hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Terraform plan/apply ignores managed_policy_arns changes in aws_iam_role #38287

Open Z4ck404 opened 1 week ago

Z4ck404 commented 1 week ago

Terraform Core Version

1.3.2

AWS Provider Version

5.57.0

Affected Resource(s)

aws_iam_role

Expected Behavior

When applying updates to the aws_iam_role resource in Terraform, specifically changes to the managed_policy_arns attribute, the expected behavior is that Terraform should detect any modifications to the list of ARNs and apply these changes accordingly to the IAM role in AWS.

```hcl
resource "aws_iam_role" "example_role" {
  name                 = "example-role"
  max_session_duration = 12 * 3600
  assume_role_policy   = data.aws_iam_policy_document.example_assume_role_policy.json

  managed_policy_arns = [
    "arn:aws:iam::${local.account_id}:policy/example-policy-1",
    "arn:aws:iam::${local.account_id}:policy/example-policy-2",
    "arn:aws:iam::${local.account_id}:policy/example-policy-3"
  ]
}
```

When the managed_policy_arns list is updated in the Terraform configuration file, running terraform apply should detect the changes and update the IAM role's attached managed policies to reflect the new configuration.

Actual Behavior

Terraform's apply operation does not detect changes made to the managed_policy_arns attribute. As a result, the IAM role in AWS does not get updated with the new set of managed policy ARNs, leading to a state drift between the Terraform state and the actual IAM role configuration in AWS.

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

```hcl
resource "aws_iam_role" "example_role" {
  name                 = "example-role"
  max_session_duration = 12 * 3600
  assume_role_policy   = data.aws_iam_policy_document.example_assume_role_policy.json

  managed_policy_arns = [
    "arn:aws:iam::${local.account_id}:policy/example-policy-1",
    "arn:aws:iam::${local.account_id}:policy/example-policy-2",
    "arn:aws:iam::${local.account_id}:policy/example-policy-3"
  ]
}
```

Update the managed_policy_arns and you will get the same plan.

Steps to Reproduce

- Define an aws_iam_role resource with a set of managed_policy_arns.
- Apply the configuration using terraform apply.
- Modify the managed_policy_arns list in the Terraform configuration file.
- Run terraform apply/plan again.
- Observe that the IAM role in AWS does not reflect the changes to the managed_policy_arns.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
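Independent drift check for the situation this report describes. This is an added example, not code from the issue or from the provider: it takes the managed_policy_arns that Terraform believes it declared (the `values.root_module` tree that `terraform show -json` emits, including nested `child_modules`) and compares them with what IAM actually reports for the role (the `AttachedPolicies` / `IsTruncated` shape returned by `iam:ListAttachedRolePolicies`). Both inputs below are constructed samples with a placeholder account id: the state reflects a configuration where example-policy-3 was swapped for example-policy-4, while the IAM pages show the role still carrying the old three attachments, which is exactly the drift the report says Terraform fails to surface. In real use the IAM pages would come from boto3's `list_attached_role_policies`, with `Marker` used to fetch further pages when `IsTruncated` is set; that call is not made here so the example runs offline.

```python
"""Detect drift between managed_policy_arns in Terraform state and the
managed policies actually attached to an IAM role (added example)."""
import json
from typing import Dict, Iterable, Iterator, List, Set

# Constructed sample: the relevant slice of `terraform show -json` output.
# 123456789012 is a placeholder account id, not a real one.
TF_STATE_JSON = json.dumps({
    "values": {"root_module": {
        "resources": [],
        "child_modules": [{
            "address": "module.iam",
            "resources": [{
                "address": "module.iam.aws_iam_role.example_role",
                "mode": "managed",
                "type": "aws_iam_role",
                "name": "example_role",
                "values": {
                    "name": "example-role",
                    "managed_policy_arns": [
                        "arn:aws:iam::123456789012:policy/example-policy-1",
                        "arn:aws:iam::123456789012:policy/example-policy-2",
                        "arn:aws:iam::123456789012:policy/example-policy-4",
                    ],
                },
            }],
        }],
    }},
})

# Constructed sample: two pages of iam:ListAttachedRolePolicies output for the
# role, showing the attachments the apply should have changed but did not.
ATTACHED_PAGES = [
    {"AttachedPolicies": [
        {"PolicyName": "example-policy-1",
         "PolicyArn": "arn:aws:iam::123456789012:policy/example-policy-1"},
        {"PolicyName": "example-policy-2",
         "PolicyArn": "arn:aws:iam::123456789012:policy/example-policy-2"},
    ], "IsTruncated": True, "Marker": "page-2"},
    {"AttachedPolicies": [
        {"PolicyName": "example-policy-3",
         "PolicyArn": "arn:aws:iam::123456789012:policy/example-policy-3"},
    ], "IsTruncated": False},
]


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a terraform show -json module tree, root and children."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def declared_role_policies(state_json: str) -> Dict[str, Set[str]]:
    """Map IAM role name -> set of managed_policy_arns Terraform state declares."""
    root = json.loads(state_json)["values"]["root_module"]
    declared: Dict[str, Set[str]] = {}
    for res in iter_resources(root):
        # Skip data sources; only managed aws_iam_role resources own attachments.
        if res.get("type") != "aws_iam_role" or res.get("mode", "managed") != "managed":
            continue
        vals = res["values"]
        # managed_policy_arns is null when the attribute is unset in config.
        declared[vals["name"]] = set(vals.get("managed_policy_arns") or [])
    return declared


def attached_policies(pages: Iterable[dict]) -> Set[str]:
    """Merge every page of a ListAttachedRolePolicies response into one ARN set."""
    return {p["PolicyArn"] for page in pages for p in page.get("AttachedPolicies", [])}


def drift(declared: Set[str], actual: Set[str]) -> Dict[str, List[str]]:
    """Report ARNs Terraform expects but IAM lacks, and ARNs IAM has but Terraform does not."""
    return {
        "missing_in_aws": sorted(declared - actual),
        "unexpected_in_aws": sorted(actual - declared),
    }


def check_roles(state_json: str, iam_pages_by_role: Dict[str, List[dict]]) -> Dict[str, Dict[str, List[str]]]:
    """Compare every declared role against the IAM pages fetched for it."""
    report = {}
    for role, declared in declared_role_policies(state_json).items():
        actual = attached_policies(iam_pages_by_role.get(role, []))
        report[role] = drift(declared, actual)
    return report


def has_drift(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True if any role has a non-empty difference in either direction."""
    return any(v["missing_in_aws"] or v["unexpected_in_aws"] for v in report.values())


if __name__ == "__main__":
    result = check_roles(TF_STATE_JSON, {"example-role": ATTACHED_PAGES})
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if has_drift(result) else 0)
```

Running this in CI after `terraform apply` turns the silent no-op described above into a failing check: a non-zero exit means IAM and the Terraform configuration disagree about which managed policies a role carries, regardless of what the plan claimed.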
