Sorry to trouble everyone again, but I have inherited some TF scripts, need to make an amendment, and am at a loss as to what is going on.
An AWS policy document is declared, with a fixed set of permissions:
data "aws_iam_policy_document" "sqs_task_policy" {
  dynamic "statement" {
    for_each = var.queues
    content {
      actions = [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ]
      effect = "Allow"
      resources = [
        "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${join("_", [var.name, statement.value["name"], statement.value["purpose"]])}"
      ]
    }
  }
}
The variable queue is declared from a local variable in the calling module (and includes a number of SQS queue names), i.e. queue = local.sqs_queues:
sqs_queues = {
  create_company_check_sqs = {
    name    = "create_company_check_queue"
    purpose = "start"
  }
  create_person_check_sqs = {
    name    = "create_person_check_queue"
    purpose = "start"
  }
}
All is working fine at this point, but some of the queues now need to have additional permissions. I set the local variable to:
sqs_queues = {
  create_company_check_sqs = {
    name        = "create_company_check_queue"
    purpose     = "start"
    permissions = ["sqs:SendMessage", "sqs:ReceiveMessage"]
  }
  create_person_check_sqs = {
    name        = "create_person_check_queue"
    purpose     = "start"
    permissions = ["sqs:SendMessage", "sqs:ReceiveMessage"]
  }
}
Updated the data declaration to include:
actions = statement.value["permissions"]
This works perfectly well in my sandbox/test AWS account, but I have issues reported in the QA account:
╷
│ Error: Invalid index
│
│ on modules/services/sqs/data.tf line 23, in data "aws_iam_policy_document" "sqs_task_policy":
│ 23: actions = statement.value["permissions"]
│ ├────────────────
│ │ statement.value is object with 2 attributes
│
│ The given key does not identify an element in this collection value.
I’ve not been able to work out exactly what’s wrong, or what the correct syntax is to get this to work in the QA account.
Any help would be gratefully received.
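The error text says statement.value is an object with only 2 attributes, i.e. the entry being indexed has no "permissions" key. The following is an added example (not the poster's module code) showing one way to make the policy tolerate entries that omit the key while keeping the original fixed permission set as the fallback, so no queue silently gains extra access; the queue names, the extra "sqs:DeleteMessage" action and the local default_queue_actions are constructed for illustration.

```hcl
# Added example: tolerate map entries with and without a "permissions" attribute.
locals {
  # Constructed sample input: one entry carries an explicit permission list,
  # the other has only name/purpose (the 2-attribute object the QA error reports).
  sqs_queues = {
    create_company_check_sqs = {
      name        = "create_company_check_queue"
      purpose     = "start"
      permissions = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    }
    create_person_check_sqs = {
      name    = "create_person_check_queue"
      purpose = "start"
    }
  }

  # Fallback used when an entry has no "permissions" attribute: the same fixed
  # set the original policy granted, so the default never widens access.
  default_queue_actions = ["sqs:SendMessage", "sqs:ReceiveMessage"]
}

data "aws_iam_policy_document" "sqs_task_policy" {
  dynamic "statement" {
    for_each = local.sqs_queues
    content {
      # try() returns the first argument that evaluates without an error, so a
      # missing "permissions" key falls back to the default instead of failing
      # the plan with "Invalid index".
      actions = try(statement.value["permissions"], local.default_queue_actions)
      effect  = "Allow"
      resources = [
        "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${join("_", [var.name, statement.value["name"], statement.value["purpose"]])}"
      ]
    }
  }
}
```

If the module declares a type for var.queues, the same fallback can instead be expressed in the object type with `permissions = optional(list(string), ["sqs:SendMessage", "sqs:ReceiveMessage"])` (Terraform 1.3 or later), which also documents the expected shape to callers.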