Closed (ulucinar closed this 3 weeks ago)
/test-examples="examples/sns/v1beta1/topic-with-policy.yaml"
I've definitely observed this same update loop in other resources that contain an IAM policy, in addition to one more: converting an AWS account id to the ARN of that account's root in a Principal element.
Do we have an issue to track these improvements?
Description of your changes

We've observed update loops with the `Topic.sns` resources when inline policies are given. The desired policy document in the `spec` can differ from the actual (observed) document in the following two ways:

1. Missing `Version` node. An example is as follows:

   What's observed contains a `Version` node:

   Please note the `Version` node in the observed policy document.

2. Topology differences: What's declared in `spec` could be:

   And what's observed could then be:

   Please note that the declared AWS IAM principals are JSON arrays whereas the observed ones are strings.

This PR proposes to introduce a custom Terraform diff to filter out such differences that result in an update loop. This is already implemented as a diff suppress function in the underlying Terraform provider. We should consider making sure that these suppress functions are properly invoked in a future iteration, but it will result in a larger change that will require more rigorous testing.

This PR also adds a `Topic.sns` example manifest with an inline policy document to test the fix.

I have:

- Run `make reviewable` to ensure this PR is ready for review.
- Added `backport release-x.y` labels to auto-backport this PR if necessary.

How has this code been tested
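The diff-suppress check the PR describes, written out as an added illustration that is neither the PR's nor the provider's code: it canonicalizes both documents the way the observed policy comes back (single-element arrays to plain strings and, as the comment above notes, a bare account id in a Principal to that account's root ARN) and tolerates a `spec` that omits the `Version` node, while still reporting real changes. The function names and the sample policies are constructed for this example.

```go
package main

import (
	"encoding/json"
	"reflect"
	"regexp"
)

var accountID = regexp.MustCompile(`^\d{12}$`)
// canonicalize applies the rewrites the AWS API makes when storing a policy: a
// single-element array becomes a string, a bare account id under "AWS" its root ARN.
func canonicalize(v any, parentKey string) any {
	switch t := v.(type) {
	case []any:
		if len(t) == 1 {
			return canonicalize(t[0], parentKey)
		}
		out := make([]any, len(t))
		for i, e := range t {
			out[i] = canonicalize(e, parentKey)
		}
		return out
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, e := range t {
			out[k] = canonicalize(e, k) // k is the key the child value sits under
		}
		return out
	case string:
		if parentKey == "AWS" && accountID.MatchString(t) {
			return "arn:aws:iam::" + t + ":root"
		}
	}
	return v
}

// policiesEquivalent is the diff-suppress check behind the fix described above.
func policiesEquivalent(desired, observed string) (bool, error) {
	var d, o map[string]any
	if err := json.Unmarshal([]byte(desired), &d); err != nil {
		return false, err
	}
	if err := json.Unmarshal([]byte(observed), &o); err != nil {
		return false, err
	}
	if _, ok := d["Version"]; !ok { // spec omitted Version: do not diff on it
		delete(o, "Version")
	}
	return reflect.DeepEqual(canonicalize(d, ""), canonicalize(o, "")), nil
}
```

An explicit `Version` in the spec that differs from the observed one is still treated as a real change, as are differences in Effect, Action or Resource.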