hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

SQS queue not created due to `null` request parameters #22984

Closed krzema12 closed 2 years ago

krzema12 commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.74.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_sqs_queue" "dynatrace_repo_s3_events_queue" {
  name = "dynatrace-repo-s3-events-queue"
}

resource "aws_sqs_queue_policy" "dynatrace_repo_s3_events_queue_policy" {
  policy = data.aws_iam_policy_document.dynatrace_repo_s3_events_queue_policy_document.json
  queue_url = aws_sqs_queue.dynatrace_repo_s3_events_queue.id
}

data "aws_iam_policy_document" "dynatrace_repo_s3_events_queue_policy_document" {
  statement {
    sid = "dynatrace-repo-s3-events-queue-policy-statement-id"
    effect = "Allow"
    actions = ["SQS:SendMessage"]
    resources = [aws_sqs_queue.dynatrace_repo_s3_events_queue.arn]

    condition {
      test = "StringLike"
      values = [var.dynatrace_s3_repo_event_source_aws_account_id]
      variable = "aws:SourceAccount"
    }

    condition {
      test = "ArnLike"
      values = var.dynatrace_s3_repo_event_source_arns
      variable = "aws:SourceArn"
    }

    principals {
      type = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

Debug Output

Debug output contains business-sensitive data. I'm attaching some logs from the moment of queue creation: https://gist.github.com/krzema12/33206859ed0c62e62a065d36172b2223

Please let me know if you need anything more.

Panic Output

No panic (I guess).

Expected Behavior

The queue should be created successfully, and requestParameters be non-null.

Actual Behavior

I get AccessDenied:

module.build-units-service.aws_sqs_queue.dynatrace_repo_s3_events_queue: Creating...
╷
│ Error: failed creating SQS Queue (dynatrace-repo-s3-events-queue-dev): AccessDenied: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.
│       status code: 403, request id: ab147d69-8f40-5fde-9156-27135e960439
│ 
│   with module.build-units-service.aws_sqs_queue.dynatrace_repo_s3_events_queue,
│   on .terraform/modules/build-units-service/terraform-modules/mission-control-platform/build-units-service/event-queue.tf line 1, in resource "aws_sqs_queue" "dynatrace_repo_s3_events_queue":
│    1: resource "aws_sqs_queue" "dynatrace_repo_s3_events_queue" {
│ 
╵

Normally I'd assume there's something wrong with my IAM policy, but I see the following request in AWS CloudTrail, which contains null requestParameters:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "...",
        "arn": "...",
        "accountId": "...",
        "accessKeyId": "...",
        "userName": "..."
    },
    "eventTime": "2022-02-07T07:59:54Z",
    "eventSource": "sqs.amazonaws.com",
    "eventName": "CreateQueue",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "188.252.71.25",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.5 (+https://www.terraform.io) terraform-provider-aws/3.74.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.42.38 (go1.16; linux; amd64)",
    "errorCode": "AccessDenied",
    "errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "8776387a-1597-5098-a766-6200c62dcedb",
    "eventID": "6e2423cc-2fb6-4f00-a421-8aba41a2c84d",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "478983378254",
    "eventCategory": "Management"
}

Compared to a manual queue creation via the AWS console, where this field does have some values like the queue name, here we have nothing. I assume that AWS returns AccessDenied because it doesn't know the SQS queue name, which should be in the request parameters, so it preemptively says there's no access.

Steps to Reproduce

  1. Use the config provided above.
  2. Use this IAM policy:
     {
       "Sid": "SomeSid",
       "Effect": "Allow",
       "Action": [
         "sqs:*"
       ],
       "Resource": [
         "arn:aws:sqs:::dynatrace-repo-*"
       ]
     },
  3. terraform apply

Important Factoids

None.

References

None.

krzema12 commented 2 years ago

We'd be grateful for a confirmation of whether it's really a bug or whether we are misusing Terraform. Asked the community for help: https://discuss.hashicorp.com/t/sqs-queue-cannot-be-created-due-to-null-request-parameters/35652

krzema12 commented 2 years ago

It turned out the issue was related to AWS policy. Resolving.

krzema12 commented 2 years ago

For future reference, the Resource part was incorrect - it was missing the stars in the places where the region and account ID belong: arn:aws:sqs:*:*:dynatrace-repo-*.
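To make the root cause concrete, here is an added example (not part of the issue or of the provider) that evaluates the reporter's original and corrected Resource patterns against a queue ARN using IAM's `*`/`?` wildcard semantics; the account ID and region in the ARN are constructed sample values.

```python
import re

# Constructed sample queue ARN (fake account ID), shaped like the one the config creates.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:dynatrace-repo-s3-events-queue"

# Resource pattern from the issue's original policy, and the corrected one from the last comment.
BROKEN_RESOURCE = "arn:aws:sqs:::dynatrace-repo-*"
FIXED_RESOURCE = "arn:aws:sqs:*:*:dynatrace-repo-*"

ARN_FIELDS = ["prefix", "partition", "service", "region", "account", "resource"]


def iam_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM policy string into a regex: '*' matches any run of characters
    (including ':'), '?' matches one character, everything else is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts))


def resource_matches(pattern: str, arn: str) -> bool:
    """Whole-string match, case-sensitive (IAM resource matching for SQS is case-sensitive)."""
    return iam_pattern_to_regex(pattern).fullmatch(arn) is not None


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are matched case-insensitively, e.g. 'sqs:*' covers 'SQS:SendMessage'."""
    return resource_matches(pattern.lower(), action.lower())


def first_mismatched_field(pattern: str, arn: str):
    """Heuristic diagnostic: compare the six colon-separated ARN fields one by one and
    report the first that does not match (None if all match). Only a hint, because a
    '*' in an IAM pattern may span several fields; resource_matches() is authoritative."""
    for name, p, a in zip(ARN_FIELDS, pattern.split(":", 5), arn.split(":", 5)):
        if not resource_matches(p, a):
            return name
    return None


def statement_allows(stmt: dict, action: str, arn: str) -> bool:
    """Does a single Allow statement (as in the issue's policy fragment) cover action+ARN?"""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    return any(action_matches(a, action) for a in actions) and any(
        resource_matches(r, arn) for r in resources)
```

With the broken pattern the empty region field can never match `us-east-1`, so CreateQueue is denied before any request parameters are logged; the corrected pattern matches and the statement allows the call.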

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.