SQS Controller Constant API Calls

[logand22]

Describe the bug

After upgrading from 1.0.12 to 1.1.14, we noticed that the SQS controller is constantly attempting to update Queues.

Relevant Logs:

{
  "level": "info",
  "ts": "2025-08-08T11:36:51.982Z",
  "logger": "ackrt",
  "msg": "desired resource state has changed",
  "kind": "Queue",
  "namespace": "<NAMESPACE>",
  "name": "<NAME>",
  "account": "<ACCOUNT_ID>",
  "role": "",
  "region": "<REGION>",
  "is_adopted": false,
  "generation": 6460,
  "diff": [
    {
      "Path": {
        "Parts": [
          "Spec",
          "Policy"
        ]
      },
      "A": "{\"Statement\":[{\"Action\":[\"sqs:SendMessage\"],\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"<TOPIC_ARN>\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Resource\":\"<QUEUE_ARN>\"}],\"Version\":\"2012-10-17\"}",
      "B": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"sqs:SendMessage\",\"Resource\":\"<QUEUE_ARN>\",\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"<TOPIC_ARN>\"}}}]}"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "DelaySeconds"
        ]
      },
      "A": null,
      "B": "0"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "KMSDataKeyReusePeriodSeconds"
        ]
      },
      "A": null,
      "B": "300"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "MaximumMessageSize"
        ]
      },
      "A": null,
      "B": "1048576"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "MessageRetentionPeriod"
        ]
      },
      "A": null,
      "B": "345600"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "ReceiveMessageWaitTimeSeconds"
        ]
      },
      "A": null,
      "B": "0"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "SQSManagedSSEEnabled"
        ]
      },
      "A": null,
      "B": "false"
    },
    {
      "Path": {
        "Parts": [
          "Spec",
          "VisibilityTimeout"
        ]
      },
      "A": null,
      "B": "30"
    }
  ]
}

I believe the pertinent diff is the Policy diff which compares an action like:

action: ["sqs:SendMessage"]

to

action: "sqs:SendMessage"

I believe the issue was added in aws-controllers-k8s/sqs-controller@4b7895a.

Steps to reproduce
Create a queue with an action or resource as a string instead of an array of a single string

Expected outcome
I expect SQS to not attempt to make calls to the AWS API when the resources are semantically the same.

Environment

• EKS Version 1.31
• SQS

[github-actions]

Hello @logand22 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[logand22]

Upon further investigation, it also appears that the controller is writing defaults resource in kubernetes. This is causing constant diffs between two controllers since they both keep overwriting the other. This could be separate or related. ~~

Is it expected for the queue controller to overwrite fields that aren't present?

❯ kubectl get <QUEUE_NAME> -o json | jq '.spec'            
{
  "delaySeconds": "0",
  "kmsMasterKeyID": "<KEY_ID>",
  "maximumMessageSize": "1048576",
  "messageRetentionPeriod": "345600",
  "policy": "{\"Statement\":[{\"Action\":[\"sqs:SendMessage\"],\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"<TOPIC_ARN>"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Resource\":\"<QUEUE_ARN>\"}],\"Version\":\"2012-10-17\"}",
  "queueName": "<QUEUE_NAME>",
  "receiveMessageWaitTimeSeconds": "0",
  "redrivePolicy": "{\"deadLetterTargetArn\":\"DLQ_ARN\",\"maxReceiveCount\":10}",
  "visibilityTimeout": "30"
}

~ 
❯ kubectl get queue audit-events-us-west-2 -o json | jq '.spec'
{
  "kmsMasterKeyID": "<KEY_ID>",
  "policy": "{\"Statement\":[{\"Action\":[\"sqs:SendMessage\"],\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"<TOPIC_ARN>"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Resource\":\"<QUEUE_ARN>\"}],\"Version\":\"2012-10-17\"}",
  "queueName": "<QUEUE_NAME>",
  "redrivePolicy": "{\"deadLetterTargetArn\":\"DLQ_ARN\",\"maxReceiveCount\":10}"
}

Two calls within seconds of each other to the same queue resource. The second call being the expected output based on what our internal controller generates.

Workaround could be for us to just set the AWS defaults, however, I wouldn't expect the controller to be trying to set these values.

I'm incorrect on this and the issue with late initialized values is on our end. This was added in aws-controllers-k8s/sqs-controller#60. The original policy comparison issue still stands.