Multiple aws_sqs_queue_policy adds only one policy to queue

[hashibot]

This issue was originally opened by @cu12 as hashicorp/terraform#12003. It was migrated here as part of the provider split. The original body of the issue is below.

---

Terraform Version

v0.8.7

Affected Resource(s)

Please list the resources as a list, for example:

• aws_sqs_queue_policy
• aws_iam_policy_document

Terraform Configuration Files

variable "environments" {
  default = "prod,stag"
}

variable "vendorbackend_sns_topics" {
  type = "map"

  default = {
    region1_stag = "arn:aws:sns:eu-west-1:xxxxxxxxxxxx:snstopic_stag"
    region1_prod = "arn:aws:sns:eu-west-1:xxxxxxxxxxxx:snstopic_prod"
    region2_stag   = "arn:aws:sns:ap-southeast-1:xxxxxxxxxxxx:snstopic_stag"
    region2_prod   = "arn:aws:sns:ap-southeast-1::xxxxxxxxxxxx:snstopic_prod"
  }
}

resource "aws_sqs_queue" "q" {
  count = "${length(compact(split(",", var.environments)))}"

  name = "q-${element(split(",", var.environments), count.index)}"
}

# region 1
data "aws_iam_policy_document" "allow_sendmessage-region1" {
  count = "${length(compact(split(",", var.environments)))}"

  statement {
    actions = ["sqs:SendMessage"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [
        "${var.sns_topics["region1_${element(split(",", var.environments), count.index)}"]}",
      ]
    }
  }
}

resource "aws_sqs_queue_policy" "allow_sendmessage-region1" {
  count = "${length(compact(split(",", var.environments)))}"

  queue_url = "${element(aws_sqs_queue.q.*.id, count.index)}"
  policy    = "${element(data.aws_iam_policy_document.allow_sendmessage-region1.*.json, count.index)}"
}

# region 2
data "aws_iam_policy_document" "allow_sendmessage-region2" {
  count = "${length(compact(split(",", var.environments)))}"

  statement {
    actions = ["sqs:SendMessage"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [
        "${var.sns_topics["region2_${element(split(",", var.environments), count.index)}"]}",
      ]
    }
  }
}

resource "aws_sqs_queue_policy" "allow_sendmessage-region2" {
  count = "${length(compact(split(",", var.environments)))}"

  queue_url = "${element(aws_sqs_queue.q.*.id, count.index)}"
  policy    = "${element(data.aws_iam_policy_document.allow_sendmessage-region2.*.json, count.index)}"
}

Expected Behavior

Should have created two separate policies.

Actual Behavior

Created only one policy attached to the queue.
In each plan TF would like to modify the policies and during apply it applies them successfully.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan
2. terraform apply
3. terraform plan

Important Factoids

N/A

References

N/A

[dpup]

Has anyone identified a work around to this issue?

[xpolb01]

Work around: hashicorp/terraform#12003 (comment)

[bflad]

We would like to address the duplicate Terraform resource problem, more generically for all Terraform resources that could be potentially duplicated by certain criteria (such as per-region and per-name). The enhancement that would be available to all Terraform resources, which we could then implement the Terraform AWS Provider, can be tracked upstream in the Terraform Plugin SDK: hashicorp/terraform-plugin-sdk#224.

[bflad]

Hi folks 👋 Thank you for submitting this and this is an excellent use case of somewhere that Terraform and the Terraform AWS Provider could be much more helpful since in many cases they have enough information to return an error upfront during planning instead of unexpected behavior during apply.

I believe this falls under the provider-wide enhancement proposal of #14394, so by adding this link here it will add a reference to that issue so we can include it as a use case when thinking about the implementation details. Since this is likely something we will want more broadly across many resources, I'm going to close this particular issue to consolidate discussions, efforts, and prioritization on the topic while the reference would serve as the cue to make this specific resource one of the initial implementations. I would suggest those 👍 upvoting and subscribing here to do so on #14394 so we can appropriately gauge interest. Please feel free to provide feedback there.

Thanks again!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!