Open sjourdan opened 3 years ago
Description
Without changing anything, 0.9.1 doesn't detect a drift, while >=0.10.0 (up to 0.13.0 w/deep mode) does detect one.
```
Found changed resources:
  - b (aws_iam_role):
    ~ inline_policy.0.name: "" => "policy_a"
    ~ inline_policy.0.policy: "" => "{\"Statement\":[{\"Action\":[\"ec2:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}],\"Version\":\"2012-10-17\"}"
```
Low priority, as it's the experimental deep mode.
Environment
How to reproduce
```hcl
resource "aws_iam_role" "b" {
  name = "b"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

resource "aws_iam_policy" "b" {
  name        = "b"
  path        = "/"
  description = "bbb"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role_policy_attachment" "attach-1" {
  role       = aws_iam_role.b.name
  policy_arn = aws_iam_policy.b.arn
}
```
Possible Solution
@eliecharra says: _these fields should be ignored since we create a dedicated `aws_iam_role_policy` resource_
Additional context
This is a new field in AWS provider version 3.29.1.
We should implement a middleware to expand inline_policy fields in aws_iam_role_policy resource and then delete inline_policy field from the role
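A sketch of the normalization proposed above, as an added example that is not part of the original issue and not driftctl's own code. The `Resource` struct and `ExpandInlinePolicies` function are hypothetical simplifications; the only provider behaviour assumed is that an `aws_iam_role_policy` ID has the form `<role>:<policy name>`.

```go
package main

import "fmt"

// Resource is a simplified, hypothetical stand-in for a scanned or state resource.
type Resource struct {
	Type  string
	ID    string
	Attrs map[string]interface{}
}

// ExpandInlinePolicies moves every inline_policy entry of an aws_iam_role into
// its own aws_iam_role_policy resource, then deletes the field from the role.
func ExpandInlinePolicies(in []*Resource) []*Resource {
	seen := map[string]bool{}
	for _, r := range in {
		if r.Type == "aws_iam_role_policy" {
			seen[r.ID] = true
		}
	}
	out := append([]*Resource{}, in...)
	for _, r := range in {
		if r.Type != "aws_iam_role" {
			continue
		}
		policies, _ := r.Attrs["inline_policy"].([]map[string]string)
		delete(r.Attrs, "inline_policy")
		for _, p := range policies {
			id := r.ID + ":" + p["name"] // Terraform ID format: <role>:<policy>
			if p["name"] == "" || seen[id] {
				continue // empty entry, or already tracked as its own resource
			}
			seen[id] = true
			out = append(out, &Resource{Type: "aws_iam_role_policy", ID: id,
				Attrs: map[string]interface{}{"role": r.ID, "name": p["name"], "policy": p["policy"]}})
		}
	}
	return out
}

func main() {
	// Constructed sample mirroring the "policy_a" entry from the drift output above.
	role := &Resource{Type: "aws_iam_role", ID: "b", Attrs: map[string]interface{}{
		"inline_policy": []map[string]string{{"name": "policy_a", "policy": `{"Version":"2012-10-17"}`}}}}
	for _, r := range ExpandInlinePolicies([]*Resource{role}) {
		fmt.Println(r.Type, r.ID)
	}
}
```

Applying the same pass to both the state side and the remote side leaves the role without an `inline_policy` attribute on either, so any difference is reported on the `aws_iam_role_policy` resource only.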