hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Timeout when creating/updating sqs_queue_policy without policy Version #29497

Open TannerWhite opened 1 year ago

TannerWhite commented 1 year ago

Terraform Core Version

1.3.1

AWS Provider Version

4.55.0

Affected Resource(s)

SQS Queue, SQS Queue Policy.

Expected Behavior

Successful creation/update of SQS Queue Policy.

Actual Behavior

During "terraform apply", the SQS queue policy creation times out after 2 minutes with the error listed below. The resources are successfully created, but the error is confusing and interrupts the rest of the process.

Relevant Error/Panic Output Snippet

Error: waiting for SQS Queue (https://sqs.us-east-1.amazonaws.com/460203893115/sqs-queue-policy-alerts-queue) attribute (Policy) create: timeout while waiting for state to become 'equal' (last state: 'notequal', timeout: 2m0s)
│
│   with aws_sqs_queue_policy.queue_access_policy,
│   on main.tf line 28, in resource "aws_sqs_queue_policy" "queue_access_policy":
│   28: resource "aws_sqs_queue_policy" "queue_access_policy" {

Terraform Configuration Files

terraform {
  required_version = ">=1.3.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=4.55.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "sqs_queue_policy_s3" {
  bucket = "sqs-queue-policy-test"
}

resource "aws_sqs_queue" "sqs_queue_policy_queue_test" {
  name = "sqs-queue-policy-test"
}

resource "aws_sqs_queue_policy" "queue_access_policy" {
  queue_url = aws_sqs_queue.sqs_queue_policy_queue_test.id

  policy = jsonencode({
    "Statement" : [
      {
        "Sid" : "SQS-Queue-Access-Policy",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "s3.amazonaws.com"
        },
        "Action" : "SQS:SendMessage",
        "Resource" : "${aws_sqs_queue.sqs_queue_policy_queue_test.arn}",
        "Condition" : {
          "ArnLike" : {
            "aws:SourceArn" : "${aws_s3_bucket.sqs_queue_policy_s3.arn}"
          }
        }
      }
    ]
  })
}

Steps to Reproduce

terraform apply

Debug Output

debug-pgp.log

Panic Output

No response

Important Factoids

Below are two snippets of code, the first one results in the timeout and the second one does not. AWS does successfully create the policy after a while and uses the default setting of "Version": "2008-10-17", but the AWS provider has difficulty processing that assumption. Explicitly providing a Version fixes the problem, but I'm not sure if enforcing a Version tag during validation is the right fix.

Timeout:

resource "aws_sqs_queue_policy" "queue_access_policy" {
  queue_url = aws_sqs_queue.sqs_queue_policy_queue_test.id

  # No "Version" key: SQS stores the policy with its default "2008-10-17"
  policy = jsonencode({
    "Statement" : [
      {
        "Sid" : "SQS-Queue-Access-Policy",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "s3.amazonaws.com"
        },
        "Action" : "SQS:SendMessage",
        "Resource" : "${aws_sqs_queue.sqs_queue_policy_queue_test.arn}",
        "Condition" : {
          "ArnLike" : {
            "aws:SourceArn" : "${aws_s3_bucket.sqs_queue_policy_s3.arn}"
          }
        }
      }
    ]
  })
}

No Timeout:

resource "aws_sqs_queue_policy" "queue_access_policy" {
  queue_url = aws_sqs_queue.sqs_queue_policy_queue_test.id

  # Explicit "Version": the stored policy matches what Terraform sent
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "SQS-Queue-Access-Policy",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "s3.amazonaws.com"
        },
        "Action" : "SQS:SendMessage",
        "Resource" : "${aws_sqs_queue.sqs_queue_policy_queue_test.arn}",
        "Condition" : {
          "ArnLike" : {
            "aws:SourceArn" : "${aws_s3_bucket.sqs_queue_policy_s3.arn}"
          }
        }
      }
    ]
  })
}

References

This issue has been reported a handful of times over the past 1-2 years (as far back as 3.7.*, I think), but I don't believe it's been fully addressed yet.

This comment was the smoking gun for me: https://github.com/hashicorp/terraform-provider-aws/issues/24046#issuecomment-1131913508

Would you like to implement a fix?

None
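The failure mode described under "Important Factoids" is a comparison problem: the policy Terraform sends has no "Version", the policy SQS hands back has "2008-10-17" stamped in (and may reorder keys), so a check that waits for the two documents to become textually 'equal' never succeeds. The following Go program is an added illustration of that mismatch and of the normalization a waiter would need to do before comparing; it is not the provider's own waiter or policy-comparison code. The sample policy documents, account ID and ARNs are constructed placeholders modelled on the snippets above, not values from the debug log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// DefaultPolicyVersion is what SQS stamps onto a policy whose JSON omits
// "Version", as the issue above reports.
const DefaultPolicyVersion = "2008-10-17"

// Constructed sample documents; account ID and ARNs are placeholders.
// DesiredNoVersion is what jsonencode() yields for the "Timeout" snippet.
const DesiredNoVersion = `{"Statement":[{"Sid":"SQS-Queue-Access-Policy","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com"},"Action":"SQS:SendMessage",
"Resource":"arn:aws:sqs:us-east-1:123456789012:sqs-queue-policy-test","Condition":{"ArnLike":{"aws:SourceArn":"arn:aws:s3:::sqs-queue-policy-test"}}}]}`

// ReturnedFromService models the Policy attribute read back after the write:
// Version injected and object keys reordered (constructed, not captured).
const ReturnedFromService = `{"Version":"2008-10-17","Statement":[{"Effect":"Allow","Sid":"SQS-Queue-Access-Policy","Action":"SQS:SendMessage",
"Principal":{"Service":"s3.amazonaws.com"},"Condition":{"ArnLike":{"aws:SourceArn":"arn:aws:s3:::sqs-queue-policy-test"}},
"Resource":"arn:aws:sqs:us-east-1:123456789012:sqs-queue-policy-test"}]}`

// Desired2012 is the "No Timeout" snippet: an explicit 2012-10-17 Version.
const Desired2012 = `{"Version":"2012-10-17","Statement":[{"Sid":"SQS-Queue-Access-Policy","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com"},"Action":"SQS:SendMessage",
"Resource":"arn:aws:sqs:us-east-1:123456789012:sqs-queue-policy-test","Condition":{"ArnLike":{"aws:SourceArn":"arn:aws:s3:::sqs-queue-policy-test"}}}]}`

// NaiveEqual is the comparison that never succeeds here: exact JSON text.
func NaiveEqual(a, b string) bool { return a == b }

// PoliciesEquivalent reports whether two policy documents mean the same thing
// after normalization, which is what a waiter must check before calling the
// stored attribute 'equal' to the desired one.
func PoliciesEquivalent(a, b string) (bool, error) {
	na, err := normalizePolicy(a)
	if err != nil {
		return false, err
	}
	nb, err := normalizePolicy(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(na, nb), nil
}

// normalizePolicy rewrites a policy into a canonical form: a missing Version
// becomes the service default, a lone Statement object becomes a one-element
// list, scalar Action/Resource values become sorted lists, and action names
// are lower-cased because IAM matches them case-insensitively. Parsed object
// keys are order-independent, so key reordering by the service costs nothing.
func normalizePolicy(doc string) (map[string]interface{}, error) {
	var p map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("invalid policy JSON: %w", err)
	}
	if _, ok := p["Version"]; !ok {
		p["Version"] = DefaultPolicyVersion
	}
	var stmts []interface{}
	switch s := p["Statement"].(type) {
	case []interface{}:
		stmts = s
	case map[string]interface{}:
		stmts = []interface{}{s}
	default:
		return nil, fmt.Errorf("policy has no Statement")
	}
	for _, raw := range stmts {
		st, ok := raw.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("statement is not an object")
		}
		for _, k := range []string{"Action", "NotAction", "Resource", "NotResource"} {
			v, ok := st[k]
			if !ok {
				continue
			}
			lst := toList(v)
			if k == "Action" || k == "NotAction" {
				for i, a := range lst {
					if str, ok := a.(string); ok {
						lst[i] = strings.ToLower(str)
					}
				}
			}
			sort.Slice(lst, func(i, j int) bool { return fmt.Sprint(lst[i]) < fmt.Sprint(lst[j]) })
			st[k] = lst
		}
	}
	// fmt prints maps with sorted keys, so this statement ordering is deterministic.
	sort.SliceStable(stmts, func(i, j int) bool { return fmt.Sprint(stmts[i]) < fmt.Sprint(stmts[j]) })
	p["Statement"] = stmts
	return p, nil
}

func toList(v interface{}) []interface{} {
	if l, ok := v.([]interface{}); ok {
		return append([]interface{}(nil), l...)
	}
	return []interface{}{v}
}

func main() {
	fmt.Println("exact text compare:", NaiveEqual(DesiredNoVersion, ReturnedFromService))
	eq, _ := PoliciesEquivalent(DesiredNoVersion, ReturnedFromService)
	fmt.Println("normalized compare, no Version vs stored:", eq)
	eq, _ = PoliciesEquivalent(Desired2012, ReturnedFromService)
	fmt.Println("normalized compare, 2012-10-17 vs stored 2008-10-17:", eq)
}
```

Note that the explicit-Version workaround only makes the naive comparison succeed because the document Terraform sends and the one SQS stores are then byte-identical; "2012-10-17" and "2008-10-17" are still different policy languages (the 2012 version adds policy variables), so a normalizer must not treat them as interchangeable.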

joberly commented 1 year ago

I've found that using an aws_iam_policy_document for the policy never works even when adding the version parameter as well. The way I ended up having to work around it was to use an inline policy string (including a "Version" key) for the policy parameter. If using the SQS module, don't use the create_queue_policy and related parameters, then just create the policy outside the module instantiation. Here's an example much like the comment from a similar issue here:

module "some_queue" {
  source = "terraform-aws-modules/sqs/aws"

  create_queue_policy = false # this is the default
  # other parameters here
}

resource "aws_sqs_queue_policy" "some_queue" {
  queue_url = module.some_queue.queue_url

  # Inline JSON with an explicit "Version" instead of aws_iam_policy_document.
  # A statement needs an "Action" (or "NotAction") to be a valid policy.
  policy = <<-EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SomePolicySid",
          "Effect": "Allow",
          "Principal": {
            "Service": "someservice.amazonaws.com"
          },
          "Action": "sqs:SendMessage",
          "Resource": "${module.some_queue.queue_arn}"
        }
      ]
    }
  EOT
}