hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Provider produced inconsistent result after apply #34625

Open srslafazan opened 10 months ago

srslafazan commented 10 months ago

Terraform Core Version

1.5.4

AWS Provider Version

5.28.0

Affected Resource(s)

aws_iam_policy_attachment

Expected Behavior

Should create the policy attachment resources in a consistent way on every apply.

Actual Behavior

Fails with an inconsistent apply from the same source config.

Relevant Error/Panic Output Snippet

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ module.roles.module.iam_role.aws_iam_policy_attachment.policy_attach["ecs_role-task_definition_policy"],
│ provider "provider[\"registry.terraform.io/hashicorp/aws\"].apps" produced
│ an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Terraform Configuration Files

variable "policies" {
  type = map(object({
    name        = string
    description = string
    policies = list(object({
      sid       = string
      effect    = string
      actions   = list(string)
      resources = list(string)
    }))
  }))
}

variable "roles" {
  type = map(object({
    name            = string
    description     = string
    attach_policies = list(string)
    policy = list(object({
      sid        = string
      effect     = string
      actions    = list(string)
      principals = object({ type = string, identifiers = string })
    }))
  }))
}

variable "tags" {
  type    = any
  default = {}
}

locals {
  # role key => list of policy keys to attach to that role
  attachement = { for key, role in var.roles : key => role.attach_policies }
  # flattened list of { role, policy } pairs
  attach_policy = flatten([
    for k in keys(local.attachement) : [
      for e in local.attachement[k] : { "role" = k, "policy" = e }
    ]
  ])
}

data "aws_iam_policy_document" "custom_iam_policy" {
  for_each = var.policies

  dynamic "statement" {
    for_each = each.value.policies
    content {
      sid       = lookup(statement.value, "sid", null)
      effect    = lookup(statement.value, "effect", null)
      actions   = lookup(statement.value, "actions", null)
      resources = lookup(statement.value, "resources", null)
    }
  }
}

resource "aws_iam_policy" "policy_document" {
  for_each    = var.policies
  name        = each.value.name
  description = each.value.description
  policy      = data.aws_iam_policy_document.custom_iam_policy[each.key].json
  tags        = var.tags
}

data "aws_iam_policy_document" "assume_role_policy" {
  for_each = var.roles

  dynamic "statement" {
    for_each = each.value.policy
    content {
      actions = lookup(statement.value, "actions")
      effect  = lookup(statement.value, "effect")
      sid     = lookup(statement.value, "sid")

      # One principals block per statement. Iterating the principals object
      # itself runs once per attribute (type, identifiers) and emits the same
      # block twice, so it is wrapped in a single-element list instead.
      dynamic "principals" {
        for_each = statement.value.principals == null ? [] : [statement.value.principals]
        content {
          type        = principals.value.type
          identifiers = [principals.value.identifiers]
        }
      }
    }
  }
}

resource "aws_iam_role" "role" {
  for_each           = var.roles
  name               = each.value.name
  description        = each.value.description
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy[each.key].json
  tags               = var.tags
}

# One attachment resource per (role, policy) pair, keyed "<role>-<policy>".
resource "aws_iam_policy_attachment" "policy_attach" {
  for_each   = { for ap in local.attach_policy : "${ap.role}-${ap.policy}" => ap }
  name       = "${each.value.role}-${each.value.policy}-attachment"
  roles      = [aws_iam_role.role[each.value.role].name]
  policy_arn = aws_iam_policy.policy_document[each.value.policy].arn
}

Steps to Reproduce

Create the policies with terraform apply and you will see the error output.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
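Added note and example, not part of the reporter's configuration and not a maintainer's diagnosis: the provider documents aws_iam_policy_attachment as an exclusive attachment that manages the complete set of roles, users and groups attached to one policy. The configuration above creates one such resource per (role, policy) pair, so when the same policy key appears in attach_policies of more than one role, two instances manage the same policy ARN and each apply detaches the other's role, which is one plausible way to end up with "Root resource was present, but now absent" (an assumption; the thread does not confirm the cause). Both shapes below avoid that overlap and assume the same local.attach_policy, aws_iam_role.role and aws_iam_policy.policy_document names.

```hcl
# Option 1: non-exclusive, one role <-> one policy per resource. Other
# attachments of the same policy (other roles, other stacks) are left alone.
resource "aws_iam_role_policy_attachment" "policy_attach" {
  for_each   = { for ap in local.attach_policy : "${ap.role}-${ap.policy}" => ap }
  role       = aws_iam_role.role[each.value.role].name
  policy_arn = aws_iam_policy.policy_document[each.value.policy].arn
}

# Option 2: keep the exclusive semantics, but declare exactly one
# aws_iam_policy_attachment per policy that lists every role using it,
# so no two resources ever compete for the same policy ARN.
locals {
  # policy key => list of role keys that attach it (derived from attach_policy)
  roles_per_policy = {
    for p in distinct(local.attach_policy[*].policy) :
    p => [for ap in local.attach_policy : ap.role if ap.policy == p]
  }
}

resource "aws_iam_policy_attachment" "exclusive" {
  for_each   = local.roles_per_policy
  name       = "${each.key}-attachment"
  roles      = [for r in each.value : aws_iam_role.role[r].name]
  policy_arn = aws_iam_policy.policy_document[each.key].arn
}
```

Use one option or the other, not both, since Option 2 would revoke any attachment Option 1 makes outside its roles list.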

ewbankkit commented 10 months ago

Similar: https://github.com/hashicorp/terraform-provider-aws/issues/34657.