hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

aws_iam_instance_profile - diffs didn't match during apply #7590

Closed aboutte closed 7 years ago

aboutte commented 8 years ago

Terraform Version

0.6.16

Affected Resource(s)

Please list the resources as a list, for example:

main.tf

provider "aws" {
  region = "us-west-2"
}

resource "template_file" "ec2-assumerole" {
  template = "${file("${path.module}/templates/assume_role_policy.json.tpl")}"
  vars {
    aws_service = "ec2.amazonaws.com"
  }
}

resource "template_file" "radar-iam-access" {
  template = "${file("${path.module}/templates/iam-access.json.tpl")}"
  vars {
    region = "us-west-2"
  }
}

resource "aws_iam_role" "radar-iam-role" {
  name = "radar-iam-role-${uuid()}"
  assume_role_policy = "${template_file.ec2-assumerole.rendered}"
}

resource "aws_iam_role_policy" "radar-iam-policy" {
  name = "radar-iam-policy"
  role = "${aws_iam_role.radar-iam-role.id}"
  policy = "${template_file.radar-iam-access.rendered}"
}

resource "aws_iam_instance_profile" "radar-iam-instance-profile" {
  name = "radar-iam-instance-profile-${uuid()}"
  roles = ["${aws_iam_role.radar-iam-role.name}"]
}

assume_role_policy.json.tpl

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "${aws_service}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

iam-access.json.tpl

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::nws-cft/*",
        "arn:aws:s3:::us-west-2-411815166437-secrets/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks"
      ],
      "Resource": "arn:aws:cloudformation:*:485163870539:stack/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Debug Output

Error applying plan:

1 error(s) occurred:

* aws_iam_instance_profile.radar-iam-instance-profile: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Please include the following information in your report:

    Terraform Version: 0.6.16
    Resource ID: aws_iam_instance_profile.radar-iam-instance-profile
    Mismatch reason: attribute mismatch: roles.630858250
    Diff One (usually from plan): *terraform.InstanceDiff{Attributes:map[string]*terraform.ResourceAttrDiff{"create_date":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "unique_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-instance-profile-4296c65b-ccb1-6c3e-f58d-724f3d994ca4", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Type:0x0}, "path":*terraform.ResourceAttrDiff{Old:"", New:"/", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Type:0x0}, "roles.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "roles.630858250":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-role-74186501-7ff2-54eb-fb48-d97b3053daf2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}}, Destroy:false, DestroyTainted:false}
    Diff Two (usually from apply): *terraform.InstanceDiff{Attributes:map[string]*terraform.ResourceAttrDiff{"arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "create_date":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "unique_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-instance-profile-2044e102-5e45-8293-ed86-f5887c6a7c01", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Type:0x0}, "path":*terraform.ResourceAttrDiff{Old:"", New:"/", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Type:0x0}, "roles.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}, "roles.1182400066":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-role-4d2a7bd6-ef4c-1f12-3e0d-773668128721", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Type:0x0}}, Destroy:false, DestroyTainted:false}

Expected Behavior

I was expecting terraform to create me an IAM role with a unique name and with a prefix of radar-iam-role. I would like multiple users to be able to use this snippet of code and not have resource name collisions. I know I can name space these resources with things like ${environment}, ${application}, ${username} but was hoping to use uuid so I didn't have to think about it.

Actual Behavior

Error shown above.

Steps to Reproduce

  1. terraform apply

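To make the "Mismatch reason" in the debug output above easier to read, here is an added example (not part of the original report and not Terraform's own code) that parses the two InstanceDiff dumps and lists the attributes on which they disagree. The function names are hypothetical, and the sample dumps are trimmed from the ones in the report to four attributes with the trailing fields shortened.

```python
import re

# One entry of the Go-formatted attribute map inside a terraform.InstanceDiff dump.
ATTR_RE = re.compile(
    r'"(?P<key>[^"]+)":\*terraform\.ResourceAttrDiff\{'
    r'Old:"(?P<old>[^"]*)", New:"(?P<new>[^"]*)", '
    r'NewComputed:(?P<computed>true|false)'
)

def parse_instance_diff(dump):
    """Return {attribute: (new_value, new_computed)} for one dump."""
    return {m["key"]: (m["new"], m["computed"] == "true")
            for m in ATTR_RE.finditer(dump)}

def compare_diffs(plan_dump, apply_dump):
    """Classify how the plan-time and apply-time diffs disagree."""
    plan = parse_instance_diff(plan_dump)
    apply_ = parse_instance_diff(apply_dump)
    shared = plan.keys() & apply_.keys()
    return {
        # Set elements are keyed per element, so a different role name
        # shows up as a different "roles.<n>" key, not as a changed value.
        "only_in_plan": sorted(plan.keys() - apply_.keys()),
        "only_in_apply": sorted(apply_.keys() - plan.keys()),
        # Computed attributes are unknown until apply; skip them.
        "changed": sorted(k for k in shared
                          if not plan[k][1] and plan[k][0] != apply_[k][0]),
    }

# Sample input: trimmed from the "Diff One" / "Diff Two" lines in the report.
PLAN_DUMP = (
    '*terraform.InstanceDiff{Attributes:map[string]*terraform.ResourceAttrDiff{'
    '"arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false}, '
    '"name":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-instance-profile-4296c65b-ccb1-6c3e-f58d-724f3d994ca4", NewComputed:false, NewRemoved:false}, '
    '"roles.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false}, '
    '"roles.630858250":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-role-74186501-7ff2-54eb-fb48-d97b3053daf2", NewComputed:false, NewRemoved:false}}}'
)
APPLY_DUMP = (
    '*terraform.InstanceDiff{Attributes:map[string]*terraform.ResourceAttrDiff{'
    '"arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false}, '
    '"name":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-instance-profile-2044e102-5e45-8293-ed86-f5887c6a7c01", NewComputed:false, NewRemoved:false}, '
    '"roles.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false}, '
    '"roles.1182400066":*terraform.ResourceAttrDiff{Old:"", New:"radar-iam-role-4d2a7bd6-ef4c-1f12-3e0d-773668128721", NewComputed:false, NewRemoved:false}}}'
)

if __name__ == "__main__":
    print(compare_diffs(PLAN_DUMP, APPLY_DUMP))
```

The only disagreements are the two values built from `${uuid()}`: the profile `name` and the single `roles` element, which matches the reported `attribute mismatch: roles.630858250`.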
mitchellh commented 7 years ago

Hello! This should be fixed in later versions of Terraform (0.7.11 at time of writing).

It's hard to know 100% for a couple reasons:

Please try again! If the issue persists please just open a new issue. Thanks!

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.