terraform-provider-aws: aws_sqs_queue_policy - fails on first apply, succeeds on second apply with no changes

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.28

Affected Resource(s)

  • aws_sqs_queue_policy

Terraform Configuration Files

resource "aws_sqs_queue_policy" "deadletter_queue" {
  queue_url = aws_sqs_queue.deadletter_queue.id
  policy    = data.aws_iam_policy_document.deadletter_queue.json
}

data "aws_iam_policy_document" "deadletter_queue" {
  statement {
    effect    = "Allow"
    resources = [aws_sqs_queue.deadletter_queue.arn]
    actions = [
      "sqs:ChangeMessageVisibility",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:ListQueueTags",
      "sqs:ReceiveMessage",
      "sqs:SendMessage",
    ]
    principals {
      type        = "AWS"
      identifiers = [var.allowed_arn]
    }
  }
}

Debug Output

Error: Error updating SQS attributes: InvalidAttributeValue: Invalid value for the parameter Policy.
	status code: 400, request id: 30b6f60c-a403-5af4-8fdb-a178a4dda18f

  on modules/sqs/main.tf line 54, in resource "aws_sqs_queue_policy" "deadletter_queue":
  54: resource "aws_sqs_queue_policy" "deadletter_queue" {

Expected Behavior

Terraform should create the resource on the first apply.

Actual Behavior

Terraform fails with the error above; on a re-run with no changes, the apply succeeds.

Steps to Reproduce

  1. terraform apply
  2. terraform fails
  3. terraform apply
  4. terraform succeeds

Important Factoids

Happens on both CI and local machine

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 26
  • Comments: 16 (1 by maintainers)

Most upvoted comments

This is resolved

On Fri, Dec 11, 2020 at 5:45 PM Natan Lao notifications@github.com wrote:

I can reproduce this:

(.venv) ~/u/c/terraform develop> terraform -version
Terraform v0.14.0
+ provider registry.terraform.io/hashicorp/archive v2.0.0
+ provider registry.terraform.io/hashicorp/aws v3.20.0
+ provider registry.terraform.io/hashicorp/local v2.0.0

Your version of Terraform is out of date! The latest version is 0.14.2. You can update by downloading from https://www.terraform.io/downloads.html

– Thanks, Rex

This still seems to be an issue. I am facing the same problem even with 0.14.4.

@rexxavier could you elaborate? Thank you.