awscc_sqs_queue_inline_policy resource fails on apply with Invalid Parameter Error

[rhhanda]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.5.5 on linux_amd64

• provider registry.terraform.io/hashicorp/aws v5.14.0
• provider registry.terraform.io/hashicorp/awscc v0.59.0

Affected Resource(s)

• awscc_sqs_queue_inline_policy

Terraform Configuration Files

provider.tf

terraform {
  required_version = ">= 1.0.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.9.0"
    }
    awscc = {
      source  = "hashicorp/awscc"
      version = ">= 0.25.0"
    }
  }
}

# Configure the AWS Provider
provider "awscc" {
  region = "us-west-2"
}

provider "aws" {
  region = "us-west-2"
}

sqs.tf

resource "awscc_sqs_queue" "terraform_awscc_queue" {
  queue_name                        = "terraform-awscc-queue-example"
  delay_seconds                     = 90
  maximum_message_size              = 2048
  message_retention_period          = 86400
  receive_message_wait_time_seconds = 10
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]

}

resource "aws_sns_topic" "example" {
  name = "example-sns-topic"
}

resource "awscc_sqs_queue_inline_policy" "test" {
  queue = awscc_sqs_queue.terraform_awscc_queue.id
  policy_document = {
    Version = "2012-10-17"
    Statement =jsonencode([
      {
        Sid      = "First",
        Effect   = "Allow",
        Action   = "sqs:SendMessage",
        Resource = awscc_sqs_queue.terraform_awscc_queue.arn,
        Condition = {
          ArnEquals = {
            "aws:SourceArn" = aws_sns_topic.example.arn
          }
        }
      }
    ])
  }
}

Expected Behavior

SQS Inline policy is created and attached to sqs queue.

Actual Behavior

AWSCC provider failed to create the policy resource with following error:

awscc_sqs_queue_inline_policy.test: Creating...
╷
│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with awscc_sqs_queue_inline_policy.test,
│   on main.tf line 18, in resource "awscc_sqs_queue_inline_policy" "test":
│   18: resource "awscc_sqs_queue_inline_policy" "test" {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid value for the parameter Policy. (Service: Sqs, Status Code: 400, Request ID:
│ b117df1a-70e4-512d-b4d8-827c98e2a09f). ErrorCode: InvalidRequest

Steps to Reproduce

1. terraform apply

Important Factoids

No

Possible Cause

Looking at the CloudTrail events

    "eventTime": "2023-08-28T17:56:59Z",
    "eventSource": "sqs.amazonaws.com",
    "eventName": "SetQueueAttributes",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "InvalidAttributeValue",
    "errorMessage": "Invalid value for the parameter Policy.",
    "requestParameters": {
            "attributes": {
                    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":\"[{\\\"Action\\\":\\\"sqs:*\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\",\\\"Resource\\\":\\\"*\\\",\\\"Sid\\\":\\\"Stmt1693245053186\\\"}]\"}"
            },
            "queueUrl": "https://sqs.us-west-2.amazonaws.com/xxxxx/terraform-awscc-queue-example"
    },

for the above Action from CloudControl API in the backed it is making a SetQueueAttributes API call which supports Policy as the acceptable request parameters but awcc provider is sending policy_document as the request parameter and henceforth resulting in invalid request.

References

• https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/sqs_queue_inline_policy#policy_document

• https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html#API_SetQueueAttributes_RequestParameters

• 0000

[wellsiau-aws]

relates to #509