
I try to create an SQS queue and attach an access policy to it. The policy is of type "data" - no actual resource is created, it's just attached to the newly created SQS queue.

╷
│ Error: Cycle: data.aws_iam_policy_document.sqs_vote_policy, aws_sqs_queue.sqs_vote
│

the tf code:

resource "aws_sqs_queue" "sqs_vote" {
  name                      = "sqs-erjan"
  delay_seconds             = 0
  message_retention_seconds = 86400
  receive_wait_time_seconds = 0
  # inline policy: the queue now depends on the data source below
  policy                    = data.aws_iam_policy_document.sqs_vote_policy.json
}

data "aws_iam_policy_document" "sqs_vote_policy" {
  policy_id = "__default_policy_ID"

  statement {
    sid       = "__console_sub_0"
    actions   = ["SQS:SendMessage"]
    # the data source depends on the queue ARN -> cycle with the inline policy above
    resources = [aws_sqs_queue.sqs_vote.arn]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    effect = "Allow"

    condition {
      test     = "ArnLike"
      variable = "AWS:SourceArn"

      values = [
        aws_sns_topic.vote_sns.arn
      ]
    }

  }

  statement {
    sid       = "__owner_statement"
    actions   = ["SQS:*"]
    resources = [aws_sqs_queue.sqs_vote.arn]
    principals {
      # `type` is the principal kind; the account ARN goes in `identifiers`
      type        = "AWS"
      identifiers = ["arn:aws:iam::025416187662:root"]
    }
    effect = "Allow"

  }

  # i put depends_on to make sure it runs first - but it still gives the cycle error
  depends_on = [
    aws_sqs_queue.sqs_vote, aws_sns_topic.vote_sns
  ]

}

How to fix it?

    Use a separate queue policy resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy currently your queue needs the data and the data needs the queue => cycle. – luk2302 Jan 21 '23 at 16:10

1 Answer

Change aws_sqs_queue to:

resource "aws_sqs_queue" "sqs_vote" {
  name                      = "sqs-erjan"
  delay_seconds             = 0
  message_retention_seconds = 86400
  receive_wait_time_seconds = 0
}

and use aws_sqs_queue_policy to attach the policy to the queue:

resource "aws_sqs_queue_policy" "test" {
  queue_url = aws_sqs_queue.sqs_vote.id
  policy = data.aws_iam_policy_document.sqs_vote_policy.json
}
  • thx, now another issue arises. It says something is wrong with the policy attrs: setting SQS Queue (https://sqs.us-east-2.amazonaws.com/025416187662/sqs-erjan) attribute (Policy): InvalidAttributeValue: Invalid value for the parameter Policy. – ERJAN Jan 21 '23 at 18:28
  • but it does not specify the value! – ERJAN Jan 21 '23 at 18:29
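The answer's split, carried through for the whole configuration from the question, as an added example (not the answer's or the question's own code). It assumes aws_sns_topic.vote_sns is defined elsewhere and reads the account id from aws_caller_identity instead of hardcoding it; the owner statement's principals block also puts the account ARN in identifiers with type = "AWS", because an ARN in type produces a Principal key that SQS rejects as an invalid Policy value, which is the error reported in the comments above.

```hcl
data "aws_caller_identity" "current" {}

resource "aws_sqs_queue" "sqs_vote" {
  name                      = "sqs-erjan"
  delay_seconds             = 0
  message_retention_seconds = 86400
  receive_wait_time_seconds = 0
  # No inline policy: the document needs this queue's ARN, so referencing it here is the cycle.
}

data "aws_iam_policy_document" "sqs_vote_policy" {
  policy_id = "__default_policy_ID"

  # Anyone may SendMessage, but only when the request originates from the vote SNS topic.
  statement {
    sid       = "__console_sub_0"
    effect    = "Allow"
    actions   = ["SQS:SendMessage"]
    resources = [aws_sqs_queue.sqs_vote.arn]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.vote_sns.arn]
    }
  }

  # Owner statement: `type` names the principal kind; the account root ARN belongs in `identifiers`.
  statement {
    sid       = "__owner_statement"
    effect    = "Allow"
    actions   = ["SQS:*"]
    resources = [aws_sqs_queue.sqs_vote.arn]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

# Only the attachment depends on both the queue and the document: queue -> document -> attachment.
resource "aws_sqs_queue_policy" "sqs_vote" {
  queue_url = aws_sqs_queue.sqs_vote.id
  policy    = data.aws_iam_policy_document.sqs_vote_policy.json
}
```

Running `terraform validate` and `terraform plan` on this should show no cycle, and the rendered policy has "AWS" as the Principal key in both statements.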