hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: `r/aws_iam_policy`: Malformed `Condition` prevents subsequent modifications #39833

Open jar-b opened 1 hour ago

jar-b commented 1 hour ago

Terraform Core Version

1.9.5

AWS Provider Version

5.72.1

Affected Resource(s)

Expected Behavior

When malformed policy content is configured, the first apply should fail. Reverting or fixing the content should result in a successful apply.

Actual Behavior

When malformed policy content is configured, the first apply fails (expected).

│ Error: updating IAM Policy (arn:aws:iam::727561393803:policy/policy_zd163007): operation error IAM: CreatePolicyVersion, https response error StatusCode: 400, RequestID: 273b745a-e51c-49b7-bd12-1f08ee676a58, MalformedPolicyDocument: Syntax errors in policy

Then, all subsequent attempts to resolve the syntax error fail because the invalid JSON has been stored in state and cannot be parsed when checking equivalence with the remote policy content.

│ Error: while setting policy (), encountered: while checking equivalency of existing policy ({"Statement":[{"Action":["ec2:Describe*"],"Condition":{"ForAnyValue:StringLike":["aws:MultiFactorAuthAge"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}) and new policy ({"Statement":[{"Action":["ec2:Describe*"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}), encountered: parsing policy 1: parsing statement 1: 1 error(s) decoding:
│
│ * '[0].Condition[ForAnyValue:StringLike]' expected a map, got 'slice'

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {}

resource "aws_iam_policy" "policy" {
  name        = "policy_zd163007"
  path        = "/"
  description = "My test policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        # After successfully creating the policy, uncomment this malformed
        # condition and apply again, causing the unrecoverable state.
        # "Condition" : {
        #   "ForAnyValue:StringLike" : ["aws:MultiFactorAuthAge"]
        # }

        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

Steps to Reproduce

  1. Apply the configuration above.
  2. Uncomment the malformed Condition, apply. This should fail as expected.
  3. Comment out the problematic Condition and run plan or apply. Observe failure while setting the policy argument.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Relates #39202

Would you like to implement a fix?

None
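The equivalence failure this report describes, shown as an added Go example that is not the provider's own code: the two policy documents are constructed copies of the ones quoted in the error output, and the tolerateBadState switch is a hypothetical illustration of one way to keep an unparseable stored document from blocking a valid replacement.

```go
package main
import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Minimal IAM policy shape: a Condition is operator -> key -> value(s).
// Added example, not the provider's own policy-equivalence code.
type Statement struct {
	Effect    string                            `json:"Effect"`
	Action    []string                          `json:"Action"`
	Resource  string                            `json:"Resource"`
	Condition map[string]map[string]interface{} `json:"Condition,omitempty"`
}
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Constructed samples mirroring the two documents quoted in the error output;
// storedPolicy's Condition value is a list where IAM requires a map.
const (
	storedPolicy = `{"Statement":[{"Action":["ec2:Describe*"],"Condition":{"ForAnyValue:StringLike":["aws:MultiFactorAuthAge"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}`
	newPolicy    = `{"Statement":[{"Action":["ec2:Describe*"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}`
)

func parsePolicy(doc string) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parsing policy: %w", err)
	}
	return &p, nil
}
// equivalent compares stored and new documents. tolerateBadState=false is the
// reported behaviour (unparseable state is a hard error, so the fix never
// applies); true reports bad state as a diff but still rejects a bad new doc.
func equivalent(oldDoc, newDoc string, tolerateBadState bool) (bool, error) {
	newP, err := parsePolicy(newDoc)
	if err != nil {
		return false, fmt.Errorf("new policy: %w", err)
	}
	oldP, err := parsePolicy(oldDoc)
	if err != nil && tolerateBadState {
		return false, nil // report a diff instead of failing the update
	} else if err != nil {
		return false, fmt.Errorf("checking equivalency of existing policy: %w", err)
	}
	return reflect.DeepEqual(oldP, newP), nil
}
```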

github-actions[bot] commented 1 hour ago
