
Re-applying object storage policy fails on encoded document values #557

Open
back-2-95 opened this issue Jun 11, 2024 · 2 comments

@back-2-95

I have the following, which will apply fine:

resource "upcloud_managed_object_storage_policy" "default" {
  name         = "mybucket-write-only-policy"
  description  = "Policy to allow write-only access to the bucket mybucket"
  document     = urlencode("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:PutObject\"],\"Resource\":\"arn:aws:s3:::mybucket/*\",\"Effect\":\"Allow\",\"Sid\":\"ObjectOperations\"}]}")
  service_uuid = upcloud_managed_object_storage.default.id
}

It will create the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Effect": "Allow",
      "Sid": "ObjectOperations"
    }
  ]
}

BUT re-applying the same will result in "must be replaced" and errors:

  # module.backups.upcloud_managed_object_storage_policy.default["mybucket"] must be replaced
-/+ resource "upcloud_managed_object_storage_policy" "default" {
      ~ arn                = "urn:ecs:iam::128e91db94dd4ecba14f51e564128475:policy/mybucket-write-only-policy" -> (known after apply)
      ~ attachment_count   = 0 -> (known after apply)
      ~ created_at         = "2024-06-11 08:41:10 +0000 UTC" -> (known after apply)
      ~ default_version_id = "v1" -> (known after apply)
      ~ document           = "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3APutObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3A3Amybucket%5C%2F*%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D" -> "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3APutObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Amybucket%2F%2A%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D" # forces replacement
      ~ id                 = "128e91db-94dd-4ecb-a14f-51e564128475/mybucket-write-only-policy" -> (known after apply)
        name               = "mybucket-write-only-policy"
      ~ system             = false -> (known after apply)
      ~ updated_at         = "2024-06-11 08:41:10 +0000 UTC" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

So the encoded string no longer matches near the /*:

%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3APutObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3A3Amybucket%5C%2F*%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D
vs
%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3APutObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Amybucket%2F%2A%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D
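The two strings above differ only in how the same policy was serialised and percent-encoded (Terraform's urlencode() writes "/" as %2F and "*" as %2A; the value read back from the API carries a JSON-escaped slash, "\/", and a bare "*"), so a byte-for-byte comparison of the document attribute flags a change that is not really there. The Go program below is an added example, not code from the UpCloud provider: it URL-decodes both documents, parses them as JSON and compares the resulting structures, which is the kind of semantic comparison a provider would put behind the attribute (a DiffSuppressFunc or plan modifier, depending on the SDK in use). ConfigEncoded is the config-side string from the plan output above; ServerEncoded and DifferentEncoded are constructed for this example and are not taken verbatim from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"reflect"
)

// ConfigEncoded is the document as Terraform's urlencode() emits it (the
// right-hand side of the plan diff in the issue): "/" -> %2F, "*" -> %2A.
const ConfigEncoded = "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3APutObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Amybucket%2F%2A%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D"

// ServerEncoded is a constructed stand-in for what the API hands back after
// re-serialising the same policy: the JSON encoder escaped "/" as "\/"
// (%5C%2F) and the "*" was left unencoded, so the string no longer matches
// byte for byte even though the policy is identical.
const ServerEncoded = "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3APutObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Amybucket%5C%2F*%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D"

// DifferentEncoded is a constructed policy that really does differ
// (s3:GetObject instead of s3:PutObject); a correct comparison must still
// report this as a change rather than suppress it.
const DifferentEncoded = "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22s3%3AGetObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Amybucket%2F%2A%22%2C%22Effect%22%3A%22Allow%22%2C%22Sid%22%3A%22ObjectOperations%22%7D%5D%7D"

// CanonicalPolicy URL-decodes a policy document and parses it as JSON so
// that two documents can be compared by structure rather than by the exact
// percent-encoding or escaping the producer happened to use.
// PathUnescape is used rather than QueryUnescape so that a literal "+" in a
// policy is not silently turned into a space.
func CanonicalPolicy(encoded string) (any, error) {
	raw, err := url.PathUnescape(encoded)
	if err != nil {
		return nil, fmt.Errorf("url-decode policy: %w", err)
	}
	var doc any
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, fmt.Errorf("parse policy JSON: %w", err)
	}
	return doc, nil
}

// PolicyDocumentsEquivalent reports whether two URL-encoded policy documents
// describe the same policy. Encoding-only differences ("/" vs %2F, "*" vs
// %2A, JSON's optional "\/" escape, whitespace, key order) are not changes;
// any difference in the parsed structure still is.
func PolicyDocumentsEquivalent(a, b string) (bool, error) {
	docA, err := CanonicalPolicy(a)
	if err != nil {
		return false, err
	}
	docB, err := CanonicalPolicy(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(docA, docB), nil
}

func main() {
	pairs := [][2]string{
		{ConfigEncoded, ServerEncoded},    // same policy, different encoding
		{ConfigEncoded, DifferentEncoded}, // genuinely different policy
	}
	for _, p := range pairs {
		same, err := PolicyDocumentsEquivalent(p[0], p[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("equivalent:", same)
	}
}
```

Comparing parsed structure rather than raw strings is also what keeps the ignore_changes workaround from being permanent: with a semantic comparison in place, an actual edit to the policy (a new action or resource) still produces a plan, while encoding noise from the API does not.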
@villevsv-upcloud
Contributor

villevsv-upcloud commented Jun 11, 2024

Hello and thank you for reporting the issue.

We will investigate this and come back with more info.

In the meantime, you could try mitigating the problem by adding a lifecycle block to the policy resource. For example:

resource "upcloud_managed_object_storage_policy" "default" {
...
  lifecycle {
    ignore_changes = [document]
  }
...
}

@back-2-95
Author

Thx, this mitigation works. I'll follow the issue.

3 participants