hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

import aws_iam_role_policy doesn't work #10145

Open the-smooth-operator opened 4 years ago

the-smooth-operator commented 4 years ago

Terraform Version

Terraform v0.11.14

Affected Resource(s)

Terraform Configuration Files

resource "aws_iam_role" "cloudwatch_fetch_metrics" {
  name               = "cloudwatch_fetch_metrics"
  path               = "/itsre/"
  assume_role_policy = "${data.aws_iam_policy_document.allow_assume_role.json}"
}

data "aws_iam_policy_document" "allow_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::*******:root"]
    }
  }
}

resource "aws_iam_role_policy" "allow_fetch_cloudwatch_metrics" {
  name   = "allow_fetch_cloudwatch_metrics"
  role   = "${aws_iam_role.cloudwatch_fetch_metrics.id}"
  policy = "${data.aws_iam_policy_document.allow_fetch_cloudwatch_metrics.json}"
}

data "aws_iam_policy_document" "allow_fetch_cloudwatch_metrics" {
  statement {
    actions = [
      "cloudwatch:Describe*",
      "cloudwatch:GetMetricData",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
    ]

    effect    = "Allow"
    resources = ["*"]
  }
}

Debug Output

https://gist.github.com/The-smooth-operator/2bd93ac34e504cf4d1c32e92475a393c

Expected Behavior

aws_iam_role_policy.allow_fetch_cloudwatch_metrics: Import complete!

Actual Behavior

Error: aws_iam_role_policy.allow_fetch_cloudwatch_metrics (import id: cloudwatch_fetch_metrics:allow_fetch_cloudwatch_metrics): 1 error occurred:
    * import aws_iam_role_policy.allow_fetch_cloudwatch_metrics result: cloudwatch_fetch_metrics:allow_fetch_cloudwatch_metrics: import aws_iam_role_policy.allow_fetch_cloudwatch_metrics (id: cloudwatch_fetch_metrics:allow_fetch_cloudwatch_metrics): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent resources using Terraform import.

Steps to Reproduce

  1. Try importing an existing IAM policy:
     terraform import aws_iam_role_policy.allow_fetch_cloudwatch_metrics cloudwatch_fetch_metrics:allow_fetch_cloudwatch_metrics

Important Factoids

  1. The role has a Path (my guess is that the problem is here).
  2. The resource exists:
     % aws iam list-roles | grep cloudwatch_fetch
             "RoleName": "cloudwatch_fetch_metrics",
             "Arn": "arn:aws:iam::******:role/itsre/cloudwatch_fetch_metrics",
     % aws iam list-policies | grep cloudwatch_me
             "PolicyName": "allow_fetch_cloudwatch_metrics",
             "Arn": "arn:aws:iam::*****:policy/allow_fetch_cloudwatch_metrics",

jpswade commented 3 years ago

My issue is similar, but I don't get an error.

Instead, it appears to be successful, but then when I come to plan, it still wants to create rather than update.

% terraform import aws_iam_role_policy.codepipeline_policy AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx
aws_iam_role_policy.codepipeline_policy: Importing from ID "AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx"...
aws_iam_role_policy.codepipeline_policy: Import prepared!
  Prepared aws_iam_role_policy for import
aws_iam_role_policy.codepipeline_policy: Refreshing state... [id=AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Like the above, I can't help but think that this issue is somewhat related to the "Path": "/service-role/".

Also, it seemed like it doesn't matter what you put as the ID param it would always return a success message.

Edit: Having updated terraform, I am now getting the same error as above. I also came across this issue which seems to be similar and unresolved. https://github.com/hashicorp/terraform/issues/19936

justinretzolk commented 2 years ago

Hey y'all :wave: Thank you for taking the time to file this issue and for the additional discussion! Given that there's been a number of Terraform and AWS provider releases since the last update, can anyone confirm whether you're still experiencing this behavior?

dfreilich commented 1 year ago

I am still encountering this issue (version 4.31.0)

jpswade commented 1 year ago

I'm still seeing this issue...

% sh import.sh aws_iam_role_policy.codepipeline_policy AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx 
data.aws_s3_bucket.codepipeline_bucket: Reading...
data.aws_region.current: Reading...
data.aws_iam_role.beanstalk_ec2: Reading...
data.aws_caller_identity.current: Reading...
data.aws_region.current: Read complete after 0s [id=eu-west-1]
data.aws_iam_role.beanstalk_service_role: Reading...
aws_iam_role_policy.codepipeline_policy: Importing from ID "AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx"...
aws_iam_role_policy.codepipeline_policy: Import prepared!
  Prepared aws_iam_role_policy for import
aws_iam_role_policy.codepipeline_policy: Refreshing state... [id=AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx]
data.aws_s3_bucket.codepipeline_bucket: Read complete after 0s [id=codepipeline-eu-west-1-123456789]
data.aws_caller_identity.current: Read complete after 1s [id=123456789]
data.aws_s3_bucket.eb_bucket: Reading...
data.aws_iam_role.beanstalk_ec2: Read complete after 1s [id=aws-elasticbeanstalk-ec2-role]
data.aws_iam_role.beanstalk_service_role: Read complete after 1s [id=aws-elasticbeanstalk-service-role]
data.aws_s3_bucket.eb_bucket: Read complete after 0s [id=elasticbeanstalk-eu-west-1-123456789]
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "aws_iam_role_policy.codepipeline_policy", the provider detected that no object exists with the given id. Only pre-existing objects can be imported;
│ check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

I know the role exists:

% aws iam list-attached-role-policies --role-name AWSCodePipelineServiceRole-eu-west-1-xxx 
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSCodePipelineServiceRole-eu-west-1-xxx",
            "PolicyArn": "arn:aws:iam::123456789:policy/service-role/AWSCodePipelineServiceRole-eu-west-1-xxx"
        }
    ]
}

If you miss a parameter from the import, you get the error:

Error: role_policy id must be of the form <role name>:<policy name>

or, if you include a path you get:

The specified value for policyName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

jpke commented 1 year ago

Can confirm this is still an issue in aws provider 4.52.0

aconstantin commented 1 year ago

can confirm that too (using 4.60.0)

muneeshpandi commented 1 year ago

I am still getting the above issue with provider 4.61.0. Has anyone found a solution?

aman-adeptmind-1612 commented 1 year ago

Any update on this issue?

ChrisLMartin commented 11 months ago

Just a heads up, it may be that you're trying to import a managed policy as an inline policy. Instead of attempting an import into an aws_iam_role_policy, if you have a managed policy you instead need to import the policy as an aws_iam_policy and add an aws_iam_role_policy_attachment.

This is likely the issue faced by @the-smooth-operator, and definitely the problem faced by @jpswade, as the list-attached-role-policies command specifically:

Lists all managed policies that are attached to the specified IAM role.

An IAM role can also have inline policies embedded with it. To list the inline policies for a role, use ListRolePolicies...
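
The inline-versus-managed distinction made in the comment above, together with the import ID rules quoted earlier in the thread (the `<role name>:<policy name>` form and the policyName character-set error when a path is included), as an added Python example. This is not code from the terraform-provider-aws project or from anyone in this thread. It takes the JSON shapes returned by `aws iam list-role-policies` and `aws iam list-attached-role-policies` (the sample responses at the bottom are constructed, not captured from an account), emits the matching `terraform import` commands for each kind of policy, and explains why a given aws_iam_role_policy import ID will or will not resolve. The `<role name>/<policy ARN>` import ID for aws_iam_role_policy_attachment is the one the provider documents; skipping the aws_iam_policy import for AWS-managed policies (the `arn:aws:iam::aws:policy/` prefix) is this example's own choice, since those are not customer-owned objects.

```python
"""Decide how each policy on an IAM role must be imported into Terraform.

Added example, not code from terraform-provider-aws or this issue. Inline
policies live on the role and import into aws_iam_role_policy with the ID
"<role name>:<policy name>" (bare names, no path, no ARN). Managed policies
are separate IAM objects: the policy imports into aws_iam_policy by ARN and
the link to the role into aws_iam_role_policy_attachment with the ID
"<role name>/<policy ARN>".
"""
import re

# IAM role and policy names are limited to this character set (the policyName
# error quoted in the thread), so a "/" path component can never be part of an ID.
_IAM_NAME = re.compile(r"^[A-Za-z0-9+=,.@_-]+$")
# Assumption of this example: AWS-managed policies are referenced by ARN rather
# than imported as aws_iam_policy, because the account does not own them.
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def parse_role_policy_import_id(import_id: str) -> tuple[str, str]:
    """Validate an aws_iam_role_policy import ID of the form <role name>:<policy name>."""
    parts = import_id.split(":")
    if len(parts) != 2 or not all(parts):
        raise ValueError("role_policy id must be of the form <role name>:<policy name>")
    role, policy = parts
    for kind, value in (("role", role), ("policy", policy)):
        if not _IAM_NAME.match(value):
            raise ValueError(
                f"{kind} name {value!r} is invalid: use the bare name (no path or ARN); "
                "allowed characters are alphanumerics and +=,.@_-"
            )
    return role, policy


def tf_label(name: str) -> str:
    """Turn an IAM name into a valid Terraform resource label (letters, digits, _ and -)."""
    label = re.sub(r"[^A-Za-z0-9_-]", "_", name)
    return label if re.match(r"[A-Za-z_]", label) else "_" + label


def plan_imports(role_name: str, role_policies: dict, attached_policies: dict) -> list[str]:
    """Return one terraform import command per Terraform resource needed for the role's policies.

    role_policies is the JSON of `aws iam list-role-policies` ({"PolicyNames": [...]}),
    attached_policies the JSON of `aws iam list-attached-role-policies`.
    """
    commands = []
    for policy_name in role_policies.get("PolicyNames", []):
        role, policy = parse_role_policy_import_id(f"{role_name}:{policy_name}")
        commands.append(f"terraform import aws_iam_role_policy.{tf_label(policy)} '{role}:{policy}'")
    for attached in attached_policies.get("AttachedPolicies", []):
        arn, label = attached["PolicyArn"], tf_label(attached["PolicyName"])
        if not arn.startswith(AWS_MANAGED_PREFIX):
            # Customer managed policy: the policy object itself is imported too.
            commands.append(f"terraform import aws_iam_policy.{label} '{arn}'")
        commands.append(
            f"terraform import aws_iam_role_policy_attachment.{label} '{role_name}/{arn}'"
        )
    return commands


def explain_role_policy_import(import_id: str, role_policies: dict, attached_policies: dict) -> str:
    """Say why `terraform import aws_iam_role_policy.X <import_id>` will or will not find an object."""
    try:
        role, policy = parse_role_policy_import_id(import_id)
    except ValueError as exc:
        return f"rejected before any API call: {exc}"
    if policy in role_policies.get("PolicyNames", []):
        return f"ok: {policy!r} is an inline policy of role {role!r}"
    managed = {p["PolicyName"]: p["PolicyArn"] for p in attached_policies.get("AttachedPolicies", [])}
    if policy in managed:
        return (f"not found: {policy!r} is a managed policy ({managed[policy]}) attached to {role!r}; "
                "import it as aws_iam_policy plus aws_iam_role_policy_attachment")
    return f"not found: role {role!r} has no inline policy named {policy!r}"


# Constructed sample data in the shape of the two CLI responses (not real output).
ROLE = "example-role"
LIST_ROLE_POLICIES = {"PolicyNames": ["allow_fetch_cloudwatch_metrics"]}
LIST_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "example-role-policy",
     "PolicyArn": "arn:aws:iam::123456789012:policy/service-role/example-role-policy"},
    {"PolicyName": "CloudWatchReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"},
]}

if __name__ == "__main__":
    for cmd in plan_imports(ROLE, LIST_ROLE_POLICIES, LIST_ATTACHED):
        print(cmd)
    for import_id in (f"{ROLE}:example-role-policy", f"{ROLE}:service-role/example-role-policy", ROLE):
        print(explain_role_policy_import(import_id, LIST_ROLE_POLICIES, LIST_ATTACHED))
```

Run it against real data by feeding the output of `aws iam list-role-policies --role-name R` and `aws iam list-attached-role-policies --role-name R` into `plan_imports`; a policy that appears only in the second listing will never import into aws_iam_role_policy, whatever ID is tried.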

samveen commented 2 weeks ago

From the aws_role_policy section of the provider docs:

NOTE:

For a given role, this resource is incompatible with using the aws_iam_role resource inline_policy argument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.

I hit this issue today while importing terraformer-generated Terraform code, before re-reading the docs and figuring out that terraformer is duplicating the aws_role.$ROLE.inline_policy into an aws_role_policy as well.