mzibit

Reputation: 93

Terraform plan showing changes that already apply

I have a pipeline that creates users in rabbitmq, minio, keycloak, and other applications using terraform, but in Minio I have a problem: I run terraform the first time and the pipeline creates the bucket, policy and user (so far, so good), but when I run it again, terraform plan shows changes that don't exist, because I already ran the pipeline and there are no changes, as the image shows:


Below is my terraform code for Minio:

# Create a bucket.
resource "minio_bucket" "bucket" {
  name = var.namespace
}

resource "minio_user" "user1" {
  access_key = var.namespace
  secret_key = var.password
  policies = [
    minio_canned_policy.policy1.name
    # Note: using a data source here!
    #data.minio_canned_policy.console_admin.name,
  ]
  /*groups = [
    minio_group.group2.name,
  ]*/
  depends_on = [
    minio_canned_policy.policy1,
  ]
}

# Create a policy.
resource "minio_canned_policy" "policy1" {
  name   = "policy1"
  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::${minio_bucket.bucket.name}*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${minio_bucket.bucket.name}"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::${minio_bucket.bucket.name}/*"]
        }
    ]
}
EOT
}

In rabbitmq and keycloak, for example, everything works fine.

Does anyone have an idea how to resolve this?

Thanks!!

Upvotes: 2

Views: 1056

Answers (2)

brauliojbb

Reputation: 26

The solution was to create one action per statement for each resource:

resource "minio_canned_policy" "policy" {
  name = "policy"
  policy = jsonencode(
    {
      Statement = [
        {
          Action = [
            "s3:GetBucketLocation",
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:s3:::${minio_bucket.bucket.name}*",
          ]
        },
        {
          Action = [
            "s3:ListAllMyBuckets",
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:s3:::${minio_bucket.bucket.name}*",
          ]
        },
        {
          Action = [
            "s3:ListBucket",
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:s3:::${minio_bucket.bucket.name}",
          ]
        },
        {
          Action = [
            "s3:GetObject",
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:s3:::${minio_bucket.bucket.name}/*",
          ]
        },
        {
          Action = [
            "s3:PutObject",
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:s3:::${minio_bucket.bucket.name}/*",
          ]
        },
        {
          Action = [
            "s3:DeleteObject",
          ]
          Effect = "Allow"
          Resource = [
            "arn:aws:s3:::${minio_bucket.bucket.name}/*",
          ]
        },
      ]
      Version = "2012-10-17"
    }
  )
}

Upvotes: 1
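As an added example (not code from either answer or from the MinIO provider), the check below flattens the questioner's original policy and the one-action-per-statement form from the answer above into (effect, action, resource) triples, so you can confirm that a rewrite like this grants exactly the same permissions and that the plan diff was a matter of document shape rather than access. The bucket name `example-ns` stands in for `var.namespace` and both policy documents are constructed inline from the page's HCL.

```python
import json

# Constructed sample: the questioner's original policy (mixed string/list
# "Resource", several actions per statement), bucket name filled in.
BUCKET = "example-ns"  # placeholder standing in for var.namespace

ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": f"arn:aws:s3:::{BUCKET}*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

# The accepted answer's form: one action per statement, lists everywhere.
ONE_PER_ACTION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": [a], "Resource": [r]} for a, r in [
        ("s3:GetBucketLocation", f"arn:aws:s3:::{BUCKET}*"),
        ("s3:ListAllMyBuckets", f"arn:aws:s3:::{BUCKET}*"),
        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*"),
        ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/*"),
        ("s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/*"),
    ]],
}

def _as_list(v):
    # IAM-style documents allow a bare string where a list is expected.
    return [v] if isinstance(v, str) else list(v)

def grants(policy):
    """Set of (effect, action, resource) triples. Equal sets mean equal
    permissions, whatever the statement grouping or string/list shape."""
    return {(st["Effect"], a, r) for st in policy["Statement"]
            for a in _as_list(st["Action"]) for r in _as_list(st["Resource"])}

def canonical_json(policy):
    """One triple per statement, sorted, stable keys: a text form that is
    identical for any two policies with the same grants."""
    stmts = [{"Effect": e, "Action": [a], "Resource": [r]} for e, a, r in sorted(grants(policy))]
    return json.dumps({"Version": policy.get("Version"), "Statement": stmts}, sort_keys=True)

def raw_json_equal(p1, p2):
    # The naive comparison a provider makes on stored vs. returned text.
    return json.dumps(p1, sort_keys=True) == json.dumps(p2, sort_keys=True)
```

Run `grants(ORIGINAL) == grants(ONE_PER_ACTION)` to see that the two documents are equivalent while `raw_json_equal` still reports them as different; dropping any statement from one side makes `grants` differ, so the check also catches a rewrite that silently narrows or widens access.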

xy2

Reputation: 566

Try using an array, as it expects, in this place:

- "Resource": "arn:aws:s3:::${minio_bucket.bucket.name}*"
+ "Resource": ["arn:aws:s3:::${minio_bucket.bucket.name}*"]
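Review bot: the list form is the right call for consistency, since the other two statements in the questioner's policy already write Resource as ["..."], and using one shape throughout removes the mixed string/list case as a candidate for the spurious diff. After applying, re-run the plan and, if a change is still reported, compare the policy text the provider reads back from MinIO with the text in the config before treating it as a real change.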

Maybe the other detected change will go away after that. If not, it would look like a bug in the provider.

Upvotes: 1
