S3 bucket with policy is always changed #5613

Closed
joshuaspence opened this issue Mar 14, 2016 · 8 comments

@joshuaspence
Contributor

I have some Terraform code which looks like this (I have simplified it in an attempt to provide a MWE):

resource "aws_s3_bucket" "test" {
  bucket = "test-mzxdksdrdjkags"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::test-mzxdksdrdjkags/*"
    }
  ]
}
EOF
}

Every time that I run terraform plan or terraform apply, changes are reported:

~ aws_s3_bucket.test
    policy: "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"arn:aws:s3:::test-mzxdksdrdjkags/*\",\"Sid\":\"\"}],\"Version\":\"2008-10-17\"}" => "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"arn:aws:s3:::test-mzxdksdrdjkags/*\"}],\"Version\":\"2008-10-17\"}"


Plan: 0 to add, 1 to change, 0 to destroy.
@Shruti29

Not sure if this is a terraform related issue.

If you change your template file to

resource "aws_s3_bucket" "test" {
  bucket = "test-mzxdksdrdjkags"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid":"",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::test-mzxdksdrdjkags/*"
    }
  ]
}
EOF
}

Referred Bucket policy example: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The SID value if empty is specified with a null string.

I don't see the issue after the above change.

@catsby
Contributor

catsby commented Mar 14, 2016

Hello – As @Shruti29 points out, the empty "Sid":"" is necessary here. I believe it's this way if you were to create it via the web console as well.

Sorry for the trouble, but this looks like a policy formatting issue and not a Terraform issue, so I'm going to close this. Let us know if you have other questions.

@catsby catsby closed this as completed Mar 14, 2016
@joshuaspence
Contributor Author

Even with "Sid": "" I still have the same issue.

@joshuaspence
Contributor Author

I think it's more than just "Sid": "", let me experiment.

@joshuaspence
Contributor Author

It seems that specifying actions as an array also causes issues:

resource "aws_s3_bucket" "test" {
  bucket = "test-mzxdksdrdjkags"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::test-mzxdksdrdjkags/*"
    }
  ]
}
EOF
}

@l2ol33rt

l2ol33rt commented Jun 2, 2016

I'm seeing a similar issue on v0.6.16:

resource "aws_s3_bucket" "mybucket" {
    bucket = "mybucket.com"
    acl = "public-read"
    policy = <<POLICY
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::mybucket.com/*"]
    }
  ]
}
POLICY
    website {
        index_document = "index.html"
    }
}

Output from a plan after it's already been applied:

Path: plan.state

~ aws_s3_bucket.mybucket
    policy: "{\"Statement\":[{\"Action\":\"s3:GetObject\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"arn:aws:s3:::mybucket.com/*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}" => "{\"Statement\":[{\"Action\":[\"s3:GetObject\"],\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":[\"arn:aws:s3:::mybucket.com/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}"

I originally had a sid and changed it to empty but that didn't seem to help.

Terraform v0.6.16
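
Both plan diffs quoted in this thread differ only in JSON spelling: an empty Sid in one case, a one-element array versus a bare string in the other. The following is an added example, not part of the thread and not Terraform's own code: it canonicalizes two policy documents before comparing them, so cosmetic drift is ignored while a real permission change still shows up. It assumes an empty Sid can be treated as absent; the function names are hypothetical, and the four sample strings are the policy values from the two diffs above.

```python
import json

# Statement elements where "x" and ["x"] express the same value.
LIST_OR_SCALAR = ("Action", "NotAction", "Resource", "NotResource")

# Policy strings copied from the two plan diffs quoted in this thread.
STATE_1 = '{"Statement":[{"Action":"s3:*","Effect":"Allow","Principal":"*","Resource":"arn:aws:s3:::test-mzxdksdrdjkags/*","Sid":""}],"Version":"2008-10-17"}'
CONFIG_1 = '{"Statement":[{"Action":"s3:*","Effect":"Allow","Principal":"*","Resource":"arn:aws:s3:::test-mzxdksdrdjkags/*"}],"Version":"2008-10-17"}'
STATE_2 = '{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Principal":"*","Resource":"arn:aws:s3:::mybucket.com/*","Sid":""}],"Version":"2012-10-17"}'
CONFIG_2 = '{"Statement":[{"Action":["s3:GetObject"],"Effect":"Allow","Principal":"*","Resource":["arn:aws:s3:::mybucket.com/*"],"Sid":""}],"Version":"2012-10-17"}'


def _as_sorted_list(value):
    """Return a scalar or a list as a sorted, de-duplicated list."""
    items = value if isinstance(value, list) else [value]
    return sorted(set(items))


def normalize_statement(stmt):
    """Canonicalize one statement without changing what it grants."""
    out = {}
    for key, value in stmt.items():
        if key == "Sid" and value == "":
            continue  # assumption: an empty Sid is the same as no Sid
        if key in LIST_OR_SCALAR:
            value = _as_sorted_list(value)
        elif key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            value = {k: _as_sorted_list(v) for k, v in value.items()}
        out[key] = value
    return out


def normalize_policy(text):
    """Parse a policy document and return its canonical JSON string."""
    doc = json.loads(text)
    doc["Statement"] = [normalize_statement(s) for s in doc.get("Statement", [])]
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def policies_equivalent(a, b):
    """True when two policy strings differ only in JSON spelling."""
    return normalize_policy(a) == normalize_policy(b)


if __name__ == "__main__":
    print("first diff is cosmetic: ", policies_equivalent(STATE_1, CONFIG_1))
    print("second diff is cosmetic:", policies_equivalent(STATE_2, CONFIG_2))
```

Condition blocks are compared as written; only the elements listed in `LIST_OR_SCALAR` and map-style principals are canonicalized.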

@jaygorrell

This is a duplicate of #4948 for anyone trying to track it down.

@ghost

ghost commented Apr 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 25, 2020