hashibot commented on August 25, 2024

This comment was originally opened by @mroark1m as hashicorp/terraform#3517 (comment). It was migrated here as part of the provider split. The original comment is below.


I can confirm this issue, seeing the same thing.

from terraform-provider-aws.

hashibot commented on August 25, 2024

This comment was originally opened by @mattpminer as hashicorp/terraform#3517 (comment). It was migrated here as part of the provider split. The original comment is below.


I can confirm as well.

hashibot commented on August 25, 2024

This comment was originally opened by @jgross206 as hashicorp/terraform#3517 (comment). It was migrated here as part of the provider split. The original comment is below.


In fact, this issue is even worse. If a "terraform apply" of a modified AWS policy fails (e.g. with

  • aws_iam_policy.datadog: Error updating IAM policy [REDACTED]: MalformedPolicyDocument: Syntax errors in policy.
    status code: 400, request id: [REDACTED]

), then a subsequent "terraform plan" will say "No changes. Infrastructure is up-to-date." even though the infrastructure is decidedly not up-to-date.

hashibot commented on August 25, 2024

This comment was originally opened by @Ehekatl as hashicorp/terraform#3517 (comment). It was migrated here as part of the provider split. The original comment is below.


I can confirm this problem as well.
I have two S3 policies: one never changes, but the other one changes every time, as mentioned in #4948.
How could it be...

artburkart commented on August 25, 2024

I no longer see this behavior for aws_iam_policy in the latest version of the provider.
I used this:

resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Went into Console and changed "Allow" to "Deny", then did a terraform plan. Here is my output:

~ aws_iam_policy.policy
    policy: "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Action\": [\n                \"ec2:Describe*\"\n            ],\n            \"Effect\": \"Deny\",\n            \"Resource\": \"*\"\n        }\n    ]\n}" => "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"ec2:Describe*\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\n"

It wants to change "Deny" back to "Allow". And just to make sure there isn't any diffing problem here, I changed my tf conf to say "Deny" instead of "Allow" and the terraform plan came back clean.

If I'm not mistaken, I believe it was fixed by @tomwilkie when they implemented the aws_iam_policy import functionality here: hashicorp/terraform#9398 (comment). In that PR, the code starts taking the policy version into account and reading the policy back from AWS, which is the reason I think the diff wasn't getting picked up originally.

I believe this also addresses @jgross206 because I can't seem to repro it.
As for @Ehekatl's comment, if it still exists, then it should be reported in a different issue, since it doesn't use the same terraform resource.

from terraform-provider-aws.
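
Added example, not part of the thread or the provider's code: the plan output in the comment above compares two documents that differ in indentation as well as in "Effect", so an out-of-band drift check should compare parsed policies rather than raw strings. The names `PolicyDrift`, `normalize` and `listKeys` are hypothetical, and the sample documents are constructed from the policy in that comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// Added example, not provider code; all names here are hypothetical.
var listKeys = map[string]bool{"Statement": true, "Action": true, "Resource": true} // IAM accepts a value or a list

// normalize wraps single values in lists and sorts lists (element order carries no meaning in a policy).
func normalize(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if _, isList := val.([]interface{}); listKeys[k] && !isList {
				val = []interface{}{val}
			}
			t[k] = normalize(val)
		}
	case []interface{}:
		for i := range t {
			t[i] = normalize(t[i])
		}
		sort.SliceStable(t, func(i, j int) bool { return fmt.Sprint(t[i]) < fmt.Sprint(t[j]) })
	}
	return v
}

// PolicyDrift reports whether the remote document differs in meaning from the configured one.
func PolicyDrift(configured, remote string) (bool, error) {
	var docs [2]interface{}
	for i, s := range []string{configured, remote} {
		if err := json.Unmarshal([]byte(s), &docs[i]); err != nil {
			return false, fmt.Errorf("policy document %d: %w", i, err)
		}
	}
	return !reflect.DeepEqual(normalize(docs[0]), normalize(docs[1])), nil
}

func main() {
	cfg := `{"Version":"2012-10-17","Statement":[{"Action":["ec2:Describe*"],"Effect":"Allow","Resource":"*"}]}` // constructed
	remote := `{"Version":"2012-10-17","Statement":[{"Action":["ec2:Describe*"],"Effect":"Deny","Resource":"*"}]}`
	fmt.Println(PolicyDrift(cfg, remote))
}
```

A document that fails to parse is returned as an error instead of "no drift", so a malformed policy is never silently reported as up-to-date.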

radeksimko commented on August 25, 2024

Hi everyone,
@artburkart is right - I just verified this issue doesn't exist anymore (i.e. was fixed) in the latest provider version. It's very likely it was fixed a while back, so please try upgrading and let us know if the problem persists.

With that I'm closing this issue.
Thanks for reporting it.

 avatar commented on August 25, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
