Open the-smooth-operator opened 4 years ago
My issue is similar, but I don't get an error.
Instead, it appears to be successful, but then when I come to plan, it still wants to create rather than update.
% terraform import aws_iam_role_policy.codepipeline_policy AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx
aws_iam_role_policy.codepipeline_policy: Importing from ID "AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx"...
aws_iam_role_policy.codepipeline_policy: Import prepared!
Prepared aws_iam_role_policy for import
aws_iam_role_policy.codepipeline_policy: Refreshing state... [id=AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
Like the above, I can't help but think that this issue is somewhat related to the "Path": "/service-role/".
Also, it seemed like it doesn't matter what you put as the ID param; it would always return a success message.
Edit: Having updated terraform, I am now getting the same error as above. I also came across this issue which seems to be similar and unresolved. https://github.com/hashicorp/terraform/issues/19936
Hey y'all :wave: Thank you for taking the time to file this issue and for the additional discussion! Given that there's been a number of Terraform and AWS provider releases since the last update, can anyone confirm whether you're still experiencing this behavior?
I am still encountering this issue (version 4.31.0)
I'm still seeing this issue...
% sh import.sh aws_iam_role_policy.codepipeline_policy AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx
data.aws_s3_bucket.codepipeline_bucket: Reading...
data.aws_region.current: Reading...
data.aws_iam_role.beanstalk_ec2: Reading...
data.aws_caller_identity.current: Reading...
data.aws_region.current: Read complete after 0s [id=eu-west-1]
data.aws_iam_role.beanstalk_service_role: Reading...
aws_iam_role_policy.codepipeline_policy: Importing from ID "AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx"...
aws_iam_role_policy.codepipeline_policy: Import prepared!
Prepared aws_iam_role_policy for import
aws_iam_role_policy.codepipeline_policy: Refreshing state... [id=AWSCodePipelineServiceRole-eu-west-1-xxx:AWSCodePipelineServiceRole-eu-west-1-xxx]
data.aws_s3_bucket.codepipeline_bucket: Read complete after 0s [id=codepipeline-eu-west-1-123456789]
data.aws_caller_identity.current: Read complete after 1s [id=123456789]
data.aws_s3_bucket.eb_bucket: Reading...
data.aws_iam_role.beanstalk_ec2: Read complete after 1s [id=aws-elasticbeanstalk-ec2-role]
data.aws_iam_role.beanstalk_service_role: Read complete after 1s [id=aws-elasticbeanstalk-service-role]
data.aws_s3_bucket.eb_bucket: Read complete after 0s [id=elasticbeanstalk-eu-west-1-123456789]
╷
│ Error: Cannot import non-existent remote object
│
│ While attempting to import an existing object to "aws_iam_role_policy.codepipeline_policy", the provider detected that no object exists with the given id. Only pre-existing objects can be imported;
│ check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵
I know the role exists:
% aws iam list-attached-role-policies --role-name AWSCodePipelineServiceRole-eu-west-1-xxx
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSCodePipelineServiceRole-eu-west-1-xxx",
            "PolicyArn": "arn:aws:iam::123456789:policy/service-role/AWSCodePipelineServiceRole-eu-west-1-xxx"
        }
    ]
}
If you miss a parameter from the import, you get the error:
Error: role_policy id must be of the form <role name>:<policy name>
or, if you include a path you get:
The specified value for policyName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
Can confirm this is still an issue in aws provider 4.52.0
can confirm that too (using 4.60.0)
I am still getting the above issue with provider (4.61.0). Has anyone found a solution?
Any update on this issue?
Just a heads up, it may be that you're trying to import a managed policy as an inline policy. Instead of attempting import into an aws_iam_role_policy, if you have a managed policy you instead need to import the policy as aws_iam_policy and add an aws_iam_role_policy_attachment.
This is likely the issue faced by @the-smooth-operator, and definitely the problem faced by @jpswade, as the list-attached-role-policies command specifically:
Lists all managed policies that are attached to the specified IAM role.
An IAM role can also have inline policies embedded with it. To list the inline policies for a role, use ListRolePolicies...
From the aws_role_policy section of the provider docs:
NOTE:
For a given role, this resource is incompatible with using the aws_iam_role resource inline_policy argument. When using that argument and this resource, both will attempt to manage the role's inline policies and Terraform will show a permanent difference.
I hit this issue today while importing terraformer-generated terraform code, before re-reading the docs and figuring out that terraformer is duplicating the aws_role.$ROLE.inline_policy into an aws_role_policy as well.
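The comments above come down to one check: is the policy named on the role an inline policy (ListRolePolicies) or a managed policy attached to it (ListAttachedRolePolicies)? The following is an added helper, not code from the thread or from the AWS provider, that runs the decision offline against constructed JSON shaped like the two CLI outputs seen on this page (the role name, policy name, account ID and /service-role/ path are taken from the thread's redacted output). It emits the `<role name>:<policy name>` ID the provider demands for aws_iam_role_policy, rejects a path or disallowed characters in the policy name up front (the charset is the one quoted in the provider error above), and for a managed policy emits the two imports the thread recommends instead: aws_iam_policy by ARN and aws_iam_role_policy_attachment by `<role name>/<policy ARN>`, which are the import ID forms documented for those resources in the AWS provider.

```python
"""Pick the right `terraform import` for a policy on an IAM role.

Added example for this issue thread; not provider code. The sample JSON below is
constructed to mirror `aws iam list-role-policies` and
`aws iam list-attached-role-policies` output, so the script runs offline.
"""
import json
import re

# Constructed sample: what `aws iam list-attached-role-policies` returned in the thread
# (managed policy living under the /service-role/ path).
SAMPLE_ATTACHED = json.loads("""
{
  "AttachedPolicies": [
    {
      "PolicyName": "AWSCodePipelineServiceRole-eu-west-1-xxx",
      "PolicyArn": "arn:aws:iam::123456789:policy/service-role/AWSCodePipelineServiceRole-eu-west-1-xxx"
    }
  ]
}
""")

# Constructed sample: shape of `aws iam list-role-policies` for a role that has one
# inline policy (names taken from the original issue's reproduction step).
SAMPLE_INLINE = json.loads('{"PolicyNames": ["allow_fetch_cloudwatch_metrics"]}')

# Charset from the provider error quoted on this page:
# "It must contain only alphanumeric characters and/or the following: +=,.@_-"
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]+$")


def classify(policy_name, inline_json, attached_json):
    """Return 'inline', 'managed', or None for a policy name on a role."""
    if policy_name in inline_json.get("PolicyNames", []):
        return "inline"
    for attached in attached_json.get("AttachedPolicies", []):
        if attached.get("PolicyName") == policy_name:
            return "managed"
    return None


def attached_policy_arn(policy_name, attached_json):
    """Look up the ARN of an attached managed policy by name."""
    for attached in attached_json.get("AttachedPolicies", []):
        if attached.get("PolicyName") == policy_name:
            return attached["PolicyArn"]
    raise LookupError(f"no attached managed policy named {policy_name!r}")


def role_policy_import_id(role_name, policy_name):
    """Build the <role name>:<policy name> ID for aws_iam_role_policy.

    A path such as 'service-role/...' or an ARN is rejected here, which is the
    'policyName is invalid' failure mode described in the thread.
    """
    if not POLICY_NAME_RE.match(policy_name):
        raise ValueError(
            f"policy name {policy_name!r} is not a bare inline policy name "
            "(no path or ARN; allowed chars: alphanumerics and +=,.@_-)"
        )
    if not POLICY_NAME_RE.match(role_name):
        raise ValueError(f"role name {role_name!r} contains disallowed characters")
    return f"{role_name}:{policy_name}"


def import_commands(label, role_name, policy_name, inline_json, attached_json):
    """Return the terraform import command(s) for Terraform resource name `label`.

    Inline  -> one aws_iam_role_policy import.
    Managed -> aws_iam_policy (by ARN) plus aws_iam_role_policy_attachment
               (by <role name>/<policy ARN>), as the thread recommends.
    """
    kind = classify(policy_name, inline_json, attached_json)
    if kind == "inline":
        rp_id = role_policy_import_id(role_name, policy_name)
        return [f"terraform import aws_iam_role_policy.{label} {rp_id}"]
    if kind == "managed":
        arn = attached_policy_arn(policy_name, attached_json)
        return [
            f"terraform import aws_iam_policy.{label} {arn}",
            f"terraform import aws_iam_role_policy_attachment.{label} {role_name}/{arn}",
        ]
    raise LookupError(
        f"role {role_name!r} has no inline or attached policy named {policy_name!r}; "
        "check the name and the configured account/region"
    )


if __name__ == "__main__":
    role = "AWSCodePipelineServiceRole-eu-west-1-xxx"
    for cmd in import_commands("codepipeline_policy", role, role, SAMPLE_INLINE, SAMPLE_ATTACHED):
        print(cmd)
    for cmd in import_commands("allow_fetch_cloudwatch_metrics", "cloudwatch_fetch_metrics",
                               "allow_fetch_cloudwatch_metrics", SAMPLE_INLINE, SAMPLE_ATTACHED):
        print(cmd)
```

In practice you would feed the two JSON documents from the live CLI calls (`aws iam list-role-policies --role-name ...` and `aws iam list-attached-role-policies --role-name ...`) into `import_commands`; the point of the `classify` step is that a managed policy never appears in ListRolePolicies, so an aws_iam_role_policy import for it can only ever hit "Cannot import non-existent remote object".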
Terraform Version
Terraform v0.11.14
Affected Resource(s)
Terraform Configuration Files
Debug Output
https://gist.github.com/The-smooth-operator/2bd93ac34e504cf4d1c32e92475a393c
Expected Behavior
aws_iam_role_policy.allow_fetch_cloudwatch_metrics: Import complete!
Actual Behavior
Steps to Reproduce
terraform import aws_iam_role_policy.allow_fetch_cloudwatch_metrics cloudwatch_fetch_metrics:allow_fetch_cloudwatch_metrics
Important Factoids