hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: `aws_iam_role_policy` removes `:*` from resource #40083

Closed IskanderNovena closed 4 days ago

IskanderNovena commented 4 days ago

Terraform Core Version

1.9.7

AWS Provider Version

5.75.0

Affected Resource(s)

Expected Behavior

When providing a policy with a wildcard (in this case `:*`), the wildcard should also be included in the policy. This was tested with both jsonencode and HEREDOC.

Code:

resource "aws_iam_role_policy" "scheduler_execution" {
  name = "LambdaExecutionPolicy"
  role = aws_iam_role.scheduler_execution_role.name
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : "logs:CreateLogGroup",
        "Resource" : "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource" : [
          aws_cloudwatch_log_group.lamda_scheduler.arn,
        ]
      }
    ]
  })
}

Actual Behavior

After applying, the resource is written as `"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"`.

After manually changing it in the console and running a terraform plan, the following is shown:

  ~ resource "aws_iam_role_policy" "scheduler_execution" {
        id          = "lambda-execution-role:LambdaExecutionPolicy"
        name        = "LambdaExecutionPolicy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action   = "logs:CreateLogGroup"
                        Effect   = "Allow"
                        Resource = "arn:aws:logs:eu-central-1:000000000000:*"
                    },
                  ~ {
                      ~ Resource = [
                          ~ "arn:aws:logs:eu-central-1: 000000000000:log-group:/aws/lambda/loggroup:*" -> "arn:aws:logs:eu-central-1: 000000000000:log-group:/aws/lambda/loggroup",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudwatch_log_group" "lamda_scheduler" {
  name              = "/aws/lambda/loggroup"
  retention_in_days = 14
  lifecycle {
    prevent_destroy = false
  }
}

resource "aws_iam_role" "scheduler_execution_role" {
  name = "lambda-execution-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      },
    ]
  })
}

# Lambda execution role policy
resource "aws_iam_role_policy" "scheduler_execution" {
  name = "LambdaExecutionPolicy"
  role = aws_iam_role.scheduler_execution_role.name
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : "logs:CreateLogGroup",
        "Resource" : "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource" : [
          aws_cloudwatch_log_group.lamda_scheduler.arn,
        ]
      }
    ]
  })
}

Steps to Reproduce

Add the resources listed above and run a terraform plan to see that the `:*` isn't included in the policy.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
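A check that would have pinpointed which statement actually lost its wildcard, added here as an example and not code from the issue or the provider. It builds two constructed policy documents mirroring the plan output above (placeholder region and account id; only the log-stream statement's Resource differs) and reports, per statement, which Resource ARNs end in `:*` and where expected and applied disagree.

```python
import json

# Constructed sample, mirroring the plan output in the issue.
# Region and account id are placeholders, not real values.
LOG_GROUP_ARN = "arn:aws:logs:eu-central-1:000000000000:log-group:/aws/lambda/loggroup"


def policy_doc(stream_resource):
    """Render the role policy, with the given Resource in the log-stream statement."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup",
             "Resource": "arn:aws:logs:eu-central-1:000000000000:*"},
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": [stream_resource]},
        ],
    })


# What Terraform wants applied (the plan shows the log group ARN without ":*") ...
APPLIED = policy_doc(LOG_GROUP_ARN)
# ... versus the document the reporter expected (ARN edited in the console to end in ":*").
EXPECTED = policy_doc(LOG_GROUP_ARN + ":*")


def as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_report(policy_json):
    """One row per (statement index, resource) with whether the ARN ends in ':*'."""
    doc = json.loads(policy_json)
    return [{"statement": i, "actions": as_list(stmt["Action"]),
             "resource": res, "trailing_wildcard": res.endswith(":*")}
            for i, stmt in enumerate(as_list(doc["Statement"]))
            for res in as_list(stmt.get("Resource", []))]


def _base(arn):
    return arn[:-2] if arn.endswith(":*") else arn


def wildcard_mismatches(expected_json, actual_json):
    """Pair resources by statement index and wildcard-stripped ARN; return those that differ only in the trailing ':*'."""
    actual = {(r["statement"], _base(r["resource"])): r["resource"] for r in wildcard_report(actual_json)}
    diffs = []
    for r in wildcard_report(expected_json):
        key = (r["statement"], _base(r["resource"]))
        if key in actual and actual[key] != r["resource"]:
            diffs.append({"statement": r["statement"], "expected": r["resource"], "actual": actual[key]})
    return diffs


if __name__ == "__main__":
    for row in wildcard_report(APPLIED):
        print(row)
    for diff in wildcard_mismatches(EXPECTED, APPLIED):
        print("mismatch:", diff)
```

With a real plan, feed the `policy` attribute from `terraform show -json` into `wildcard_report` instead of the constructed documents.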


IskanderNovena commented 4 days ago

Okay, so double/triple-checking where I put the `:*` actually took me another go before realising I was comparing the wrong part of the policy 🤦

github-actions[bot] commented 4 days ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.