[Enhancement]: Emit warnings on IAM policy creation when duplicate keys are configured #33026
Labels
enhancement: Requests to existing resources that expand the functionality or scope.
prioritized: Part of the maintainer team's immediate focus. To be addressed within the current quarter.
proposal: Proposes new design or functionality.
service/iam: Issues and PRs that pertain to the IAM service.
Description
This enhancement proposal stems from this issue raised in Terraform Core where values in a map object can be squashed when duplicate keys are supplied. See the linked issue for a detailed discussion of the root causes and proposed solutions at the core level.
In the AWS provider we could potentially emit warnings when an IAM policy is configured with duplicate Condition keys, either within a raw JSON string or via the `condition` block of an `aws_iam_policy_document` data source. Because this scenario could lead to an overly permissive policy under certain conditions, these should arguably be errors, but introducing errors would constitute a breaking change. We may introduce warnings at this time, and move to errors in the next major version.

This would need to be performed both on the raw string input for the `aws_iam_role`/`aws_iam_policy`/`aws_iam_role_policy` resources, as well as on the more structured input of the `aws_iam_policy_document` data source. If the practitioner has used `jsonencode()` in their configuration, then the input would have already been squashed by the time the provider sees it, and no warning will be possible.

This behavior should also be thoroughly documented in the respective registry documentation, and potentially in the Developer Guide.
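As an added illustration of the raw-string check proposed above (this is not code from the issue or from the provider), the Go example below walks the standard decoder's token stream, which still exposes repeated member names that `json.Unmarshal` would squash to the last value. `SamplePolicy` is a constructed policy with two `StringEquals` blocks under one `Condition`, and the path format `/Statement/0/Condition/StringEquals` is an assumption chosen for the warning text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: two "StringEquals" members under one Condition. A plain
// json.Unmarshal keeps only the second, silently dropping the org-ID check.
const SamplePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
"Action":"s3:GetObject","Resource":"*","Condition":{
"StringEquals":{"aws:PrincipalOrgID":"o-example"},
"StringEquals":{"s3:prefix":"home/"}}}]}`

// walk consumes one JSON value from dec (already validated by the caller) and
// appends to dups the path of every member name repeated within one object.
func walk(dec *json.Decoder, path string, dups *[]string) {
	tok, _ := dec.Token()
	switch d, _ := tok.(json.Delim); d {
	case '{':
		seen := map[string]bool{}
		for dec.More() {
			k, _ := dec.Token() // member name, always a string here
			name := k.(string)
			if seen[name] {
				*dups = append(*dups, path+"/"+name)
			}
			seen[name] = true
			walk(dec, path+"/"+name, dups)
		}
		dec.Token() // closing '}'
	case '[':
		for i := 0; dec.More(); i++ {
			walk(dec, fmt.Sprintf("%s/%d", path, i), dups)
		}
		dec.Token() // closing ']'
	} // any other token is a scalar and needs no further work
}

// DuplicateKeys returns a slash-separated path for each member name repeated
// within one object of doc, e.g. "/Statement/0/Condition/StringEquals".
func DuplicateKeys(doc string) ([]string, error) {
	if !json.Valid([]byte(doc)) {
		return nil, fmt.Errorf("policy is not valid JSON")
	}
	var dups []string
	walk(json.NewDecoder(strings.NewReader(doc)), "", &dups)
	return dups, nil
}
```

A provider could call `DuplicateKeys` on the policy string before submitting it and emit one warning per returned path, leaving the decision to escalate to an error for a later major version.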
Affected Resource(s) and/or Data Source(s)
Potential Terraform Configuration: No response
References
Would you like to implement a fix? None