hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Terraform plan/apply ignores managed_policy_arns changes in aws_iam_role #38287

Open Z4ck404 opened 4 months ago

Z4ck404 commented 4 months ago

Terraform Core Version

1.3.2

AWS Provider Version

5.57.0

Affected Resource(s)

aws_iam_role

Expected Behavior

When applying updates to the aws_iam_role resource in Terraform, specifically changes to the managed_policy_arns attribute, the expected behavior is that Terraform should detect any modifications to the list of ARNs and apply these changes accordingly to the IAM role in AWS.

```hcl
resource "aws_iam_role" "example_role" {
  name                 = "example-role"
  max_session_duration = 12 * 3600
  assume_role_policy   = data.aws_iam_policy_document.example_assume_role_policy.json

  managed_policy_arns = [
    "arn:aws:iam::${local.account_id}:policy/example-policy-1",
    "arn:aws:iam::${local.account_id}:policy/example-policy-2",
    "arn:aws:iam::${local.account_id}:policy/example-policy-3"
  ]
}
```

When the managed_policy_arns list is updated in the Terraform configuration file, running terraform apply should detect the changes and update the IAM role's attached managed policies to reflect the new configuration.

Actual Behavior

Terraform's apply operation does not detect changes made to the managed_policy_arns attribute. As a result, the IAM role in AWS does not get updated with the new set of managed policy ARNs, leading to a state drift between the Terraform state and the actual IAM role configuration in AWS.

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

```hcl
resource "aws_iam_role" "example_role" {
  name                 = "example-role"
  max_session_duration = 12 * 3600
  assume_role_policy   = data.aws_iam_policy_document.example_assume_role_policy.json

  managed_policy_arns = [
    "arn:aws:iam::${local.account_id}:policy/example-policy-1",
    "arn:aws:iam::${local.account_id}:policy/example-policy-2",
    "arn:aws:iam::${local.account_id}:policy/example-policy-3"
  ]
}
```

Update the managed_policy_arns and you will get the same plan.

Steps to Reproduce

- Define an aws_iam_role resource with a set of managed_policy_arns.
- Apply the configuration using terraform apply.
- Modify the managed_policy_arns list in the Terraform configuration file.
- Run terraform apply/plan again.
- Observe that the IAM role in AWS does not reflect the changes to the managed_policy_arns.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 4 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

acwwat commented 4 months ago

@Z4ck404 Please provide the before and after Terraform configurations, so it's clear what changes you are making to the managed_policy_arns argument.

In general, I am not able to reproduce the problem, as adding and removing policies in managed_policy_arns resulted in the appropriate updates. The update logic in the resource code is quite straightforward in detecting and managing the differences for the managed_policy_arns argument.

The only case where it could be an issue is removing or setting to null the managed_policy_arns when it was previously set in the TF configuration. In that case, per the documentation, you should just set managed_policy_arns to an empty list to remove all attached IAM managed policies anyway.

Z4ck404 commented 4 months ago

Hey @acwwat,

> The only case where it could be an issue is removing or setting to null the managed_policy_arns when it was previously set in the TF configuration.

That's exactly my case: the policies were previously set when I was doing some testing, then removed later (I just removed the whole field and didn't set it to null or []).

I missed the description of the attribute where the behavior is mentioned.
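The two configurations discussed above, side by side, as an added example (not code from the issue or from the provider). The first block is the "before" state; the second is what the reporter did (dropping the argument), which leaves the three policies attached and produces no plan diff; the third is the form the provider documentation calls for. The role name, policy names and `local.account_id` are the issue's own placeholders; the data source name is assumed from the reporter's snippet.

```hcl
# Before: three customer-managed policies attached via managed_policy_arns.
resource "aws_iam_role" "example_role" {
  name               = "example-role"
  assume_role_policy = data.aws_iam_policy_document.example_assume_role_policy.json

  managed_policy_arns = [
    "arn:aws:iam::${local.account_id}:policy/example-policy-1",
    "arn:aws:iam::${local.account_id}:policy/example-policy-2",
    "arn:aws:iam::${local.account_id}:policy/example-policy-3"
  ]
}

# Removing the argument entirely (what the reporter did) does NOT detach
# anything: an absent managed_policy_arns is treated as "not managed here",
# so terraform plan shows no change and the three policies stay attached.
# The role keeps permissions that no longer appear anywhere in configuration.
resource "aws_iam_role" "example_role" {
  name               = "example-role"
  assume_role_policy = data.aws_iam_policy_document.example_assume_role_policy.json
}

# Correct way to detach all managed policies, per the provider documentation
# referenced in the thread: keep the argument and set it to an empty list.
# Terraform then plans the removal of the three existing attachments.
resource "aws_iam_role" "example_role" {
  name               = "example-role"
  assume_role_policy = data.aws_iam_policy_document.example_assume_role_policy.json

  managed_policy_arns = []
}
```

The three blocks share a resource address only for comparison; a real configuration contains exactly one of them. The practical check after any edit to this argument is to confirm that `terraform plan` actually shows a diff on `managed_policy_arns`; a silent "No changes" while the intent was to detach policies means the role still carries the old permissions.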