
TF 0.12 data.aws_iam_policy_document still contains unknown values during apply #22424

Closed
GreenyMcDuff opened this issue Aug 10, 2019 · 6 comments
Labels
bug config core v0.12 Issues (primarily bugs) reported against v0.12 releases

Comments

@GreenyMcDuff

Terraform Version

v0.12.6

Terraform Configuration Files

locals {
  bucket_name_prefix = "${var.service_name}-${var.account_id}"
}

module "app_logs_bucket" {
  source = "../modules-generic/s3-versioned-bucket/"
  
  create      = var.create
  name        = "${local.bucket_name_prefix}-app-logs"
  kms_key_arn = data.terraform_remote_state.this.outputs.kms_key_arn
}

resource "aws_s3_bucket_policy" "logs" {
  count  = var.create ? 1 : 0
  bucket = module.app_logs_bucket[0].name
  policy = data.aws_iam_policy_document.app_logs_bucket[0].json

  depends_on = [module.app_logs_bucket]
}

data "aws_iam_policy_document" "app_logs_bucket" {
  count = var.create ? 1 : 0

  statement {
    sid = "Admin access"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }

    resources = [
      "arn:aws:s3:::${module.app_logs_bucket[0].name}",
      "arn:aws:s3:::${module.app_logs_bucket[0].name}/*"
    ]

    actions = ["s3:*"]
  }
}

// s3-versioned-bucket module code

resource "aws_s3_bucket" "this" {
  count  = var.create ? 1 : 0
  bucket = var.name
  acl    = "private"
  
  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = var.kms_key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  lifecycle_rule {
    prefix  = "*"
    enabled = true

    noncurrent_version_expiration {
      days = var.version_expiration_days
    }
  }
}

resource "aws_s3_bucket_public_access_block" "this" {
  count  = var.create ? 1 : 0
  
  bucket = aws_s3_bucket.this[0].id

  block_public_acls       = var.block_public_acls
  block_public_policy     = var.block_public_policy
  ignore_public_acls      = var.ignore_public_acls
  restrict_public_buckets = var.restrict_public_buckets
}

Expected Behavior

The Bucket Policy should have been created and attached to the S3 Bucket.

Actual Behavior

Terraform throws the following error on apply:

Error: configuration for data.aws_iam_policy_document.app_logs_bucket[0] still contains unknown values during apply (this is a bug in Terraform; please report it!)

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply

Additional Context

This worked with v0.11.14

Hardcoding the bucket name in the aws_s3_bucket_policy resource and the aws_iam_policy_document data resolves the issue:

resource "aws_s3_bucket_policy" "logs" {
  count  = var.create ? 1 : 0
  bucket = "service-111111111111-app-logs" #module.app_logs_bucket[0].name
  policy = data.aws_iam_policy_document.app_logs_bucket[0].json

  depends_on = [module.app_logs_bucket]
}

data "aws_iam_policy_document" "app_logs_bucket" {
  count = var.create ? 1 : 0

  statement {
    sid = "Admin access"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"] #["arn:aws:iam::${var.account_id}:root"]
    }

    resources = [
      "arn:aws:s3:::service-111111111111-app-logs",
      "arn:aws:s3:::service-111111111111-app-logs/*"
    ]

    # resources = [
    #   "arn:aws:s3:::${module.app_logs_bucket[0].name}",
    #   "arn:aws:s3:::${module.app_logs_bucket[0].name}/*"
    # ]

    actions = ["s3:*"]
  }
}

References

Possibly related to

@ghost

ghost commented Aug 15, 2019

Same issue here.

Terraform apply:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.data_dev_bucket will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "data_dev_bucket"  {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "*",
            ]
          + effect    = "Deny"
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "Bool"
              + values   = [
                  + "false",
                ]
              + variable = "aws:SecureTransport"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "*"
            }
        }
    }

Plan: 0 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "prod-dan"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Error: configuration for data.aws_iam_policy_document.data_dev_bucket still contains unknown values during apply (this is a bug in Terraform; please report it!)


Releasing state lock. This may take a few moments...

My tf template is even simpler; the only dynamic resource is the resource reference:

data "aws_iam_policy_document" "data_dev_bucket" {
  # Only allow TLS communication with the bucket contents
  statement {
    effect = "Deny"
    actions = [
      "*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      "${aws_s3_bucket.data_dev[0].arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

@nozaq
Contributor

nozaq commented Aug 17, 2019

Seems terraform returns the "... still contains unknown values during apply" error when aws_iam_policy_document contains an array element expression with an invalid index.

I was able to reproduce this error with the following code.

provider "aws" {
  region = "us-east-1"
}

resource "null_resource" "foo" {
  count = 0
}

data "aws_iam_policy_document" "bar" {
  statement {
    actions   = ["*"]
    resources = ["${null_resource.foo[0].id}"]
  }
}

null_resource.foo[0] does not exist since its count value is 0.
terraform returns Error: configuration for data.aws_iam_policy_document.bar still contains unknown values during apply (this is a bug in Terraform; please report it!) when applying it. terraform apply succeeds when the count parameter in the foo resource is set to 1.
The error message is a bit misleading though: the reason it fails to apply the above code is not unknown values, but that null_resource.foo[0] does not exist.

Not sure it's the root cause of the issue reported here though; I guess it's worthwhile to check whether there are any errors in the expressions used in data.aws_iam_policy_document?
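The shape nozaq isolates (a `[0]` index on something whose `count` can be 0) is also the shape of the original report, where `module.app_logs_bucket[0].name` feeds a `count`-guarded data source, and of ghost's `aws_s3_bucket.data_dev[0].arn` reference. The Terraform 0.12 configuration below is an added example, not code from this issue or from the Terraform project. It assumes the module's `name` output was a list produced by a splat (the issue does not show the module's outputs), and replaces it with string outputs built from `join("", ...)`, which evaluate to `""` rather than raising an invalid-index error when the bucket has `count = 0`; the consumer then references the outputs only inside the same `var.create` guard. The policy combines the report's account-root admin statement with the TLS-only Deny from ghost's comment, listing the bucket ARN as well as the object ARNs so that `ListBucket` over plain HTTP is denied too. `app_logs_bucket`, `var.create`, `var.account_id`, `var.service_name` and the module path are taken from the report; `var.account_id` is assumed to be the 12-digit account number as a string.

```hcl
# --- modules-generic/s3-versioned-bucket/outputs.tf (added example) ---
# With count = 0 the splat is an empty list, so join() yields "" instead of the
# "Invalid index" failure that 0.12 surfaces as "still contains unknown values".
output "name" {
  value = join("", aws_s3_bucket.this.*.id)
}

output "arn" {
  value = join("", aws_s3_bucket.this.*.arn)
}

# --- root module (added example) ---
locals {
  bucket_name_prefix = "${var.service_name}-${var.account_id}"
  bucket_count       = var.create ? 1 : 0
}

module "app_logs_bucket" {
  source      = "../modules-generic/s3-versioned-bucket/"
  create      = var.create
  name        = "${local.bucket_name_prefix}-app-logs"
  kms_key_arn = data.terraform_remote_state.this.outputs.kms_key_arn
}

data "aws_iam_policy_document" "app_logs_bucket" {
  # Same guard as the module: when var.create is false this block is never
  # instantiated, so the module outputs below are never indexed or evaluated.
  count = local.bucket_count

  # Account-root admin access, as in the original report.
  statement {
    sid     = "AdminAccess"
    actions = ["s3:*"]
    resources = [
      module.app_logs_bucket.arn,
      "${module.app_logs_bucket.arn}/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }
  }

  # Deny every request that is not made over TLS. Covering the bucket ARN as
  # well as the object ARNs means ListBucket over plain HTTP is denied, not
  # only GetObject/PutObject on objects.
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      module.app_logs_bucket.arn,
      "${module.app_logs_bucket.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  count  = local.bucket_count
  bucket = module.app_logs_bucket.name
  policy = data.aws_iam_policy_document.app_logs_bucket[0].json
}
```

`terraform plan` with `create = false` should now show nothing to read or create, and with `create = true` the data source reads at plan time because every value it needs is known; if the "still contains unknown values" message still appears, look for a remaining `[0]` on an expression that can be empty before treating it as a Terraform bug.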

@rlees85

rlees85 commented Aug 18, 2019

Still not working for me either

###############################################################################

data "template_file" "samba_server_setup_script" {
  template = file(format("%s/samba-server-setup.sh.tpl", local.tools))

  vars = {
    "region"      = var.region
    "env_name"    = var.env_name
    "vpc_name"    = var.vpc_name
    "user_name"   = var.samba_user_name
    "efs_mount"   = var.samba_efs_mountpoint
    "extra_init"  = var.client
    "efs_address" = module.commerce_efs.route53_records_name
    "stream_name" = var.stream_name
  }
}

###############################################################################

Using the output of a module as an input to this data source still does not work; it was absolutely fine on Terraform 0.11.

edit: oddly that output route53_records_name is a join on a splat of one value.

@jbardin jbardin added the core label Aug 19, 2019
@jbardin
Member

jbardin commented Aug 20, 2019

Thanks @nozaq, that is indeed the root cause in this situation.
It turns out the data source has some extra validation that is catching the configuration error, though it is unfortunately not mapped back to a useful configuration error and reported as a terraform bug.

@dsnellgrove, since you seem to have the next smallest configuration, can you make a more complete example to confirm if aws_s3_bucket.data_dev[0].arn is a valid reference in your config?

@hashibot hashibot added the v0.12 Issues (primarily bugs) reported against v0.12 releases label Aug 22, 2019
@jbardin
Member

jbardin commented Oct 17, 2019

Closed by #22846

@jbardin jbardin closed this as completed Oct 17, 2019
@ghost

ghost commented Nov 17, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Nov 17, 2019