@mccutchen
Created November 25, 2020 23:18
Test case to reproduce odd pulumi/SQS interaction
module sqs-repro
go 1.14
require (
github.com/pulumi/pulumi-aws/sdk/v2 v2.13.1
github.com/pulumi/pulumi/sdk/v2 v2.9.2
)
package main
import (
	"encoding/json"
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/config"
	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/sqs"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main is the Pulumi program entry point. It creates an IAM role that the EC2
// service may assume, then an SQS queue whose resource policy grants that role
// access, and finally exports the queue's ID (its URL, hence the export name)
// as the stack output "queue-url".
//
// NOTE(review): both resources use fixed physical names ("role-name", "queue"),
// so two stacks of this program in the same account/region will collide. That
// is acceptable for a repro, not for shared code.
func main() {
	// Trust policy for the role: only the EC2 service principal may assume it.
	// NOTE(review): there is no Condition element, so any instance profile in
	// the account that references this role can use it — normal for an
	// instance-profile role, but tighten it if the role ever gains broader
	// permissions than this test queue.
	const ec2TrustPolicy = `{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}`

	pulumi.Run(func(ctx *pulumi.Context) error {
		ec2Role, err := iam.NewRole(ctx, "role", &iam.RoleArgs{
			Name:             pulumi.String("role-name"),
			AssumeRolePolicy: pulumi.String(ec2TrustPolicy),
		})
		if err != nil {
			return err
		}

		// The queue policy is keyed on the role ARN, which is only known
		// asynchronously; createSQSResource takes the Output and resolves it.
		q, err := createSQSResource(ctx, ec2Role.Arn)
		if err != nil {
			return err
		}

		ctx.Export("queue-url", q.ID())
		return nil
	})
}
// createSQSResource provisions the SQS queue named "queue" with a resource
// policy that grants roleARN access to it, and returns the queue resource.
//
// The resource policy must name the queue's ARN, but the ARN is only known once
// the queue exists. To supply the policy at creation time the ARN is predicted
// from the configured region, the calling account and the queue name (see
// computeQueueARN) and that predicted value is baked into the policy.
//
// NOTE(review): an alternative that avoids predicting the ARN is to create the
// queue without Policy and attach one afterwards through a separate
// sqs.QueuePolicy resource fed from queue.Arn; whether that still reproduces
// the issue this gist is chasing is not known from here.
//
// Returns the created queue, or nil and the error from sqs.NewQueue.
func createSQSResource(ctx *pulumi.Context, roleARN pulumi.StringOutput) (*sqs.Queue, error) {
	const queueName = "queue"

	predictedARN := computeQueueARN(ctx, queueName)
	policyDoc := renderQueuePolicyJSON(queueName, predictedARN, roleARN)

	args := &sqs.QueueArgs{
		Name:   pulumi.String(queueName),
		Policy: policyDoc,
		Tags: pulumi.StringMap{
			"env": pulumi.String("test"),
		},
		// Small, short-lived test queue: 1 KiB max message, 1 h retention,
		// 15 min visibility timeout, no delivery delay.
		DelaySeconds:             pulumi.Int(0),
		MaxMessageSize:           pulumi.Int(1024),
		MessageRetentionSeconds:  pulumi.Int(3600),
		VisibilityTimeoutSeconds: pulumi.Int(900),
	}

	q, err := sqs.NewQueue(ctx, "queue", args)
	if err != nil {
		return nil, err
	}
	return q, nil
}
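// renderQueuePolicyJSON builds the SQS resource policy for queueName as a JSON
// document, resolved once roleARNOutput is known.
//
// The document has a single Allow statement granting the role (as an "AWS"
// principal) the listed sqs: actions on queueARN. The policy Id and the
// statement Sid are derived from queueName.
//
// Fix: the document now carries "Version": "2012-10-17", matching the role's
// trust policy in main. A policy without a Version element is evaluated under
// the older 2008-10-17 policy language, which lacks newer features such as
// policy variables; AWS recommends always stating 2012-10-17. If AWS stores
// the policy with a Version added, this may also remove a spurious diff on
// refresh — not verifiable from here.
//
// NOTE(review): sqs:ListQueues is an account-level action rather than a
// per-queue one, so listing it against a queue ARN in a resource policy is
// unlikely to grant anything — confirm whether it is needed.
// NOTE(review): the Sid contains "/"; several AWS services restrict Sid to
// alphanumerics and SQS may reject it — verify against the API response.
//
// Panics if json.Marshal fails, which cannot happen for this fixed structure
// of strings and string slices.
func renderQueuePolicyJSON(queueName string, queueARN string, roleARNOutput pulumi.StringOutput) pulumi.StringOutput {
	policyID := fmt.Sprintf("queue-policy-%s", queueName)
	stmtID := fmt.Sprintf("statement/%s", queueName)

	return roleARNOutput.ApplyString(func(roleARN string) string {
		doc := map[string]interface{}{
			"Version": "2012-10-17",
			"Id":      policyID,
			"Statement": []map[string]interface{}{
				{
					"Sid":    stmtID,
					"Effect": "Allow",
					"Principal": map[string]string{
						"AWS": roleARN,
					},
					"Action": []string{
						"sqs:DeleteMessage",
						"sqs:GetQueueUrl",
						"sqs:ListQueues",
						"sqs:ReceiveMessage",
						"sqs:SendMessage",
					},
					// Scoped to the single (predicted) queue ARN only.
					"Resource": []string{queueARN},
				},
			},
		}

		policy, err := json.Marshal(doc)
		if err != nil {
			// Unreachable for the string-only structure above; treat as a
			// programmer error rather than emitting an empty policy.
			panic(err)
		}
		return string(policy)
	})
}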
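// computeQueueARN predicts the ARN of an SQS queue named queueName in the
// calling account and the configured aws:region, without creating the queue.
// createSQSResource uses it so the queue's resource policy can reference the
// queue before it exists.
//
// Fix: the partition is taken from the caller's own ARN (arn:<partition>:...)
// instead of being hard-coded as "aws". With the hard-coded value, a queue
// created in the aws-us-gov or aws-cn partition gets a policy whose Resource
// never matches the real queue ARN. If the caller ARN cannot be parsed the
// commercial "aws" partition is used, as before.
//
// NOTE(review): config.GetRegion returns "" when aws:region is not configured,
// which yields a malformed ARN; the stack config in this gist sets it, but
// callers should not rely on that.
//
// Panics if the caller identity cannot be retrieved: a wrong ARN here would
// silently mis-scope the queue policy, so failing loudly is preferable.
func computeQueueARN(ctx *pulumi.Context, queueName string) string {
	caller, err := aws.GetCallerIdentity(ctx)
	if err != nil {
		panic(err)
	}

	// Caller ARN looks like arn:<partition>:sts::<account>:assumed-role/... or
	// arn:<partition>:iam::<account>:user/...; field 1 is the partition.
	partition := "aws"
	if parts := strings.SplitN(caller.Arn, ":", 3); len(parts) == 3 && parts[1] != "" {
		partition = parts[1]
	}

	return fmt.Sprintf("arn:%s:sqs:%s:%s:%s", partition, config.GetRegion(ctx), caller.AccountId, queueName)
}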
config:
aws:region: us-east-2
pulumi:template: aws-go
name: sqs-repro
runtime: go
description: Trying to reproduce a production issue w/ SQS resources