terraform-provider-aws: Cannot use SQS `redrive_allow_policy` correctly without creating a cycle
The Example Usage for aws_sqs_queue shows a “source queue” with both a redrive_policy and a redrive_allow_policy set; however, as per the AWS docs, the “byQueue” redrive_allow_policy belongs on the dead letter queue itself:
The redrive allow policy specifies which source queues can access the dead-letter queue. This policy applies to a potential dead-letter queue.
Since you set a redrive_policy on the source queue which points to a dead letter queue, and a redrive_allow_policy on the dead letter queue restricting which source queues can redrive to it, it is not possible to represent this relationship in Terraform without creating a cycle.
Terraform CLI and Terraform AWS Provider Version
$ terraform -v
Terraform v1.1.2
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v3.71.0
Affected Resource(s)
- aws_sqs_queue
Terraform Configuration Files
resource "aws_sqs_queue" "source_queue" {
  name = "source_queue"
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dead_letter_queue.arn
  })
}

resource "aws_sqs_queue" "dead_letter_queue" {
  name = "dead_letter_queue"
  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue"
    sourceQueueArns   = ["${aws_sqs_queue.source_queue.arn}"]
  })
}
Debug Output
https://gist.github.com/davecardwell/236f84642a90536d442cbfc4434f8da1
Panic Output
N/A
Expected Behavior
Success. It should be possible to configure a RedriveAllowPolicy without creating a circular dependency.
Actual Behavior
Error: Cycle: aws_sqs_queue.dead_letter_queue, aws_sqs_queue.source_queue
Steps to Reproduce
terraform validate
Important Factoids
N/A
References
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 94
- Comments: 16
@ewbankkit Please re-open this one as it is currently unsolved. Following the example usage, version 4.36.1 currently still generates a circular dependency error, as per the original post at the start of this thread.
I think it would be good to move the DLQ redrive to a separate resource, so it can be dependent on the normal queue and the DLQ and does not create a cycle. Also, an example in the docs of the Terraform resource would be very helpful.
I tested it in version 1.1.7 because I was facing the same problem, and realized that the SQS dead letter queue needs to be implemented first.
You have to create the ARN string “arn:aws:sqs:region:account_number:mysqsqueue” in the redrive_allow_policy of the SQS dead letter queue. And at the main SQS queue you can point to the dead letter queue using the arn attribute. This way the main SQS queue will depend on the SQS dead letter queue (you could also use depends_on, but it is not required in this case).
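The "create the DLQ first" workaround described in the comment above, written out as an added example (not code from the issue thread or the provider docs). Instead of a hard-coded literal, the source queue's ARN is assembled from the partition, region and account-id data sources plus an assumed queue name, so the dead letter queue never references the source queue resource and the graph stays acyclic; the queue names and maxReceiveCount value are assumptions.

```hcl
# Added example: break the cycle by predicting the source queue's ARN
# rather than reading it from the aws_sqs_queue.source_queue resource.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  source_queue_name = "source_queue" # assumed name; must match the resource below

  # Same format as the literal in the comment above, but built from data sources
  # so it follows the account/region/partition Terraform is actually running in.
  source_queue_arn = "arn:${data.aws_partition.current.partition}:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${local.source_queue_name}"
}

# Created first: it only depends on the data sources, not on the source queue.
resource "aws_sqs_queue" "dead_letter_queue" {
  name = "dead_letter_queue"

  redrive_allow_policy = jsonencode({
    # "byQueue" keeps least privilege: only the listed queue may use this DLQ,
    # unlike "allowAll", which lets any queue in the account redrive into it.
    redrivePermission = "byQueue"
    sourceQueueArns   = [local.source_queue_arn]
  })
}

# Depends on the DLQ through its arn attribute, giving DLQ -> source ordering.
resource "aws_sqs_queue" "source_queue" {
  name = local.source_queue_name

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dead_letter_queue.arn
    maxReceiveCount     = 5 # assumed value
  })
}
```

The check to run is `terraform validate` followed by `terraform graph`: the output should show an edge from source_queue to dead_letter_queue only, and the predicted ARN must match `aws_sqs_queue.source_queue.arn` after apply, which fails to happen if the name in `local.source_queue_name` drifts from the resource's `name`.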
Facing the same issue, I had to put redrivePermission = “allowAll” in order to make it work, but that is not satisfactory.
It would be nice if you could directly reference the name from the main queues, as TF can know that before applying.
Hi, I’ve tried the same redrive_policy using the provider (v4.32.0) and still get the same cycle error.
The solution to prevent the cycle is to create a separate redrive_allow_policy resource, as in the example at the URL below: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_redrive_allow_policy
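The separate-resource approach from the comment above, as an added example that is not the thread's own code: the allow policy is attached with the provider's aws_sqs_queue_redrive_allow_policy resource, which depends on both queues while neither queue depends on it, so the source queue can reference the DLQ's arn and the policy can reference the source queue's arn without a cycle. Queue names and maxReceiveCount are assumptions.

```hcl
# Added example: neither aws_sqs_queue resource refers to the other.
resource "aws_sqs_queue" "dead_letter_queue" {
  name = "dead_letter_queue"
  # No redrive_allow_policy here; it is managed by the resource below.
}

resource "aws_sqs_queue" "source_queue" {
  name = "source_queue"

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dead_letter_queue.arn
    maxReceiveCount     = 5 # assumed value
  })
}

# Leaf of the graph: dead_letter_queue -> source_queue -> this resource.
resource "aws_sqs_queue_redrive_allow_policy" "dead_letter_queue" {
  # The resource is keyed on the queue URL, which aws_sqs_queue exposes as id.
  queue_url = aws_sqs_queue.dead_letter_queue.id

  redrive_allow_policy = jsonencode({
    # Restrict the DLQ to the named source queue instead of "allowAll".
    redrivePermission = "byQueue"
    sourceQueueArns   = [aws_sqs_queue.source_queue.arn]
  })
}
```

Because the allow policy lives in its own resource, adding a second source queue later only widens the sourceQueueArns list in this one resource and never touches the queue definitions; `terraform validate` passes, and `terraform graph` shows no edge back from dead_letter_queue to source_queue.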