hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: aws_iam_role_policy_attachments_exclusive must warn user of misconfiguration #39812

Open vbauchart opened 1 month ago

vbauchart commented 1 month ago

Description

When I mix the aws_iam_role_policy_attachments_exclusive resource with any other resource that manages the policy of this role, I get hazardous results, as said in the documentation.

But the documentation is not sufficient. The provider should fail explicitly, or at least give a clear warning, to prevent the user from getting an inconsistent configuration.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_iam_role" "cluster-instance" {
  name = "IAM.ROLE.ECS.CLUSTER-INSTANCE"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachments_exclusive" "cluster-instance" {
  role_name = aws_iam_role.cluster-instance.name
  policy_arns = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  ]
}

resource "aws_iam_role_policy_attachments_exclusive" "cluster-instance2" {
  role_name = aws_iam_role.cluster-instance.name
  policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
  ]
}

resource "aws_iam_role_policy_attachment" "cluster-instance3" {
  role       = aws_iam_role.cluster-instance.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
}

References

No response

Would you like to implement a fix?

No
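As an added example (not code from the issue or from the provider), a small Python check that flags this misconfiguration before plan time: it scans top-level resource blocks for the exclusive resource and the per-policy attachment resource, groups them by the role expression they reference, and reports any role claimed by an exclusive resource alongside another manager. The sample configuration is constructed from the issue's reproduction (assume_role_policy omitted), and the regex parsing is a simplification of HCL that assumes each top-level block closes with a brace in column 0.

```python
import re
from collections import defaultdict

# Constructed sample (from the issue's reproduction, assume_role_policy
# omitted): three resources all manage the same role's attachments.
SAMPLE_TF = '''
resource "aws_iam_role" "cluster-instance" {
  name = "IAM.ROLE.ECS.CLUSTER-INSTANCE"
}

resource "aws_iam_role_policy_attachments_exclusive" "cluster-instance" {
  role_name   = aws_iam_role.cluster-instance.name
  policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
}

resource "aws_iam_role_policy_attachments_exclusive" "cluster-instance2" {
  role_name   = aws_iam_role.cluster-instance.name
  policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"]
}

resource "aws_iam_role_policy_attachment" "cluster-instance3" {
  role       = aws_iam_role.cluster-instance.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
}
'''

EXCLUSIVE = "aws_iam_role_policy_attachments_exclusive"   # claims the whole set
PER_POLICY = {"aws_iam_role_policy_attachment"}            # manages one attachment

# Top-level resource blocks (closing brace at column 0) and their role argument.
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ROLE_RE = re.compile(r'^\s*(?:role_name|role)\s*=\s*(\S+)', re.M)


def find_conflicts(hcl: str) -> dict:
    """Map role expression -> resource addresses, for roles whose attachments
    are claimed by an exclusive resource together with any other manager."""
    managers = defaultdict(list)
    for rtype, rname, body in BLOCK_RE.findall(hcl):
        if rtype != EXCLUSIVE and rtype not in PER_POLICY:
            continue
        m = ROLE_RE.search(body)
        if m:
            managers[m.group(1)].append(f"{rtype}.{rname}")
    return {role: addrs for role, addrs in managers.items()
            if len(addrs) > 1 and any(a.startswith(EXCLUSIVE + ".") for a in addrs)}
```

The check keys on the literal role expression, so a role referenced as `.name` in one block and `.id` in another is not correlated. Run against the issue's configuration it reports all three attachment resources for `aws_iam_role.cluster-instance.name`.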

justinretzolk commented 1 month ago

Hey @vbauchart 👋 Thank you for taking the time to raise this! I'm not sure it's possible to achieve what you're referring to here due to the way that Terraform works at its core. Each resource is independent of one another (aside from implicit/explicit dependencies that help determine the order of operations), so there's no way for Terraform to "know" that it shouldn't allow the configuration. That sort of mechanism would first need to be implemented at the Terraform Core level before the AWS Provider would be able to fail for this sort of misconfiguration.

That said, I'm going to leave this enhancement open for now, in case I've missed some key bit of information, someone else has a different opinion, or in case Terraform Core implements something that would help us to accomplish this. It may be worth opening a feature request in the Terraform Core repository for better visibility.

vbauchart commented 1 month ago

To be honest, I somewhat expected this response. In my opinion, all the new "_exclusive" resources partially violate the core Terraform concepts of idempotency and should simply not be used.