
[Bug]: Value Conversion Error with aws_iam_role_policy_attachments_exclusive and null values for policy_arns #39786

Closed
matthewbarreiro opened this issue Oct 17, 2024 · 8 comments · Fixed by #40076
Assignees
Labels
bug Addresses a defect in current functionality. good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. service/iam Issues and PRs that pertain to the iam service.
Milestone

Comments

@matthewbarreiro

Terraform Core Version

1.9.8

AWS Provider Version

v5.72.0

Affected Resource(s)

aws_iam_role_policy_attachments_exclusive

Expected Behavior

If the policy_arns field should support null values (e.g. for use-cases such as this), then:

  • No Value Conversion error should be output
  • The null should be removed / handled / ignored at apply

Otherwise:

  • No Value Conversion error should be output
  • A more useful error should be output

Actual Behavior

I get a Value Conversion Error on terraform apply.

Relevant Error/Panic Output Snippet

│ Error: Value Conversion Error
│ 
│   with aws_iam_role_policy_attachments_exclusive.broken_example,
│   on main.tf line 55, in resource "aws_iam_role_policy_attachments_exclusive" "broken_example":
│   55: resource "aws_iam_role_policy_attachments_exclusive" "broken_example" {
│ 
│ An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:
│ 
│ Received null value, however the target type cannot handle null values. Use the corresponding `types` package type, a pointer type or a custom type that handles null values.
│ 
│ Path: [Value(<null>)]
│ Target Type: string
│ Suggested `types` Type: basetypes.StringValue
│ Suggested Pointer Type: *string

Terraform Configuration Files

terraform {
  required_version = ">= 1.3.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.72.0"
    }
  }
}

locals {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

variable "attach_specific_policy" {
  type    = bool
  default = false
}

resource "aws_iam_role" "working" {
  name               = "RoleToDemonstrateSuccess"
  assume_role_policy = local.assume_role_policy
}

resource "aws_iam_role" "broken" {
  name               = "RoleToDemonstrateFail"
  assume_role_policy = local.assume_role_policy
}

resource "aws_iam_role_policy_attachments_exclusive" "working_example" {
  role_name = aws_iam_role.working.name
  policy_arns = flatten([
    [
      "arn:aws:iam::aws:policy/AmazonS3FullAccess",
      "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    ],
    var.attach_specific_policy == true ? ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] : [],
  ])
}

resource "aws_iam_role_policy_attachments_exclusive" "broken_example" {
  role_name = aws_iam_role.broken.name
  policy_arns = [
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    var.attach_specific_policy == true ? "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" : null,
  ]
}

Steps to Reproduce

Run terraform init && terraform apply

Debug Output

Full debug output: debug_output.md

Output with Debug Logging Disabled:

 ➜ ☁ sbx01 bugreport git:(main) ✗ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 5.72.0"...
- Installing hashicorp/aws v5.72.1...
- Installed hashicorp/aws v5.72.1 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

 ➜ ☁ sbx01 bugreport git:(main) ✗ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role.broken will be created
  + resource "aws_iam_role" "broken" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "RoleToDemonstrateFail"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

  # aws_iam_role.working will be created
  + resource "aws_iam_role" "working" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "RoleToDemonstrateSuccess"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

  # aws_iam_role_policy_attachments_exclusive.broken_example will be created
  + resource "aws_iam_role_policy_attachments_exclusive" "broken_example" {
      + policy_arns = [
          + "arn:aws:iam::aws:policy/AmazonS3FullAccess",
          + "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
          + null,
        ]
      + role_name   = "RoleToDemonstrateFail"
    }

  # aws_iam_role_policy_attachments_exclusive.working_example will be created
  + resource "aws_iam_role_policy_attachments_exclusive" "working_example" {
      + policy_arns = [
          + "arn:aws:iam::aws:policy/AmazonS3FullAccess",
          + "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
        ]
      + role_name   = "RoleToDemonstrateSuccess"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_iam_role.broken: Creating...
aws_iam_role.working: Creating...
aws_iam_role.broken: Creation complete after 0s [id=RoleToDemonstrateFail]
aws_iam_role_policy_attachments_exclusive.broken_example: Creating...
aws_iam_role.working: Creation complete after 0s [id=RoleToDemonstrateSuccess]
aws_iam_role_policy_attachments_exclusive.working_example: Creating...
aws_iam_role_policy_attachments_exclusive.working_example: Creation complete after 1s
╷
│ Error: Value Conversion Error
│ 
│   with aws_iam_role_policy_attachments_exclusive.broken_example,
│   on main.tf line 53, in resource "aws_iam_role_policy_attachments_exclusive" "broken_example":
│   53: resource "aws_iam_role_policy_attachments_exclusive" "broken_example" {
│ 
│ An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:
│ 
│ Received null value, however the target type cannot handle null values. Use the corresponding `types` package type, a pointer type or a custom type that handles null values.
│ 
│ Path: [Value(<null>)]
│ Target Type: string
│ Suggested `types` Type: basetypes.StringValue
│ Suggested Pointer Type: *string
╵

Panic Output

No response

Important Factoids

It's possible this isn't supposed to work like this at all, though I still feel like the value conversion error should be handled regardless.

Side note: using "" instead of null for the right side of the conditional does not work either.

 var.attach_specific_policy == true ? "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" : "",

However, the AWS SDK returns an error for this case:

│ Error: creating AWS IAM (Identity & Access Management) Role Policy Attachments Exclusive ("RoleToDemonstrateFail01"): attaching IAM Policy () to IAM Role (RoleToDemonstrateFail01): operation error IAM: AttachRolePolicy, https response error StatusCode: 400, RequestID: <removed>, api error ValidationError: 1 validation error detected: Value '' at 'policyArn' failed to satisfy constraint: Member must have length greater than or equal to 20

References

No response

Would you like to implement a fix?

None

@matthewbarreiro matthewbarreiro added the bug Addresses a defect in current functionality. label Oct 17, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/iam Issues and PRs that pertain to the iam service. needs-triage Waiting for first response or review from a maintainer. labels Oct 17, 2024
@dimaman2001

Why not conditionally remove the null value with a for statement?

@matthewbarreiro
Author

I realize this may be unclear from my original issue - there are workarounds to achieve my desired behavior, such as my working_example or using a for statement.

But the error I received from Terraform explicitly said:

This is always an error in the provider. Please report the following to the provider developer:

And I figured if I didn't report it now, someone else would find it eventually. So I opened an issue.

@justinretzolk
Member

Hey @matthewbarreiro 👋 Thank you for taking the time to raise this! While I agree that there are definitely workarounds (outside of previous suggestions, compact() comes to mind), I also agree that with Terraform asking to report the error, this should be fixed more completely. With that in mind, I'll leave this open so that we can do that.
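The workarounds mentioned in the thread (the reporter's flatten() pattern, a for expression, and compact()), collected into one configuration as an added example; this is not code from the issue or from the provider. It reuses the reporter's variable and ARNs, assumes local.assume_role_policy from the reported configuration, and relies on compact() removing null as well as empty-string elements (Terraform 1.x). The precondition turns a stray null or malformed ARN into a readable plan-time error rather than the provider's Value Conversion Error.

```hcl
variable "attach_specific_policy" {
  type    = bool
  default = false
}

locals {
  # Policies attached unconditionally (the ARNs used in the report).
  base_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
  ]

  # The conditional from the report, which yields null when the flag is false.
  optional_policy_arn = var.attach_specific_policy ? "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" : null

  # Workaround A: compact() drops null and empty-string elements, so the null
  # produced by the conditional never reaches the provider.
  policy_arns_compact = compact(concat(local.base_policy_arns, [local.optional_policy_arn]))

  # Workaround B: a for expression with an `if` filter does the same explicitly;
  # it also works when optional attachments are kept in a map keyed by feature.
  optional_policy_arns = {
    ssm_core = local.optional_policy_arn
  }
  policy_arns_filtered = concat(
    local.base_policy_arns,
    [for k, arn in local.optional_policy_arns : arn if arn != null],
  )
}

resource "aws_iam_role" "example" {
  name               = "RoleToDemonstrateWorkaround" # constructed name
  assume_role_policy = local.assume_role_policy      # as defined in the reported config
}

resource "aws_iam_role_policy_attachments_exclusive" "example" {
  role_name   = aws_iam_role.example.name
  policy_arns = local.policy_arns_compact # or local.policy_arns_filtered

  lifecycle {
    # Fail at plan time with a clear message if a null or non-ARN value ever
    # slips into the list; can() returns false instead of erroring on null.
    precondition {
      condition     = alltrue([for arn in local.policy_arns_compact : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/.+$", arn))])
      error_message = "policy_arns must contain only non-null IAM managed policy ARNs."
    }
  }
}
```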

@justinretzolk justinretzolk added good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 21, 2024
@MS99-9
Contributor

MS99-9 commented Oct 27, 2024

Is anyone working on this issue? I want to try fixing it cc @justinretzolk

@jar-b jar-b self-assigned this Nov 11, 2024
@github-actions github-actions bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 11, 2024

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v5.76.0 milestone Nov 11, 2024
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Nov 14, 2024

This functionality has been released in v5.76.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2024