
leftover module module.iam_user in state that should have been removed; this is a bug in Terraform and should be reported #23866

Closed mmshaikh88 closed 4 years ago

mmshaikh88 commented 4 years ago

Terraform Version

Terraform v0.12.19
+ provider.aws v2.44.0

Terraform Configuration Files


main.tf:
-------
# AWS provider; the region comes from the caller.  Pinning the provider inside
# the provider block is the Terraform 0.12 form (0.13+ moves this to
# required_providers).  "~> 2.20" accepts any 2.x release from 2.20 up, so a
# narrower constraint makes provider upgrades a deliberate, reviewed change.
provider "aws" {
  version = "~> 2.20"
  region  = var.region
}

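# Remote state in S3.  The state for this configuration will hold whatever the
# iam-user module writes for test.user (presumably an initial password and
# access key -- PGP-encrypted, but still persisted), so server-side encryption
# of the state object is turned on here.  The s3 backend also requires `key`,
# which is not shown in the issue; it is presumably supplied through
# `-backend-config` or was redacted.  A `dynamodb_table` for state locking is
# recommended as well but is not added here because no table name is known.
terraform {
  backend "s3" {
    bucket  = "bucket-location"
    region  = "us-west-2"
    encrypt = true
  }
}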

# Not all of these are used yet
# Naming prefixes and shared tags derived from the input variables.
# (Not all of these are referenced yet.)
locals {
  env_orig = var.environment

  # First five characters of the environment name.  The min() guard keeps
  # substr() from being asked for more characters than the string contains.
  env_short = substr(local.env_orig, 0, min(length(local.env_orig), 5))

  # <service>-<env>-<ver>, <team>-<env>-<service>-<ver>, <env>-<service>-<ver>
  name_prefix      = join("-", [var.service, local.env_short, var.ver])
  tesv_name_prefix = join("-", [var.team, local.env_short, var.service, var.ver])
  esv_name_prefix  = join("-", [local.env_short, var.service, var.ver])

  # Tags applied to resources that opt in to them.
  common_tags = {
    Terraform   = "true"
    team        = var.team
    environment = var.environment
    service     = var.service
    version     = var.ver
  }
}

# Identity of the credentials running Terraform (account, ARN, user id).
data "aws_caller_identity" "current" {}

# Account the credentials belong to.  Outputs are written to state and printed
# by `terraform apply`; the account id is not a secret but is useful to an
# attacker for targeting, so avoid echoing it into shared CI logs needlessly.
output "account_id" {
  description = "AWS account id of the caller"
  value       = data.aws_caller_identity.current.account_id
}

# ARN of the principal running Terraform (user or assumed role).
output "caller_arn" {
  description = "ARN of the calling identity"
  value       = data.aws_caller_identity.current.arn
}

# Unique id of the calling principal.
output "caller_user" {
  description = "Unique id of the calling identity"
  value       = data.aws_caller_identity.current.user_id
}

group-users.tf:
---------------
# Group every ordinary user is placed in; the policies attached below
# (PowerUserAccess plus the customer-managed MFA/self-service policies) apply
# to all of its members.
resource "aws_iam_group" "users" { name = "users" }

# Customer-managed policy loaded verbatim from the repository.  The JSON is not
# part of this listing; review it separately, since it is attached to the
# "users" group on top of the AWS-managed PowerUserAccess policy.
resource "aws_iam_policy" "dev_poweruser" {
  policy      = file("policy-json-files/managed/dev-poweruser.json")
  description = "signing dev_poweruser policy."
  path        = "/"
  name        = "dev_poweruser"
}

# Self-service policy: lets a user list the policies on their own IAM user.
# Policy document lives in the repository; contents not visible here.
resource "aws_iam_policy" "list_own_user_policy" {
  policy      = file("policy-json-files/managed/list-own-user-policy.json")
  description = " Allow user to list user policy for their own user "
  path        = "/"
  name        = "list_own_user_policy"
}

# Self-service policy: account management on the caller's own user, gated on
# MFA according to its description.  The JSON is loaded from the repository and
# is not visible here.
resource "aws_iam_policy" "manage_own_account_with_MFA" {
  policy      = file("policy-json-files/managed/manage-own-account-with-MFA.json")
  description = " Allows user to manage own account provided they are using MFA "
  path        = "/"
  name        = "manage_own_account_with_MFA"
}

# Self-service policy: lets a user change their own console password.
# Policy document lives in the repository; contents not visible here.
resource "aws_iam_policy" "manage_own_password" {
  policy      = file("policy-json-files/managed/manage-own-password.json")
  description = " Customer manage own password "
  path        = "/"
  name        = "manage_own_password"
}

# MFA enforcement policy.  Its description says members may only manage their
# own password/MFA devices until they authenticate with MFA.  Because the same
# group also receives PowerUserAccess, that guarantee holds only if this JSON
# contains an explicit Deny conditioned on aws:MultiFactorAuthPresent (an
# explicit Deny overrides the managed Allow); the document is not visible here,
# so confirm that before relying on it.
resource "aws_iam_policy" "Force_MFA" {
  policy      = file("policy-json-files/managed/Force_MFA.json")
  description = " This policy allows users to manage their own passwords and MFA devices but nothing else unless they authenticate with MFA "
  path        = "/"
  name        = "Force_MFA"
}

# Every member of "users" gets the AWS-managed PowerUserAccess policy (broad
# access to all services except IAM/Organizations/account management).  This
# is the largest grant in the group; MFA gating depends entirely on the
# Force_MFA attachment below.
resource "aws_iam_group_policy_attachment" "PowerUserAccess_users" {
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
  group      = aws_iam_group.users.name
}

# Attach the customer-managed dev_poweruser policy to the "users" group.
resource "aws_iam_group_policy_attachment" "dev_poweruser_users" {
  policy_arn = aws_iam_policy.dev_poweruser.arn
  group      = aws_iam_group.users.name
}

# Attach the list_own_user_policy self-service policy to the "users" group.
resource "aws_iam_group_policy_attachment" "list_own_user_policy_users" {
  policy_arn = aws_iam_policy.list_own_user_policy.arn
  group      = aws_iam_group.users.name
}

# Attach the manage_own_account_with_MFA self-service policy to "users".
resource "aws_iam_group_policy_attachment" "manage_own_account_with_MFA_users" {
  policy_arn = aws_iam_policy.manage_own_account_with_MFA.arn
  group      = aws_iam_group.users.name
}

# Attach the manage_own_password self-service policy to the "users" group.
resource "aws_iam_group_policy_attachment" "manage_own_password_users" {
  policy_arn = aws_iam_policy.manage_own_password.arn
  group      = aws_iam_group.users.name
}

# Attach the Force_MFA policy to the "users" group.  This is the attachment
# that is meant to gate PowerUserAccess behind MFA for ordinary users.
resource "aws_iam_group_policy_attachment" "Force_MFA_users" {
  policy_arn = aws_iam_policy.Force_MFA.arn
  group      = aws_iam_group.users.name
}

group-engops-admin.tf:
-------------------------
# Administrative group.  Membership here is the high-value grant in this
# configuration; keep it small and auditable.
resource "aws_iam_group" "engops_admin" { name = "EngOps_Admin" }

# Full AdministratorAccess for EngOps_Admin members.  Note that nothing in this
# listing attaches the Force_MFA policy to this group, so admin members are not
# MFA-gated by this configuration unless they are also in "users".
resource "aws_iam_group_policy_attachment" "AdministratorAccess" {
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  group      = aws_iam_group.engops_admin.name
}

test_user.tf:
------------
#########################################
# IAM user, login profile and access key
#########################################

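# Whether test.user is also placed in the EngOps_Admin group (AdministratorAccess).
# Kept as the string "true"/"false" because the membership resource compares it
# against the literal "true"; the type is pinned so a bool or number cannot be
# passed and silently compare unequal.  Defaulting to "true" hands a test
# account full admin rights unless the caller opts out -- least privilege
# would default this to "false" and require an explicit opt-in.
variable "admin_user_test_user" {
  description = "Set to \"true\" to add test.user to the EngOps_Admin (AdministratorAccess) group"
  type        = string
  default     = "true"
}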

# IAM user created through the public terraform-aws-modules iam-user submodule.
# "~> 2.0" accepts any 2.x release, so the module code can change between runs
# (Terraform 0.12 keeps no lock file for modules); pin an exact version for a
# reproducible supply chain.
# NOTE(review): the original comment pointed at keybase.io/test/pgp_keys.asc
# while pgp_key names the Keybase user "mscradlepoint" -- confirm which
# identity the generated credentials are meant to be encrypted to.
module "iam_user_test_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "~> 2.0"

  name = "test.user"

  # Credentials the module generates are encrypted to this Keybase user's key.
  pgp_key = "keybase:mscradlepoint"

  # The initial password is not forced to be changed at first login, so the
  # PGP-encrypted value in state presumably stays valid until rotated by hand.
  password_reset_required = false

  # No SSH public key is registered for this user.
  upload_iam_user_ssh_key = false
  # ssh_public_key = ""

  # Lets `terraform destroy` remove the user even with credentials or MFA
  # devices still attached (presumably passed through to aws_iam_user).
  force_destroy = true
}

# test.user is always a member of the "users" group (PowerUserAccess + MFA
# self-service policies).
resource "aws_iam_user_group_membership" "test_user_user" {
  groups = [aws_iam_group.users.name]
  user   = module.iam_user_test_user.this_iam_user_name
}

# Optional EngOps_Admin membership for test.user, toggled by the string
# variable admin_user_test_user.  Only the exact string "true" enables it;
# anything else (including a bool) yields count = 0 with no warning.
resource "aws_iam_user_group_membership" "test_user_engops_admin" {
  count = var.admin_user_test_user == "true" ? 1 : 0

  groups = [aws_iam_group.engops_admin.name]
  user   = module.iam_user_test_user.this_iam_user_name
}

Debug Output

Crash Output

Error: leftover module module.iam_user_test_user in state that should have been removed; this is a bug in Terraform and should be reported

Expected Behavior

The resources created by `module.iam_user_test_user` should have been destroyed and the module removed from state once `test_user.tf` was deleted from the configuration.

Actual Behavior

`terraform plan` (and `apply`) fails with the error shown under Crash Output instead of removing the module's resources from state.

Steps to Reproduce

1. Configuration initially worked with Terraform 0.12.13 without any error.
2. Download Terraform 0.12.19 and set it as the default `terraform` binary.
3. `terraform init`, `terraform 0.12upgrade`, `terraform validate`.
4. Add the `test_user.tf` file shown above.
5. `terraform init`, `terraform plan`, `terraform apply`.
6. Remove `test_user.tf`.
7. `terraform plan`, `terraform apply` — the error appears.

Additional Context

References

https://github.com/terraform-aws-modules/terraform-aws-iam

hashibot commented 4 years ago

Duplicate of #23821

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.