stale

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.