SQS policy with self value doesn't work

Roberto Chessa

Nov 12, 2015, 5:25:36 PM
to Terraform
Hi all,

I've tried to set up an SQS policy in this way:

resource "aws_sqs_queue" "transcoding_queue" {
  name   = "${lookup(var.aws_tr_queue_name,var.aws_region)}"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SQS:SendMessage"
      ],
      "Resource": "${self.arn}",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:${lookup(var.aws_wz_s3,var.aws_region)}"
        }
      }
    }
  ]
}
EOF
}


and this is the error message:

* resource 'aws_sqs_queue.transcoding_queue' config: cannot contain self-reference self.arn

Is there another way to do this?

r.



Michael Sokolsky

Dec 11, 2015, 3:49:29 PM
to Terraform
Roberto,

I'm having the same problem.  Has anyone gotten this to work?

SQS attached policies use the queue's own ARN as the Resource. Terraform seems to try to create the queue and the policy in a single step, rather than allow a dependency (i.e. create_queue_policy depends_on create_queue), which seems like it would require the policy to be another resource. Hopefully I'm missing something or this is a fundamental problem with the implementation of SQS policies in Terraform. For now I'm creating the policies with an empty Resource string and manually updating them from the console.

An interesting side note: if you enter an SQS policy directly in the web interface and leave the Resource string blank or put something other than the correct ARN in there, it seems to automatically update the Resource value to be the correct ARN. However, when created via Terraform, it leaves the empty Resource value intact.

Cheers,
Mike

Paul Hinze

Dec 15, 2015, 4:53:37 PM
to terrafo...@googlegroups.com
Hey folks,

This sounds reportable as a GitHub issue - from a brief look at the code it looks like we just need to avoid setting the Policy attribute during our call to CreateQueue, instead delaying it for a subsequent SetQueueAttributes call.

Paul
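
The create-then-attach ordering discussed in this thread can also be written as two resources, so the policy refers to the queue's ARN by resource name instead of `self`. This is an added example, not configuration from the thread or from the Terraform project; it assumes an AWS provider version that ships the `aws_sqs_queue_policy` resource (not mentioned in the thread) and reuses the variable names from the original post.

```hcl
# Added example. Assumes the aws_sqs_queue_policy resource is available in
# the AWS provider in use; variable names are taken from the original post.

# Step 1: create the queue with no inline policy.
resource "aws_sqs_queue" "transcoding_queue" {
  name = "${lookup(var.aws_tr_queue_name, var.aws_region)}"
}

# Step 2: attach the policy once the queue exists. Referencing the queue's
# attributes creates the dependency, so its ARN is known at this point.
resource "aws_sqs_queue_policy" "transcoding_queue" {
  queue_url = "${aws_sqs_queue.transcoding_queue.id}"

  policy = <<EOF
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SQS:SendMessage"
      ],
      "Resource": "${aws_sqs_queue.transcoding_queue.arn}",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:${lookup(var.aws_wz_s3, var.aws_region)}"
        }
      }
    }
  ]
}
EOF
}
```

With `"AWS": "*"` as the principal, the `aws:SourceArn` condition is the only thing limiting who can send to the queue, so it should stay in place whenever the policy is moved or rewritten.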
