CloudFormation schema properties of type `object` with no nested properties are JSON strings

[ewbankkit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Description

The Terraform schema code generator currently handles CFN properties of type object with no sub-properties as a Terraform TypeMap: https://github.com/hashicorp/terraform-provider-awscc/blob/7f1d724fa0a081556fd48fcfa4d6c2a65ce8ae1a/internal/provider/generators/shared/codegen/emitter.go#L503-L512

In actuality, all resources which declare such properties are expecting JSON strings ({"key": "value", ...}). Modify the code generator and maybe runtime handling?

https://github.com/hashicorp/terraform-provider-awscc/blob/7f1d724fa0a081556fd48fcfa4d6c2a65ce8ae1a/internal/generic/translate.go#L223-L233

https://github.com/hashicorp/terraform-provider-awscc/blob/96c7ab7e79afe69fd4afaf15fe8d437989671967/internal/generic/translate.go#L127-L135

Relates: https://github.com/hashicorp/terraform-provider-awscc/issues/509.

[ewbankkit]

Blindly changing this affects these attributes:

• awscc_backup_plan.backup_plan.advance_backup_settings.backup_options
• awscc_codeartifact_domain.permissions_policy_document
• awscc_codeartifact_repository.permissions_policy_document
• awscc_codestarnotifications_notification_rule.tags
• awscc_vpc_endpoint.policy_document
• awscc_ecr_registry_policy.policy_text
• awscc_efs_file_system.file_system_policy
• awscc_eks_nodegroup.labels
• awscc_eks_nodegroup.tags
• awscc_events_archive.event_pattern
• awscc_eventschemas_registry_policy.policy
• awscc_finspace_environment.federation_parameters.attribute_map
• awscc_lex_resource_policy.policy
• awscc_memorydb_parameter_group.parameters
• awscc_mwaa_environment.airflow_configuration_options
• awscc_mwaa_environment.tags
• awscc_pinpoint_in_app_template.custom_config
• awscc_pinpoint_in_app_template.tags
• awscc_s3_access_point.policy
• awscc_s3_multi_region_access_point_policy.policy
• awscc_s3_storage_lens.storage_lens_configuration.data_export.s3_bucket_destination.encryption.sses3
• awscc_s3objectlambda_access_point_policy.policy_document
• awscc_s3outposts_access_point.policy
• awscc_s3outposts_bucket_policy.policy_document
• awscc_servicecatalogappregistry_attribute_group.attributes
• awscc_stepfunctions_state_machine.definition
• awscc_wafv2_logging_configuration.redacted_fields.json_body.match_pattern
• awscc_wafv2_logging_configuration.redacted_fields.method
• awscc_wafv2_logging_configuration.redacted_fields.query_string
• awscc_wafv2_logging_configuration.redacted_fields.uri_path

Spot-checking some of the non-obvious ones:

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-loggingconfiguration-fieldtomatch.html
• https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_SSES3.html

suggests that this change makes sense.

[ewbankkit]

Naive implementation leads to:

│ Error: AWS SDK Go Service Operation Unsuccessful
│ 
│   with awscc_s3_access_point.test,
│   on main.tf line 77, in resource "awscc_s3_access_point" "test":
│   77: resource "awscc_s3_access_point" "test" {
│ 
│ Calling Cloud Control API service CreateResource operation returned: operation error CloudControl: CreateResource, https response error
│ StatusCode: 400, RequestID: 20810c35-6eb2-40b6-b0f4-4abc5bacad21, api error ValidationException: Model validation failed (#/Policy: expected
│ type: JSONObject, found: String)

"Policy": {"Version": "2008-10-17", ... } vs. "Policy": "{\"Version\": \"2008-10-16\", ...}".

This can be mitigated by handling the special case of attributes of type JSONString in the generic Terraform to Cloud Control translator (internal/generic/translate.go) where the value will get marshalled as map[string]interface{}, not string.

[ewbankkit]

Currently a solution to this is blocked until https://github.com/hashicorp/terraform-plugin-framework/pull/178 has been implemented in the Framework, scheduled for v1.0.0. Without this enhancement terraform plan (resource Read) will always show a diff.

[ewbankkit]

https://github.com/hashicorp/terraform-provider-awscc/pull/537 (and the use of jsonencode(jsondecode(...)) in configuration) addresses this just for the AWS::NetworkManager::CoreNetwork.PolicyDocument special case as a breaking change (https://github.com/hashicorp/terraform-provider-awscc/issues/550) was introduced for this property.

[kadrach]

Semantic equality is now supported

See also https://github.com/hashicorp/terraform-plugin-framework/issues/803