After importing an SQS queue with a Dead-Letter Queue (DLQ) into Terraform, Terraform does not detect changes to the `redrive_policy` (DLQ linkage) if it’s omitted from the code. This happens even though the AWS provider marks `redrive_policy` as `computed`, which should enforce drift detection.
This behavior is inconsistent with other AWS resources like DynamoDB’s `stream_enabled` (which does detect drift when undeclared).
Details
What’s Happening
- Expected Behavior: Terraform should detect drift for `computed` attributes (like `redrive_policy`) and plan to revert them to their default (e.g., `null`) if undeclared.
- Actual Behavior: Terraform ignores the `redrive_policy` entirely if it’s not declared in your code. This leaves the DLQ linkage unmanaged, risking configuration drift.
Example Workflow
- Manually create an SQS queue with a DLQ:
```
# Create DLQ
aws sqs create-queue --queue-name my-dlq
# Create Source Queue with DLQ linkage
aws sqs create-queue --queue-name my-source-queue \
  --attributes '{"RedrivePolicy":"{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:123456789012:my-dlq\",\"maxReceiveCount\":\"3\"}"}'
```
- Import into Terraform (without declaring `redrive_policy`):
```
resource "aws_sqs_queue" "source_queue" {
  name = "my-source-queue"
}
```
```
terraform import aws_sqs_queue.source_queue my-source-queue
```
- Run `terraform plan`:
  - Expected: Plan shows `redrive_policy = "..." -> null`.
  - Actual: No changes detected.
Why This Matters
- Silent Configuration Drift: If the `redrive_policy` is modified externally, Terraform will not detect it.
- Inconsistent Behavior: Unlike DynamoDB `stream_enabled` (which detects drift), SQS `redrive_policy` is left unmanaged.
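
One way to surface this gap outside of `terraform plan`, as an added example that is not part of the original post: a check over the JSON produced by `terraform show -json <planfile>` that reports queues whose state carries a `redrive_policy` the configuration never declares. The function name `unmanaged_redrive_policies` and the sample plan are assumptions made for illustration, and only root-module resources are inspected.

```python
import json
import re

INDEX = re.compile(r"\[[^\]]*\]")  # strips count/for_each keys from state addresses


def unmanaged_redrive_policies(plan):
    """Return (address, policy) for aws_sqs_queue resources whose state holds a
    redrive_policy while the root-module configuration never declares one."""
    config = plan.get("configuration", {}).get("root_module", {})
    declared = {r["address"] for r in config.get("resources", [])
                if "redrive_policy" in r.get("expressions", {})}
    state = plan.get("prior_state", {}).get("values", {}).get("root_module", {})
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != "aws_sqs_queue" or res.get("mode", "managed") != "managed":
            continue
        value = res.get("values", {}).get("redrive_policy")
        # An empty string or null means no DLQ linkage is recorded in state.
        if value and INDEX.sub("", res["address"]) not in declared:
            findings.append((res["address"], json.loads(value)))
    return findings


# Constructed sample: only the fields read above, shaped like the output of
# `terraform show -json <planfile>` for the workflow in this post.
POLICY = json.dumps({
    "deadLetterTargetArn": "arn:aws:sqs:us-east-1:123456789012:my-dlq",
    "maxReceiveCount": 3,
})
SAMPLE_PLAN = {
    "prior_state": {"values": {"root_module": {"resources": [
        {"address": "aws_sqs_queue.source_queue", "mode": "managed",
         "type": "aws_sqs_queue",
         "values": {"name": "my-source-queue", "redrive_policy": POLICY}},
    ]}}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_sqs_queue.source_queue", "mode": "managed",
         "type": "aws_sqs_queue",
         "expressions": {"name": {"constant_value": "my-source-queue"}}},
    ]}},
}

if __name__ == "__main__":
    for address, policy in unmanaged_redrive_policies(SAMPLE_PLAN):
        print(f"{address}: redrive_policy in state but not in configuration "
              f"-> {policy['deadLetterTargetArn']}")
```

A queue whose policy is set through a separate `aws_sqs_queue_redrive_policy` resource is also reported, because this check does not correlate the two resources.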