hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: #38080

Open magzim21 opened 3 months ago

magzim21 commented 3 months ago

Terraform Core Version

v1.8.2

AWS Provider Version

5.51.1

Affected Resource(s)

aws_iam_role

Expected Behavior

Replacing works without error "Role with name X already exists"

Actual Behavior

When a replacement is in the plan, I get a "Role with name X already exists" error. The second apply works correctly. I guess a "wait" needs to be implemented for this resource when replacing.

Relevant Error/Panic Output Snippet

│ Error: creating IAM Role (github-actions-agent-ecr): operation error IAM: CreateRole, https response error StatusCode: 409, RequestID: a452d898-bc00-4acb-a23b-a38e001bce2b, EntityAlreadyExists: Role with name github-actions-agent-ecr already exists.
│
│   with aws_iam_role.shared_services_gha_agent_ecr,
│   on aws-shared-services-iam-gh-oidc.tf line 17, in resource "aws_iam_role" "shared_services_gha_agent_ecr":
│   17: resource "aws_iam_role" "shared_services_gha_agent_ecr" {
│

Terraform Configuration Files

resource "aws_iam_role" "shared_services_gha_agent" { # for future use
  provider = aws.shared-services
  name     = "github-actions-agent"

  inline_policy {
    name = "s3Read"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "s3:ListBuckets"
          ]
          Resource = "*"
        }
      ]
    })
  }

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_openid_connect_provider.github.arn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            "token.actions.githubusercontent.com:aud" = tolist(aws_iam_openid_connect_provider.github.client_id_list)[0]
          }
          StringLike = {
            "token.actions.githubusercontent.com:sub" = "repo:${var.organization_name}/terraform:environment:organization" # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws
            # "token.actions.githubusercontent.com:repository_owner" = "codelaw" # TODO / try this
          }
        }
      }
    ]
  })

}

Steps to Reproduce

Apply. Change role name. Apply. Get error.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
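To illustrate the bounded "wait" the reporter suggests for the EntityAlreadyExists (HTTP 409) response after a delete-then-create of the same role name, here is an added example that is not the provider's code: a retry wrapper around CreateRole that backs off only on that error code and re-raises everything else. The ClientError class and the FakeIAM client are constructed stand-ins (mirroring the shape of botocore's ClientError and a boto3 IAM client) so the example runs offline.

```python
import time


class ClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError; the real one
    exposes the same response["Error"]["Code"] field used below."""

    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


def create_role_with_retry(iam, role_name, assume_role_policy,
                           attempts=5, base_delay=1.0, sleep=time.sleep):
    """Call iam.create_role, retrying only on EntityAlreadyExists.

    IAM is eventually consistent: shortly after DeleteRole the service can
    still report the name as taken. A bounded exponential backoff gives the
    deletion time to propagate. Any other error (AccessDenied, malformed
    policy, ...) is raised at once, and a role that genuinely exists still
    fails after the last attempt, so the retry never hides a real conflict.
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return iam.create_role(RoleName=role_name,
                                   AssumeRolePolicyDocument=assume_role_policy)
        except ClientError as err:
            code = err.response["Error"]["Code"]
            if code != "EntityAlreadyExists" or attempt == attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, 30.0)


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client: answers the first
    `stale_reads` CreateRole calls with EntityAlreadyExists, then succeeds,
    modelling a deletion that has not yet propagated."""

    def __init__(self, stale_reads):
        self.stale_reads = stale_reads
        self.calls = 0

    def create_role(self, RoleName, AssumeRolePolicyDocument):
        self.calls += 1
        if self.calls <= self.stale_reads:
            raise ClientError("EntityAlreadyExists",
                              f"Role with name {RoleName} already exists.")
        return {"Role": {"RoleName": RoleName}}
```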

github-actions[bot] commented 3 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 3 months ago

Hey @magzim21 👋 Thank you for taking the time to raise this! Would you mind updating the issue to have a more descriptive title? That helps a lot when we're working through issues.