Cannot reference module.<name>.topic_arn inside aws_iam_policy_document as value for topic_policy #53

Closed

@meathead23

Description

When creating a totally custom SNS policy using a Terraform aws_iam_policy_document as the topic_policy value, Terraform throws an `Error: Cycle` error if the output of the module the policy is being attached to is referenced in the SNS topic's policy.

The policy works fine if I remove the module reference and hardcode the ARN. However, since this behaviour works in other Terraform modules, for example https://github.com/terraform-aws-modules/terraform-aws-s3-bucket, I figured it would work in this one.

Versions

  • Module version [Required]: 6.0.1

  • Terraform version: v1.5.7

  • Provider version(s):
    • registry.terraform.io/hashicorp/aws v5.43.0

Reproduction Code [Required]

data "aws_iam_policy_document" "sns_policy" {
  statement {
    sid    = "sub"
    effect = "Allow"
    resources = [
      # references the output of the module that consumes this document
      "${module.sns.topic_arn}/*",
    ]

    actions = [
      "sns:Subscribe"
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

module "sns" {
  source = "terraform-aws-modules/sns/aws"

  name = "bug-report-sns-topic"

  create_topic_policy = false
  topic_policy        = data.aws_iam_policy_document.sns_policy.json
}

Steps to reproduce the behaviour:

  1. run terraform init
  2. run terraform validate

Expected behavior

The validation should pass with no errors.

Actual behavior

The validation fails with the following error:

╷
│ Error: Cycle: module.sns.output.topic_arn (expand), data.aws_iam_policy_document.sns_policy, module.sns.var.topic_policy (expand), module.sns.aws_sns_topic.this
│ 
│ 
╵


Additional context

I've done similar things with Terraform modules, for example https://github.com/terraform-aws-modules/terraform-aws-s3-bucket, where doing the following works:

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = "AllowReadWriteAccess"
    effect = "Allow"
    resources = [
      module.s3.s3_bucket_arn,
      "${module.s3.s3_bucket_arn}/*"
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "s3:List*",
      "s3:Get*",
      "s3:DeleteObject"
    ]
  }
}

module "s3" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket        = "s3-bucket"
  attach_policy = true
  policy        = data.aws_iam_policy_document.bucket_policy.json
}
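The cycle above exists because the policy document reads `module.sns.topic_arn` while the module reads the document's JSON. One way to break it without hardcoding the ARN, shown here as an added example that is not from the issue author or the module's own documentation, is to derive the topic ARN from the partition, region, account and topic name (SNS topic ARNs are deterministic), so the document no longer depends on the module output. The `aws_partition`, `aws_region` and `aws_caller_identity` data sources are standard provider data sources; the `local.topic_name` value and the account-root principal are this example's own choices.

```hcl
# Added example: the policy document is built from known identifiers instead of
# from module.sns.topic_arn, so there is no dependency edge back into the module.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  topic_name = "bug-report-sns-topic" # must match the module's `name` below
  # Constructed ARN: arn:<partition>:sns:<region>:<account>:<topic-name>
  topic_arn = "arn:${data.aws_partition.current.partition}:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${local.topic_name}"
}

data "aws_iam_policy_document" "sns_policy" {
  statement {
    sid       = "sub"
    effect    = "Allow"
    actions   = ["sns:Subscribe"]
    resources = [local.topic_arn]

    # Scoped to principals in this account rather than "*" (example's own choice);
    # a wildcard principal on sns:Subscribe lets any AWS account subscribe to the topic.
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

module "sns" {
  source = "terraform-aws-modules/sns/aws"

  name = local.topic_name

  create_topic_policy = false
  topic_policy        = data.aws_iam_policy_document.sns_policy.json
}
```

Because the topic name is the only shared value, keep it in one local so the ARN in the policy cannot drift from the topic the module creates.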
