[Bug]: SID validation at plan time is invalidly applied to ALL policies

[JacobAllenAbkes]

Terraform Core Version

1.7

AWS Provider Version

5.82

Affected Resource(s)

aws_iam_policy_document

Expected Behavior

We should not blanket apply plan time validation against the SID because each service may have it's own policies on allowed characters. This is a breaking change.

Actual Behavior

We blanket apply the plan time validation against the SID.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_kms_key" "name" {
  description         = "something"
  policy              = data.aws_iam_policy_document.name.json
}


data "aws_iam_policy_document" "name" {
  version                 = "2012-10-17"

  statement {
    sid    = "Allow spaces"
    effect = "Allow"
    actions = [
      "kms:Decrypt"
    ]
    resources = ["*"]
  }
}

Steps to Reproduce

Create an IAM policy document resource, have the SID include spaces

Attach the policy as a KMS policy

Debug Output

│ with aws_iam_policy_document.name,
│ on file line X, in data "aws_iam_policy_document" "name":
│ line#: sid = "Allow spaces"

Panic Output

No response

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[faleon]

Who let the intern push to production?

[asvinours]

  │ Error: invalid value for statement.0.sid (must only include alphanumeric characters)
  │ 
  │   with data.aws_iam_policy_document.elb_access_logs_delivery,
  │   on load_balancer.tf line 70, in data "aws_iam_policy_document" "elb_access_logs_delivery":
  │   70:     sid       = "ELBNewerRegions"

Not too sure why this is considered invalid 🤔

[faleon]

@asvinours react with a thumbs up to OP please to help get this escalated - #40639 (comment)

[ewbankkit]

Relates #40562.

[tobiasbueschel]

We've encountered the same issue just now, which blocked our deployments as we have some older SIDs with non-alphanumeric names.

For now, we're using the following workaround, hope this helps anyone who might face the same issue:

terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # TODO: this is temporary to fix the following error, we should eventually fix our SID to make them alphanumeric 
      # https://github.com/hashicorp/terraform-provider-aws/issues/40639
      # https://github.com/hashicorp/terraform-provider-aws/pull/40562
      version = "5.81.0"
    }
  }
}

[DrStrangepork]

AWS Key Management Service documentation, Creating a key policy, Key policy format:

A key policy document must conform to the following rules:

• Up to 32 kilobytes (32,768 bytes)
• The Sid element in a key policy statement can include spaces. (Spaces are prohibited in the Sid element of an IAM policy document.)

KMS policy Sids can include spaces, and there are dozens of examples of KMS policy Sids with spaces throughout AWS documentation.