Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement]: Emit warnings on IAM policy creation when duplicate keys are configured #33026

Closed
breathingdust opened this issue Aug 15, 2023 · 3 comments · Fixed by #33570
Closed

[Enhancement]: Emit warnings on IAM policy creation when duplicate keys are configured #33026

breathingdust opened this issue Aug 15, 2023 · 3 comments · Fixed by #33570
Assignees
@jar-b
Labels
enhancement Requests to existing resources that expand the functionality or scope. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. proposal Proposes new design or functionality. service/iam Issues and PRs that pertain to the iam service.
Milestone
v5.19.0

Comments

@breathingdust
Copy link
Member

breathingdust commented Aug 15, 2023
edited by jar-b

Description

This enhancement proposal stems from this issue raised in Terraform Core where values in a map object can be squashed when duplicate keys are supplied. See the linked issue for a detailed discussion of the root causes and proposed solutions at the core level.

In the AWS provider we could potentially emit warnings when an IAM policy is configured with duplicate Condition keys, either within a raw JSON string or via the condition block of an aws_iam_policy_document data source. Because this scenario could lead to an overly permissive policy under certain conditions, these arguably these should be errors, but introducing errors would constitute a breaking change. We may introduce warnings at this time, and move to errors in the next major version.

This would need to be performed both on on the raw string as input for the aws_iam_role / aws_iam_policy / aws_iam_role_policy resources, as well as the more structured input of the aws_iam_policy_document. If the practitioner has used jsonencode() in their configuration, then the input would have already been squashed by the time the provider sees it, and no warning will be possible.

This behavior should also be thoroughly documented in the respective registry documentation, and potentially in the Developer Guide.

Affected Resource(s) and/or Data Source(s)

  • aws_iam_role
  • aws_iam_policy
  • aws_iam_policy_document
  • aws_iam_role_policy

Potential Terraform Configuration

No response

References

Would you like to implement a fix?

None
@breathingdust breathingdust added enhancement Requests to existing resources that expand the functionality or scope. proposal Proposes new design or functionality. labels Aug 15, 2023
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/iam Issues and PRs that pertain to the iam service. label Aug 15, 2023
@jar-b jar-b mentioned this issue Aug 17, 2023
Closed
@jar-b jar-b self-assigned this Aug 17, 2023
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Aug 17, 2023
This was referenced Aug 17, 2023
Closed
Merged
@jar-b jar-b mentioned this issue Sep 12, 2023
Merged
@jar-b jar-b mentioned this issue Sep 21, 2023
Merged
@github-actions github-actions bot added this to the v5.19.0 milestone Sep 26, 2023
@github-actions
Copy link

This functionality has been released in v5.19.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@jar-b jar-b mentioned this issue Oct 2, 2023
Open
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jar-b jar-b

Labels
enhancement Requests to existing resources that expand the functionality or scope. prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. proposal Proposes new design or functionality. service/iam Issues and PRs that pertain to the iam service.
Projects
None yet
Milestone
v5.19.0
2 participants
@breathingdust @jar-b