hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Provide documentation of all known instances that will cause a value to appear in the after_unknown field in a terraform plan - specifically for aws_iam_policy resources #11823

Open rileydak opened 4 years ago

rileydak commented 4 years ago

When generating a plan file to JSON output using the following commands:

```
terraform plan -out planfile
terraform show -json planfile
```

attributes about the specific resources being changed can be found in the `resource_changes` key of the terraform plan file.

Some values for resource_changes can appear in the after_unknown field. The best example of this is referencing a KMS Key ARN for a key being created within the same template in the IAM Policy. This causes the entire policy to appear in the "after_unknown" key - as opposed to containing the policy document. The terraform plan output to json capability is a great feature to allow programmatic parsing of terraform plans. However - without better understanding of when specifically certain values will be treated as after_unknown, can it be relied upon for checking templates for compliance?

Requesting that the exact causes of this be documented to be better understood by the community.


rileydak commented 4 years ago

Example TF template with scenario of after_unknown value:

```hcl
resource "aws_kms_key" "kms_key" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}

data "aws_iam_policy_document" "iam_policy_document" {
  statement {
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["${aws_kms_key.kms_key.arn}"]
  }
}

resource "aws_iam_policy" "iam_policy" {
  name   = "iam_policy"
  policy = "${data.aws_iam_policy_document.iam_policy_document.json}"
}
```

Resulting output of plan:

```
# aws_iam_policy.iam_policy will be created
```
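The compliance-checking concern raised in the issue, as an added example that is not part of the issue or the provider's code: a small Python checker over `terraform show -json` output that reports an `aws_iam_policy` as `unknown` when its `policy` attribute sits in `after_unknown` (as happens with the KMS ARN reference above) instead of silently passing it, and only evaluates the wildcard-action check when the document is actually present. The plan JSON is a constructed sample shaped like the real format, not output captured from the issue.

```python
import json

# Constructed sample of `terraform show -json planfile` output, not the issue's
# output. "static" carries its policy in `after`; "iam_policy" references a KMS
# key ARN created in the same plan, so its whole `policy` lands in after_unknown.
KNOWN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"}]})
SAMPLE_PLAN = json.dumps({"format_version": "0.1", "resource_changes": [
    {"address": "aws_kms_key.kms_key", "type": "aws_kms_key", "change": {
        "actions": ["create"], "after": {"description": "KMS key 1"},
        "after_unknown": {"arn": True, "key_id": True}}},
    {"address": "aws_iam_policy.iam_policy", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"name": "iam_policy"},
                "after_unknown": {"arn": True, "id": True, "policy": True}}},
    {"address": "aws_iam_policy.static", "type": "aws_iam_policy",
     "change": {"actions": ["create"],
                "after": {"name": "static", "policy": KNOWN_POLICY},
                "after_unknown": {"arn": True, "id": True}}},
]})


def has_wildcard_action(policy_doc):
    """True if any Allow statement grants '*' or a 'service:*' action."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for st in statements:
        actions = st.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a string or a list
            actions = [actions]
        if st.get("Effect") == "Allow" and any(
                a == "*" or a.endswith(":*") for a in actions):
            return True
    return False


def check_plan(plan_json):
    """Map each aws_iam_policy address to 'pass', 'fail' or 'unknown'.
    'unknown' means `policy` sits in after_unknown: the document is absent
    from the plan, so report it rather than treating the gap as a pass."""
    results = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_iam_policy":
            continue
        change = rc["change"]
        policy = (change.get("after") or {}).get("policy")
        if change.get("after_unknown", {}).get("policy") is True:
            results[rc["address"]] = "unknown"
        elif policy is not None:  # deletes carry no `after`, so skip them
            results[rc["address"]] = "fail" if has_wildcard_action(json.loads(policy)) else "pass"
    return results
```

Running `check_plan(SAMPLE_PLAN)` yields `{"aws_iam_policy.iam_policy": "unknown", "aws_iam_policy.static": "fail"}`; a pipeline that gates on this output should treat `unknown` as a blocker to be resolved (for example by checking the policy after apply) rather than as a pass.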

github-actions[bot] commented 1 week ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!