
SQS policies need access to their own ARN #4354

Closed
mdevs5531 opened this issue Dec 16, 2015 · 12 comments

Comments

@mdevs5531 (author)

Moving from thread: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/terraform-tool/Pw6Ffuw1Muc

SQS policies require the 'Resource' value to be set to their own ARN, which doesn't exist until after the queue is created. Because of this it's not possible to create a policy attached to an SQS queue with Terraform, either with an inline policy using ${self.arn} or with one rendered from a template resource, as both result in circular dependencies.

From @phinze "...from a brief look at the code it looks like we just need to avoid setting the Policy attribute during our call to CreateQueue, instead delaying it for a subsequent SetQueueAttributes call."


jemmyw commented Jan 8, 2016

+1, this bit me today


jemmyw commented Jan 9, 2016

Actually, it's possible to set the ARN in the policy on creation using known data:

"Resource": "arn:aws:sqs:${var.region}:${var.account_id}:queue-name"

@mdevs5531 (author)

That's similar to the workaround I'm using; however, with that approach I still get a diff for the queue policy every time I run terraform plan.


jemmyw commented Jan 29, 2016

@mdevs5531 I'm not sure that is related. I had a similar problem, and it appeared to be a whitespace or formatting issue. In the end I fixed it by copying the policy directly from the state file, so it looks like:

  policy = "{\"Version\":\"2012-10-17\",\"Id\":\"arn:aws:sqs:${var.region}:${var.account_id}:${element(split(",", var.stage_names), count.index)}-save-results/policy\",\"Statement\":[{\"Sid\":\"Sid1452335512675\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"SQS:*\",\"Resource\":\"arn:aws:sqs:${var.region}:${var.account_id}:${element(split(",", var.stage_names), count.index)}-save-results\",\"Condition\":{\"StringLike\":{\"aws:SourceArn\":\"arn:aws:sns:${var.region}:${var.account_id}:*\"}}}]}"

Harder to manage, but it does work.
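The two workarounds above (pre-computing the queue ARN from account and region, and hand-maintaining a single-line policy string so the plan stops showing a diff) can be combined. The following is an added example, not code posted by anyone in this thread: it assumes Terraform 0.12+ syntax, takes the account ID and region from the aws_caller_identity and aws_region data sources instead of variables, and renders the policy with jsonencode, which produces compact JSON with no whitespace to drift from what AWS stores. The queue and topic names are placeholders, and restricting the principal to the SNS service and the action to sqs:SendMessage is this example's hardening choice, not something the thread specifies.

```hcl
# Added example (not from the issue thread). Assumes Terraform 0.12+ and the
# AWS provider's aws_caller_identity / aws_region data sources; "orders" and
# "order-events" are placeholder names.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  queue_name = "orders"

  # Same ARN format as the workaround in the thread, but built from data
  # sources so it cannot drift from the account/region Terraform is running in.
  queue_arn = "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${local.queue_name}"

  # The only SNS topic allowed to deliver to the queue (placeholder name).
  topic_arn = "arn:aws:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:order-events"
}

resource "aws_sqs_queue" "orders" {
  name = local.queue_name

  # jsonencode emits canonical, whitespace-free JSON, so the stored policy
  # and the rendered one do not differ only in formatting.
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "${local.queue_arn}/policy"
    Statement = [{
      Sid       = "AllowOrderEventsTopicToSend"
      Effect    = "Allow"
      # Scoped to the SNS service and a single action rather than
      # Principal "*" with SQS:*; SNS only ever needs SendMessage.
      Principal = { Service = "sns.amazonaws.com" }
      Action    = "sqs:SendMessage"
      Resource  = local.queue_arn
      Condition = {
        # Exact topic ARN, not a wildcard, so other topics in the account
        # (or other accounts) cannot push into this queue.
        ArnEquals = { "aws:SourceArn" = local.topic_arn }
      }
    }]
  })
}
```

The ARN is deterministic because SQS queue ARNs are only a function of partition, region, account and queue name, which is why the workaround is safe to rely on before the queue exists; the remaining risk is a typo between local.queue_name and the name in the ARN, which keeping both in one local avoids.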

@sp-ludovic-ivain

-> #3549


mrwilby commented Mar 10, 2016

Also bit me today.


wsh commented Mar 21, 2016

+1 this is annoying me right now.

@rcousens

@phinze if I had to submit a PR to address this, would you prefer a 2-step operation or a second resource type for an SQS queue policy?

@devinsba

For anyone who is looking for a quick workaround, we came up with the following. Obviously it's not terribly clean to have it as a stack, but it will at least preserve the dependency tree:

resource "aws_cloudformation_stack" "security" {
  name = "security-settings"
  template_body = <<STACK
{
  "Resources" : {
    "sqsPolicy": {
       "Type" : "AWS::SQS::QueuePolicy",
       "Properties" : {
          "PolicyDocument" : {
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                  "SQS:SendMessage",
                  "SQS:ReceiveMessage"
                ],
                "Resource": "${aws_sqs_queue.queue_resource.arn}"
              },
              {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "SQS:*",
                "Resource": "${aws_sqs_queue.queue_resource.arn}"
              }
            ]
          },
          "Queues" : [ "${aws_sqs_queue.queue_resource.id}" ]
       }
    }
  }
}
STACK
}


conorgil commented Sep 8, 2016

I think this issue may be resolved by #8657 released in v0.7.3

radeksimko (Member) commented Sep 11, 2016

Correct, @conorgil, aws_sqs_queue_policy was meant to address this problem.
Documentation is at https://www.terraform.io/docs/providers/aws/r/sqs_queue_policy.html

Do let us know if you have any issues with this new resource.
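For readers landing here from search, the following is an added example of the resolution described above, not code from the issue or from the provider documentation: a queue, the SNS topic that feeds it, and an aws_sqs_queue_policy that is applied after the queue exists, so the policy can reference aws_sqs_queue.orders.arn directly with no circular dependency and no pre-computed ARN. It assumes Terraform 0.12+ syntax and the aws_iam_policy_document data source; the queue and topic names are placeholders.

```hcl
# Added example (not from the issue or the provider docs). Assumes Terraform
# 0.12+; "orders" and "order-events" are placeholder names.

resource "aws_sqs_queue" "orders" {
  name = "orders"
  # No inline policy here: the policy is attached by the separate resource
  # below, which is what breaks the self-reference cycle.
}

resource "aws_sns_topic" "order_events" {
  name = "order-events"
}

data "aws_iam_policy_document" "orders_queue" {
  statement {
    sid       = "AllowOrderEventsTopicToSend"
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.orders.arn] # real ARN, known after creation

    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }

    # Without this condition any SNS topic, in any account, could deliver
    # to the queue via the SNS service principal (a confused-deputy hole).
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.order_events.arn]
    }
  }
}

resource "aws_sqs_queue_policy" "orders" {
  queue_url = aws_sqs_queue.orders.id # the queue URL, which is what the API wants
  policy    = data.aws_iam_policy_document.orders_queue.json
}

resource "aws_sns_topic_subscription" "orders" {
  topic_arn = aws_sns_topic.order_events.arn
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.orders.arn
}
```

Because aws_sqs_queue_policy depends on the queue through its arn and id attributes, Terraform orders CreateQueue before SetQueueAttributes automatically; the queue itself never needs to know its own ARN. Building the document with aws_iam_policy_document rather than a heredoc also keeps the rendered JSON stable across plans.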


ghost commented Apr 22, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 22, 2020