
Terraform plan showing changes that already apply


I have a pipeline that creates users in RabbitMQ, MinIO, Keycloak, and other applications using Terraform, but with MinIO I have a problem: the first time I run Terraform, the pipeline creates the bucket, policy and user (so far, so good), but when I run it again, terraform plan shows changes that don't exist, because I already ran the pipeline and there are no changes, as the image shows:

(image: terraform plan output showing changes for the MinIO resources)

Below is my Terraform code for MinIO:

    # Create a bucket.
    resource "minio_bucket" "bucket" {
      name = var.namespace
    }

    resource "minio_user" "user1" {
      access_key = var.namespace
      secret_key = var.password
      policies = [
        minio_canned_policy.policy1.name
        # Note: using a data source here!
        #data.minio_canned_policy.console_admin.name,
      ]
      /*groups = [
        minio_group.group2.name,
      ]*/
      depends_on = [
        minio_canned_policy.policy1,
      ]
    }

    # Create a policy.
    resource "minio_canned_policy" "policy1" {
      name   = "policy1"
      policy = <<EOT
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "arn:aws:s3:::${minio_bucket.bucket.name}*"
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": ["arn:aws:s3:::${minio_bucket.bucket.name}"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": ["arn:aws:s3:::${minio_bucket.bucket.name}/*"]
            }
        ]
    }
    EOT
    }

In RabbitMQ and Keycloak, for example, everything works fine.

Does anyone have any idea how to resolve this?

Thanks!!


Solution

  • the solution was to create an action for each resource:

    resource "minio_canned_policy" "policy" {
      name = "policy"
      policy = jsonencode(
        {
          Statement = [
            {
              Action = [
                "s3:GetBucketLocation",
              ]
              Effect = "Allow"
              Resource = [
                "arn:aws:s3:::${minio_bucket.bucket.name}*",
              ]
            },
            {
              Action = [
                "s3:ListAllMyBuckets",
              ]
              Effect = "Allow"
              Resource = [
                "arn:aws:s3:::${minio_bucket.bucket.name}*",
              ]
            },
            {
              Action = [
                "s3:ListBucket",
              ]
              Effect = "Allow"
              Resource = [
                "arn:aws:s3:::${minio_bucket.bucket.name}",
              ]
            },
            {
              Action = [
                "s3:GetObject",
              ]
              Effect = "Allow"
              Resource = [
                "arn:aws:s3:::${minio_bucket.bucket.name}/*",
              ]
            },
            {
              Action = [
                "s3:PutObject",
              ]
              Effect = "Allow"
              Resource = [
                "arn:aws:s3:::${minio_bucket.bucket.name}/*",
              ]
            },
            {
              Action = [
                "s3:DeleteObject",
              ]
              Effect = "Allow"
              Resource = [
                "arn:aws:s3:::${minio_bucket.bucket.name}/*",
              ]
            },
          ]
          Version = "2012-10-17"
        }
      )
    }
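As an added illustration, not part of the question or the accepted answer, the script below shows the mechanism behind a perpetual plan diff on a policy resource: the desired document is compared with what the server stored, and a byte-for-byte comparison flags whitespace, key order and scalar-vs-list differences as "changes" even though the grants are identical. It canonicalizes both documents (Action and Resource promoted to sorted lists, keys sorted, whitespace dropped) before comparing, which is the effect the answer achieves by emitting the policy through `jsonencode` in a shape the server will return unchanged. The bucket name `team-a` and the server-side document are constructed sample values; the exact normalization MinIO applies is an assumption here, not something the page states. The last helper adds the check a reviewer would want on this policy: a bucket-level resource written as `arn:aws:s3:::NAME*` is a prefix match, so it also covers any other bucket whose name starts with `NAME`.

```python
import json
from typing import Any

# Constructed sample input: the heredoc policy from the question with
# var.namespace assumed to be "team-a" (the real value is not on the page).
HEREDOC_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::team-a*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::team-a"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::team-a/*"]
        }
    ]
}
"""

# Constructed sample of what a server might hand back for the same policy:
# compact, keys re-ordered, scalars promoted to lists, actions re-ordered.
# This is an assumed shape, not captured MinIO output.
SERVER_POLICY = (
    '{"Statement":[{"Action":["s3:ListAllMyBuckets","s3:GetBucketLocation"],'
    '"Effect":"Allow","Resource":["arn:aws:s3:::team-a*"]},'
    '{"Action":["s3:ListBucket"],"Effect":"Allow","Resource":["arn:aws:s3:::team-a"]},'
    '{"Action":["s3:DeleteObject","s3:GetObject","s3:PutObject"],"Effect":"Allow",'
    '"Resource":["arn:aws:s3:::team-a/*"]}],"Version":"2012-10-17"}'
)


def _as_sorted_list(value: Any) -> list:
    """Promote a scalar to a one-element list and sort so order is irrelevant."""
    if isinstance(value, str):
        return [value]
    return sorted(value)


def canonicalize_policy(policy_json: str) -> str:
    """Reduce a policy document to one canonical string: Action and Resource
    as sorted lists, statements in a deterministic order, keys sorted, no
    insignificant whitespace. Documents granting the same thing collide."""
    doc = json.loads(policy_json)
    statements = []
    for stmt in doc.get("Statement", []):
        norm = dict(stmt)
        for key in ("Action", "Resource"):
            if key in norm:
                norm[key] = _as_sorted_list(norm[key])
        statements.append(norm)
    # Statement order carries no meaning for Allow/Deny evaluation, so sort it away.
    statements.sort(key=lambda s: json.dumps(s, sort_keys=True))
    doc["Statement"] = statements
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def plan_shows_diff(desired: str, stored: str) -> bool:
    """The naive byte-for-byte comparison that produces a perpetual diff."""
    return desired != stored


def semantic_diff(desired: str, stored: str) -> bool:
    """Comparison after canonicalization; False means there is nothing to change."""
    return canonicalize_policy(desired) != canonicalize_policy(stored)


def prefix_wildcard_bucket_resources(policy_json: str) -> list:
    """Flag bucket-level Resource entries that end in '*' with no '/' in them:
    'arn:aws:s3:::team-a*' also matches a bucket named 'team-a-backup'."""
    doc = json.loads(policy_json)
    flagged = []
    for stmt in doc.get("Statement", []):
        for res in _as_sorted_list(stmt.get("Resource", [])):
            name = res.removeprefix("arn:aws:s3:::")
            if name.endswith("*") and "/" not in name:
                flagged.append(res)
    return flagged


if __name__ == "__main__":
    print("raw strings differ:      ", plan_shows_diff(HEREDOC_POLICY, SERVER_POLICY))
    print("canonical forms differ:  ", semantic_diff(HEREDOC_POLICY, SERVER_POLICY))
    print("prefix-wildcard buckets: ", prefix_wildcard_bucket_resources(HEREDOC_POLICY))
```

Run it as-is to see the raw comparison report a change while the canonical comparison reports none. If the bucket created by `minio_bucket.bucket` is the only one the user should reach, the first statement's resource is better written without the trailing `*` (or as the bucket ARN plus a separate `/*` object ARN), so the grant cannot widen as other buckets with the same prefix appear.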