Getting " IAM policy missing action sqs:ReceiveMessage" error from L4 terraform task

jishnu.prasad4 · December 29, 2025, 2:07pm

I am trying to complete this task(Implementing Local Variables Using Terraform). But I am always getting the mentioned error. Below is the part of state file which showing the permission is there.

{
      "mode": "managed",
      "type": "aws_iam_role",
      "name": "main",
      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "arn": "arn:aws:iam::000000000000:role/devops-dev-role",
            "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
            "create_date": "2025-12-29T10:13:46Z",
            "description": "",
            "force_detach_policies": false,
            "id": "devops-dev-role",
            "inline_policy": [
              {
                "name": "role_policy",
                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"sqs:ReceiveMessage\",\"dynamodb:PutItem\",\"sns:Publish\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
              }
            ],
            "managed_policy_arns": [],
            "max_session_duration": 3600,
            "name": "devops-dev-role",
            "name_prefix": "",
            "path": "/",
            "permissions_boundary": "",
            "tags": {
              "Environment": "dev",
              "Owner": "devops",
              "Project": "devops",
              "Team": "xfusion"
            },
            "tags_all": {
              "Environment": "dev",
              "Owner": "devops",
              "Project": "devops",
              "Team": "xfusion"
            },
            "unique_id": "AROAQAAAAAAAGUKVV244W"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }

Anyone help me identify the issue? Sharing the tf code FYI:

## variable.tf
variable "KKE_AWS_REGION" {
    type = string
    validation {
        condition = var.KKE_AWS_REGION == "us-east-1"
        error_message = "Only us-east-1 region is allowed"
    }
}

variable "KKE_QUEUE_DEPTH_THRESHOLD" {
    type = number
    default = 50
    validation {
        condition = var.KKE_QUEUE_DEPTH_THRESHOLD >= 1 && var.KKE_QUEUE_DEPTH_THRESHOLD <= 1000
        error_message = "SNS queue thread should be between 1 and 1000"        
    }
}

variable "KKE_IAM_ACTIONS" {
    type = list(string)
}

## tfvars
KKE_AWS_REGION = "us-east-1"
KKE_IAM_ACTIONS = ["sqs:ReceiveMessage", "dynamodb:PutItem", "sns:Publish"]

## Part of main.tf
resource "aws_iam_role" "main" {
  name = "${local.common_name}-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
        {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })

  tags = local.default_tags
}

resource "aws_iam_role_policy" "main" {
  name = "role_policy"
  role = aws_iam_role.main.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = var.KKE_IAM_ACTIONS
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

Mederbek · December 30, 2025, 6:41pm

use inline:

resource "aws_iam_role_policy" "inline_policy" {
  name = "${local.common_name}-policy"
  role = aws_iam_role.iam_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      for action in var.KKE_IAM_ACTIONS : {
        Effect   = "Allow"
        Action   = action
        Resource = "*"
      }
    ]
  })

hint

jishnu.prasad4 · January 5, 2026, 5:36am

Thanks I will try this. But does this mean, my tf code is wrong? I mean AFAIK, whatever I have tried should also work right?