Then, all subsequent attempts to resolve the syntax error fail because the invalid JSON has been stored in state and cannot be parsed when checking equivalence with the remote policy content.
│ Error: while setting policy (), encountered: while checking equivalency of existing policy ({"Statement":[{"Action":["ec2:Describe*"],"Condition":{"ForAnyValue:StringLike":["aws:MultiFactorAuthAge"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}) and new policy ({"Statement":[{"Action":["ec2:Describe*"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}), encountered: parsing policy 1: parsing statement 1: 1 error(s) decoding:
│
│ * '[0].Condition[ForAnyValue:StringLike]' expected a map, got 'slice'
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {}

resource "aws_iam_policy" "policy" {
  name        = "policy_zd163007"
  path        = "/"
  description = "My test policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        # After successfully creating the policy, uncomment this malformed
        # condition and apply again, causing the unrecoverable state.
        # "Condition" : {
        #   "ForAnyValue:StringLike" : ["aws:MultiFactorAuthAge"]
        # }
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
Steps to Reproduce
1. Apply the configuration above.
2. Uncomment the malformed Condition, apply. This should fail as expected.
3. Comment out the problematic Condition and run plan or apply. Observe failure while setting the policy argument.
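The failure mode in the steps above is that a policy document AWS rejects still ends up in state, and every later plan then fails while parsing it. The check a practitioner would want is therefore a pre-apply validation of the rendered policy JSON, so the malformed document never reaches the provider. The following stand-alone Go program is an added example, not code from terraform-provider-aws or from this issue: it parses an IAM policy document and verifies that every Condition block has the shape operator -> condition key -> string or list of strings, which is exactly the shape the error message says is missing ("expected a map, got 'slice'"). It also accepts the single-object form of Statement that IAM allows, which goes beyond the list form shown in this issue. Both sample documents are constructed here: the malformed one is the "existing policy" from the error output, and the corrected one uses a value of "*" for aws:MultiFactorAuthAge purely as an assumption, since the issue does not say what the reporter intended.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Constructed sample: the malformed condition from the issue, where the operator
// "ForAnyValue:StringLike" carries a list instead of an object of condition keys.
const malformedPolicy = `{"Statement":[{"Action":["ec2:Describe*"],"Condition":{"ForAnyValue:StringLike":["aws:MultiFactorAuthAge"]},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}`

// Constructed sample: the same statement with the condition written as IAM expects
// (operator -> condition key -> value). The "*" value is an assumption for illustration.
const correctedPolicy = `{"Statement":[{"Action":["ec2:Describe*"],"Condition":{"ForAnyValue:StringLike":{"aws:MultiFactorAuthAge":["*"]}},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}`

// policyDoc keeps Statement raw because IAM allows either one object or a list.
type policyDoc struct {
	Version   string          `json:"Version"`
	Statement json.RawMessage `json:"Statement"`
}

// statement keeps each operator's value raw so the shape can be reported precisely.
type statement struct {
	Effect    string                     `json:"Effect"`
	Condition map[string]json.RawMessage `json:"Condition,omitempty"`
}

// ValidatePolicy returns nil for a well-formed document and an error naming the
// statement index and condition operator for a malformed one.
func ValidatePolicy(doc []byte) error {
	var p policyDoc
	if err := json.Unmarshal(doc, &p); err != nil {
		return fmt.Errorf("parsing policy: %w", err)
	}
	stmts, err := decodeStatements(p.Statement)
	if err != nil {
		return err
	}
	for i, s := range stmts {
		for op, raw := range s.Condition {
			if err := validateOperator(raw); err != nil {
				return fmt.Errorf("statement %d: condition operator %q: %w", i+1, op, err)
			}
		}
	}
	return nil
}

// decodeStatements accepts both the list and the single-object Statement forms.
func decodeStatements(raw json.RawMessage) ([]statement, error) {
	trimmed := bytes.TrimSpace(raw)
	if len(trimmed) == 0 {
		return nil, fmt.Errorf("policy has no Statement")
	}
	if trimmed[0] == '[' {
		var list []statement
		if err := json.Unmarshal(trimmed, &list); err != nil {
			return nil, fmt.Errorf("parsing Statement list: %w", err)
		}
		return list, nil
	}
	var single statement
	if err := json.Unmarshal(trimmed, &single); err != nil {
		return nil, fmt.Errorf("parsing Statement: %w", err)
	}
	return []statement{single}, nil
}

// validateOperator checks one operator value: it must be a JSON object whose
// values are strings or lists of strings.
func validateOperator(raw json.RawMessage) error {
	trimmed := bytes.TrimSpace(raw)
	if len(trimmed) == 0 || trimmed[0] != '{' {
		return fmt.Errorf("expected a map of condition keys, got %s", jsonKind(trimmed))
	}
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(trimmed, &keys); err != nil {
		return err
	}
	for key, val := range keys {
		var s string
		if json.Unmarshal(val, &s) == nil {
			continue
		}
		var list []string
		if json.Unmarshal(val, &list) == nil {
			continue
		}
		return fmt.Errorf("condition key %q: expected a string or list of strings, got %s",
			key, jsonKind(bytes.TrimSpace(val)))
	}
	return nil
}

// jsonKind names the JSON value type from its first byte, for error messages.
func jsonKind(b []byte) string {
	if len(b) == 0 {
		return "empty"
	}
	switch b[0] {
	case '[':
		return "slice"
	case '{':
		return "map"
	case '"':
		return "string"
	case 't', 'f':
		return "bool"
	case 'n':
		return "null"
	default:
		return "number"
	}
}

func main() {
	for name, doc := range map[string]string{"malformed": malformedPolicy, "corrected": correctedPolicy} {
		if err := ValidatePolicy([]byte(doc)); err != nil {
			fmt.Printf("%s: REJECT: %v\n", name, err)
		} else {
			fmt.Printf("%s: ok\n", name)
		}
	}
}
```

Run it over the output of `terraform show -json` or over the rendered policy before apply; a rejection means the document should never be handed to the provider. This prevents reaching the stuck state described in the issue; it does not repair a state file that already holds the malformed document.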
Terraform Core Version
1.9.5
AWS Provider Version
5.72.1
Affected Resource(s)
aws_iam_policy
Expected Behavior
When malformed policy content is configured, the first apply should fail. Reverting or fixing the content should result in a successful apply.
Actual Behavior
When malformed policy content is configured, the first apply fails (expected).
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
Relates #39202
Would you like to implement a fix?
None