hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

aws_iam_policy_attachment : adding a new role causes the others to be removed #20169

Closed dimitriosoodle closed 5 years ago

dimitriosoodle commented 5 years ago

Terraform Version

terraform -v
Terraform v0.12.0

Terraform Configuration Files

I change AzureAdmin to AzureAdminUsers in the following config

resource "aws_iam_policy_attachment" "AdministratorAccess-policy-attachment" {
    name       = "AdministratorAccess-policy-attachment"
    policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    groups     = []
    users      = ["blah"]
    roles      = ["Rackspace", "AzureAdminUsers"]
}

Debug Output

Crash Output

Expected Behavior

Role AzureAdmin removed, role AzureAdminUsers added

Actual Behavior

Role AzureAdmin removed, role Rackspace removed, role AzureAdminUsers added. Subsequent runs will delete AzureAdminUsers, add Rackspace, and so on.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy_attachment.AdministratorAccess-policy-attachment will be updated in-place
  ~ resource "aws_iam_policy_attachment" "AdministratorAccess-policy-attachment" {
        id         = "AdministratorAccess-policy-attachment"
        name       = "AdministratorAccess-policy-attachment"
        policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
      ~ roles      = [
          + "AzureAdminUsers",
          - "Rackspace",
          - "AzureAdmin",
        ]
        users      = [
            "blah",
        ]
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

Add/change role to an existing policy attachment with more than 2 roles attached

Additional Context

References
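
A plan-review check for the behaviour reported above, as an added example that is not part of the original issue or of Terraform's own code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and flags principals that a plan removes from an `aws_iam_policy_attachment` even though the configuration still lists them. The sample plan is constructed from the values in the report, and the check assumes root-module resources whose `roles`, `users` and `groups` are literal lists.

```python
PRINCIPAL_ATTRS = ("roles", "users", "groups")
ADDR = "aws_iam_policy_attachment.AdministratorAccess-policy-attachment"

# Constructed sample: the subset of `terraform show -json <planfile>` output
# that this check reads, filled in with the values from the report above.
SAMPLE_PLAN = {
    "resource_changes": [{
        "address": ADDR,
        "type": "aws_iam_policy_attachment",
        "change": {
            "actions": ["update"],
            "before": {"roles": ["AzureAdmin", "Rackspace"], "users": ["blah"], "groups": []},
            "after": {"roles": ["AzureAdminUsers"], "users": ["blah"], "groups": []},
        },
    }],
    "configuration": {"root_module": {"resources": [{
        "address": ADDR,
        "expressions": {
            "roles": {"constant_value": ["Rackspace", "AzureAdminUsers"]},
            "users": {"constant_value": ["blah"]},
            "groups": {"constant_value": []},
        },
    }]}},
}


def declared_principals(plan):
    """Map address -> {attr: set of literal values} for root-module resources."""
    declared = {}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        exprs = res.get("expressions", {})
        # Attributes built from references carry no constant_value; skip them.
        declared[res["address"]] = {
            attr: set(exprs[attr]["constant_value"] or [])
            for attr in PRINCIPAL_ATTRS if "constant_value" in exprs.get(attr, {})
        }
    return declared


def unexpected_removals(plan):
    """Return (address, attr, name) for principals removed but still declared."""
    declared = declared_principals(plan)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_policy_attachment":
            continue
        before = rc["change"].get("before") or {}
        after = rc["change"].get("after") or {}
        for attr in PRINCIPAL_ATTRS:
            removed = set(before.get(attr) or []) - set(after.get(attr) or [])
            kept_in_config = declared.get(rc["address"], {}).get(attr, set())
            findings += [(rc["address"], attr, n) for n in sorted(removed & kept_in_config)]
    return findings
```

On the sample, `Rackspace` is reported because it is removed while still declared; `AzureAdmin` is not, since the configuration no longer lists it.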

bflad commented 5 years ago

@dimitriosoodle which alpha version of Terraform 0.12 are you using?

apparentlymart commented 5 years ago

If roles there is a TypeSet attribute then this might be the same root cause as #19758, which has subsequently been fixed in a later version of the provider SDK than we used in the alpha builds.

dimitriosoodle commented 5 years ago

Hi,

This was pulled from master on Jan 4 with last commit 3e9c51c7268d195c4917fd455742df4fa8fdfe1c, pull request https://github.com/hashicorp/terraform/pull/19911

Compiled on Linux Mint 19 with parser from https://github.com/hashicorp/terraform/blob/master/vendor/github.com/hashicorp/hcl/hcl/parser/parser.go, golang 1.11.4 from snap

Best regards,

Dimitrios

jbardin commented 5 years ago

Hi @dimitriosoodle,

This should be working in master if you want to test it again. Thanks!

dimitriosoodle commented 5 years ago

Hi,

What is the best build environment for current master? My builds fail:

Cloning into 'terraform'...
GO111MODULE=off go get -u golang.org/x/tools/cmd/stringer
GO111MODULE=off go get -u golang.org/x/tools/cmd/cover
GO111MODULE=off go get -u github.com/golang/mock/mockgen
==> Checking that code complies with gofmt requirements...
GO111MODULE=off go get -u golang.org/x/tools/cmd/stringer
GO111MODULE=off go get -u golang.org/x/tools/cmd/cover
GO111MODULE=off go get -u github.com/golang/mock/mockgen
GOFLAGS=-mod=vendor go generate ./...
2019/03/01 22:11:23 Generated command/internal_plugin_list.go
go: downloading github.com/golang/mock v1.2.0
# go fmt doesn't support -mod=vendor but it still wants to populate the
# module cache with everything in go.mod even though formatting requires
# no dependencies, and so we're disabling modules mode for this right
# now until the "go fmt" behavior is rationalized to either support the
# -mod= argument or _not_ try to install things.
GO111MODULE=off go fmt command/internal_plugin_list.go > /dev/null
go list -mod=vendor ./... | xargs -t -n4 go test  -mod=vendor -timeout=2m -parallel=4
build flag -mod=vendor only valid when using modules
go test -mod=vendor -timeout=2m -parallel=4 
build flag -mod=vendor only valid when using modules
Makefile:35: recipe for target 'test' failed
make: *** [test] Error 123

apparentlymart commented 5 years ago

Hi @dimitriosoodle,

We released Terraform v0.12.0-beta1 yesterday from master, so the change @jbardin was referring to is included in that release, so installing the beta is probably the easiest way at this point.

dimitriosoodle commented 5 years ago

Thank you, the beta version with the dev plugin does not suffer from this issue.

mildwonkey commented 5 years ago

Fantastic! I will close this issue. Thanks for the update, @dimitriosoodle!

bkedryna commented 4 years ago

I'm seeing this issue in v0.12.13
