aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Drift Detection for AWS::IAM::ManagedPolicy resource reported as IN_SYNC when there is drift #1858

Open satanupa opened 9 months ago

satanupa commented 9 months ago

Name of the resource

AWS::IAM::ManagedPolicy

Resource Name

No response

Issue Description

Drift detection on a stack with AWS::IAM::ManagedPolicy resource reports back as "IN_SYNC" even when there is drift between the actual resource and template specification for the PolicyDocument property.

Expected (template specification):

```json
{
  "Path": "/",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "rds:CreateDBInstance",
          "rds:CreateDBClusterParameterGroup"
        ],
        "Resource": "arn:aws:rds:region:account-no:db:test*",
        "Effect": "Allow",
        "Sid": "Statement1"
      }
    ]
  },
  "Description": "Policy for creating a test database"
}
```

Actual (live resource):

```json
{
  "Path": "/",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "rds:CreateDBInstance"
        ],
        "Resource": "arn:aws:rds:region:account-no:db:test*",
        "Effect": "Allow",
        "Sid": "Statement1"
      }
    ]
  },
  "Description": "Policy for creating a test database"
}
```

Expected Behavior

If there is a difference in the policy document json between actual resource and template specification, the resource should report as modified when performing drift detection.

Observed Behavior

Resource reports as "IN_SYNC" even when there is drift between the actual resource and template specification for the PolicyDocument property.

Test Cases

  1. Create a CloudFormation stack to provision a ManagedPolicy resource:

```yaml
Resources:
  CreateTestDBPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Policy for creating a test database
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: 'Statement1'
            Effect: Allow
            Action:
              - 'rds:CreateDBInstance'
              - 'rds:CreateDBClusterParameterGroup'
            Resource: !Join
              - ''
              - - 'arn:aws:rds:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - ':db:test*'
```

  2. Once the stack is created, manually modify the managed policy's physical resource. You can change any part(s) of the policy, e.g. remove 'rds:CreateDBClusterParameterGroup' from the policy document.

  3. Trigger drift detection on the stack. The resource will report as "IN_SYNC"; check the drift details and we can observe a difference between the Actual and Expected properties.

Other Details

No response
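Because CloudFormation reports the resource as IN_SYNC in the reproduction above, the practical workaround is an out-of-band comparison of the template's PolicyDocument against the policy's live default version. The following is an added example (not code from the issue, the reporter, or CloudFormation) that does that comparison offline on the Expected and Actual documents quoted in the issue; the `fetch_live_policy_document` helper, the `region`/`account-no` placeholders and the "match statements by Sid, else by position" rule are assumptions of the example, and the boto3 call is only needed when you point it at a real policy ARN.

```python
"""Out-of-band drift check for an AWS::IAM::ManagedPolicy PolicyDocument.

Added example, not code from the issue or from CloudFormation. It compares the
PolicyDocument declared in a template with the policy's live default version and
reports the differences that stack drift detection missed in the issue above.
"""
import json
from typing import Any, Dict, List

# Constructed sample input: the Expected (template) and Actual (live) PolicyDocument
# values from the issue, with "region" and "account-no" left as placeholders.
EXPECTED: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": ["rds:CreateDBInstance", "rds:CreateDBClusterParameterGroup"],
            "Resource": "arn:aws:rds:region:account-no:db:test*",
        }
    ],
}
ACTUAL: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": ["rds:CreateDBInstance"],
            "Resource": "arn:aws:rds:region:account-no:db:test*",
        }
    ],
}

# IAM accepts either a single string or a list for these keys; treat both forms alike
# so that a cosmetic rewrite by the console is not reported as drift.
LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")


def _as_sorted_list(value: Any) -> List[str]:
    return [value] if isinstance(value, str) else sorted(value)


def normalize_statement(stmt: Dict[str, Any]) -> Dict[str, Any]:
    """Canonicalize one statement so that equivalent spellings compare equal."""
    return {k: _as_sorted_list(v) if k in LIST_FIELDS else v for k, v in stmt.items()}


def normalize_policy(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Canonicalize a policy document; Statement may be one object or a list."""
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return {"Version": doc.get("Version"),
            "Statement": [normalize_statement(s) for s in statements]}


def _keyed(statements: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    # Assumption of this example: match statements by Sid when present, else by position.
    return {s.get("Sid", "#%d" % i): s for i, s in enumerate(statements)}


def diff_policy_documents(expected: Dict[str, Any], actual: Dict[str, Any]) -> List[str]:
    """Return human-readable drift findings; an empty list means the documents match."""
    exp, act = normalize_policy(expected), normalize_policy(actual)
    findings: List[str] = []
    if exp["Version"] != act["Version"]:
        findings.append("Version: template=%r live=%r" % (exp["Version"], act["Version"]))
    exp_stmts, act_stmts = _keyed(exp["Statement"]), _keyed(act["Statement"])
    for sid in sorted(set(exp_stmts) | set(act_stmts)):
        if sid not in act_stmts:
            findings.append("statement %s: in template, missing from live policy" % sid)
        elif sid not in exp_stmts:
            findings.append("statement %s: in live policy, not in template" % sid)
        else:
            for field in sorted(set(exp_stmts[sid]) | set(act_stmts[sid])):
                e, a = exp_stmts[sid].get(field), act_stmts[sid].get(field)
                if e != a:
                    findings.append("statement %s.%s: template=%s live=%s"
                                    % (sid, field, json.dumps(e), json.dumps(a)))
    return findings


def is_in_sync(expected: Dict[str, Any], actual: Dict[str, Any]) -> bool:
    return not diff_policy_documents(expected, actual)


def fetch_live_policy_document(policy_arn: str) -> Dict[str, Any]:
    """Read the live default policy version with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the offline comparison above has no AWS dependency

    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=policy_arn,
                                  VersionId=version_id)["PolicyVersion"]["Document"]


if __name__ == "__main__":
    for finding in diff_policy_documents(EXPECTED, ACTUAL):
        print("DRIFT", finding)
```

Run against the issue's documents it prints one finding for `Statement1.Action` (the missing `rds:CreateDBClusterParameterGroup`), while a live document that merely reorders the Action list or spells a single Resource as a string instead of a one-element list is still treated as in sync. To check a deployed stack, feed `fetch_live_policy_document(<policy ARN>)` as the `actual` argument and the template's PolicyDocument (after resolving `!Ref`/`!Join`, e.g. from the processed template) as `expected`.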

altaurog commented 1 month ago

There is a warning in the documentation that drift detection is not supported for AWS::IAM::Policy. However, there is no similar warning in the docs for AWS::IAM::ManagedPolicy.