Exclusive management of inline & managed policies for IAM users

YakDriver commented 3 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Descends from #4426

Description

Add feature to revert out-of-band changes to attached (managed) and inline policies associated with an IAM user.

New or Affected Resource(s)

aws_iam_user

Potential Terraform Configuration

resource "aws_iam_user" "example" {
  name          = "yak_user"
  inline_policy = []
}

resource "aws_iam_user" "example" {
  name = "yak_user"

  inline_policy {
    name = "my_inline_policy"

    policy = <<EOF
{
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
EOF
  }

  inline_policy {
    name   = "policy-8675309"
    policy = data.aws_iam_policy_document.inline_policy.json
  }
}

resource "aws_iam_user" "example" {
  name                = "yak_user"
  managed_policy_arns = [aws_iam_policy.policy_one.arn, aws_iam_policy.policy_two.arn]
}

References

4426
5904
17510
17511

ChaseFreeman17 commented 2 years ago

I would love to see this prioritized higher, until this is implemented drift will not show when managed policies or inline policies are attached to a IAM User outside of Terraform.

Basically if we see "aws_iam_user_policy_attachment" resource block we consider that as risk to our IaC as it will not drift properly.

I think the implementation of https://github.com/hashicorp/terraform-provider-aws/issues/17510 is exactly what is needed for users.

github-actions[bot] commented 2 weeks ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

lorengordon commented 2 weeks ago

Not stale, still highly desired

hashicorp / terraform-provider-aws