AWS SQS Policy: InvalidAttributeValue - Version 0.7.45 - very stuck.


Lars Sommer

Sep 26, 2016, 2:35:12 PM
to Terraform
Hello,

   I am trying to create an AWS IAM policy to apply to a series of AWS queues so that instance A has access to queue A, B has access to B, and so on. To this end, I have the following policy resource which I cannot get to create successfully:

References:

resource "aws_sqs_queue" "vault_unseal" {
  count = "${var.vault_unseal_count}"

  name = "${var.org}-${var.env}-vault-unseal-${count.index}"
}

resource "aws_sqs_queue_policy" "vault_unseal" {
  count = "${var.vault_unseal_count}"

  queue_url = "${element(aws_sqs_queue.vault_unseal.*.id, count.index)}"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "Policy1461268019586",
  "Statement": [
    {
      "Sid": "VaultServers",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": {"AWS":"${element(aws_sqs_queue.vault_unseal.*.arn, count.index)}"}
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": {"AWS":"${aws_iam_role.vault_server.arn}"}
        }
      }
    },
    {
      "Sid": "VaultUnseal${count.index}"
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": {"AWS":"${element(aws_sqs_queue.vault_unseal.*.arn, count.index)}"}
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": {"AWS":"${element(aws_iam_role.vault_unseal.*.name, count.index)}"}
        }
      }
    }
  ]
}
POLICY
}

And lastly, an example of the resultant (poorly formatted for reading) policy from the output of terraform apply --target=aws_sqs_queue.vault_unseal

aws_sqs_queue_policy.vault_unseal.0: Creating...
  policy:    "" => "{\n  \"Version\": \"2012-10-17\",\n  \"Id\": \"Policy1461268019586\",\n  \"Statement\": [\n    {\n      \"Sid\": \"VaultServers\",\n      \"Effect\": \"Allow\",\n      \"Principal\": \"*\",\n      \"Action\": \"sqs:SendMessage\",\n      \"Resource\": {\"AWS\":\"arn:aws:sqs:us-west-2:(ACCOUNT REDACTED):lx-dev-ops-vault-unseal-0\"}\n      \"Condition\": {\n        \"ArnEquals\": {\n          \"aws:SourceArn\": {\"AWS\":\"arn:aws:iam::(ACCOUNT REDACTED):role/vault-server-us-west-2-dev-ops\"}\n        }\n      }\n    },\n    {\n      \"Sid\": \"VaultUnseal0\"\n      \"Effect\": \"Allow\",\n      \"Principal\": \"*\",\n      \"Action\": [\n        \"sqs:DeleteMessage\",\n        \"sqs:ReceiveMessage\"\n      ],\n      \"Resource\": {\"AWS\":\"arn:aws:sqs:us-west-2:(ACCOUNT REDACTED):lx-dev-ops-vault-unseal-0\"}\n      \"Condition\": {\n        \"ArnEquals\": {\n          \"aws:SourceArn\": {\"AWS\":\"vault-unseal-0-us-west-2-dev-ops\"}\n        }\n      }\n    }\n  ]\n}\n"
  queue_url: "" => "https://sqs.us-west-2.amazonaws.com/(ACCOUNT REDACTED)/lx-dev-ops-vault-unseal-0"

Two more are created, as appropriate, but the output is the same with 1 and 2 instead of 0.

Lars Sommer

Sep 26, 2016, 3:46:28 PM
to Terraform
Disregard. I had an SQS policy error that was found by manually generating a policy using their tool and then comparing that policy to my Terraform code.
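Editor's note, added to this thread and not part of either post: the heredoc above fails for reasons that are visible in the rendered output. It is not valid JSON (commas are missing after both "Resource" lines and after the second "Sid"), "Resource" is written as an {"AWS": ...} object where SQS expects a string or list of strings, the condition values are objects rather than strings, and the second statement passes the role's name instead of its ARN. The more important point is the choice of "Principal": "*" guarded by aws:SourceArn: that key is only populated when an AWS service (SNS, S3 events, and so on) calls SQS on behalf of one of its resources, so a request signed by an EC2 instance's role never carries it. The guard can never match, and if it were dropped while debugging, each queue would be open to any caller. The per-role restriction belongs in "Principal". The corrected resource below keeps the original names (aws_sqs_queue.vault_unseal, aws_iam_role.vault_server, aws_iam_role.vault_unseal, var.vault_unseal_count) and assumes one aws_iam_role.vault_unseal per queue, created with the same count.

```hcl
# Added example, not the original poster's code. Resource names are taken
# from the post; aws_iam_role.vault_unseal is assumed to be a counted
# resource with the same count as the queues, so index N pairs role N
# with queue N.
resource "aws_sqs_queue_policy" "vault_unseal" {
  count = "${var.vault_unseal_count}"

  # The SQS queue's id attribute is its URL, which this resource expects.
  queue_url = "${element(aws_sqs_queue.vault_unseal.*.id, count.index)}"

  # Resource is a plain string, and the caller is pinned with Principal
  # rather than with aws:SourceArn, which only AWS services set.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "VaultUnseal${count.index}",
  "Statement": [
    {
      "Sid": "VaultServers",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_role.vault_server.arn}"
      },
      "Action": "sqs:SendMessage",
      "Resource": "${element(aws_sqs_queue.vault_unseal.*.arn, count.index)}"
    },
    {
      "Sid": "VaultUnseal${count.index}",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${element(aws_iam_role.vault_unseal.*.arn, count.index)}"
      },
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "${element(aws_sqs_queue.vault_unseal.*.arn, count.index)}"
    }
  ]
}
POLICY
}
```

Two checks worth doing: terraform plan renders the interpolated policy, so paste the rendered value into any JSON validator before applying, since Terraform does not parse the heredoc for you; and after apply, aws sqs get-queue-attributes --queue-url "$URL" --attribute-names Policy shows exactly what SQS stored, which is the document that will be enforced. Generating the document with the aws_iam_policy_document data source instead of a heredoc avoids the comma and shape mistakes altogether, because the provider emits the JSON.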