terraform-aws-modules / terraform-aws-dms

Terraform module to create AWS DMS (Database Migration Service) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/dms/aws
Apache License 2.0

IAM role names are hardcoded in main.tf #67

Closed AhmedMItman closed 1 month ago

AhmedMItman commented 1 month ago

Description

We have set up DMS in multiple folders, and each folder should deal with different RDS(s) with different DMS endpoints. The first folder's apply went successfully, as Terraform created roles in AWS with the names dms-access-for-endpoint and dms-cloudwatch-logs-role. While applying the second folder, Terraform produced a conflict error saying the IAM roles already exist, although we're already passing access_iam_role_name with a value and access_iam_role_use_name_prefix is already set to true.

Here is the exact error:

│ Error: creating IAM Role (dms-access-for-endpoint): operation error IAM: CreateRole, https response error StatusCode: 409, RequestID: f80e800a-673e-4ec2-a7fd-032055c61c73, EntityAlreadyExists: Role with name dms-access-for-endpoint already exists.
│
│   with aws_iam_role.dms_access_for_endpoint[0],
│   on main.tf line 80, in resource "aws_iam_role" "dms_access_for_endpoint":
│   80: resource "aws_iam_role" "dms_access_for_endpoint" {
│
╵
╷
│ Error: creating IAM Role (dms-cloudwatch-logs-role): operation error IAM: CreateRole, https response error StatusCode: 409, RequestID: bd90c51c-6e63-4b75-9de2-7f180b963c69, EntityAlreadyExists: Role with name dms-cloudwatch-logs-role already exists.
│
│   with aws_iam_role.dms_cloudwatch_logs_role[0],
│   on main.tf line 94, in resource "aws_iam_role" "dms_cloudwatch_logs_role":
│   94: resource "aws_iam_role" "dms_cloudwatch_logs_role" {
│
╵
╷
│ Error: creating IAM Role (dms-vpc-role): operation error IAM: CreateRole, https response error StatusCode: 409, RequestID: 5955f20d-a5b3-459c-9fbf-cc9234213fc9, EntityAlreadyExists: Role with name dms-vpc-role already exists.

What is expected

We expected that the IAM roles would differ once we're already passing the required inputs such as access_iam_role_name and access_iam_role_use_name_prefix.

Steps to reproduce the behavior

We've found that the names are hardcoded and the prefix is not applied, as shown in the block below:

resource "aws_iam_role" "dms_access_for_endpoint" {
  count = var.create && var.create_iam_roles ? 1 : 0

  name                  = "dms-access-for-endpoint"
  description           = "DMS IAM role for endpoint access permissions"
  permissions_boundary  = var.iam_role_permissions_boundary
  assume_role_policy    = data.aws_iam_policy_document.dms_assume_role[0].json
  managed_policy_arns   = ["arn:${local.partition}:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"]
  force_detach_policies = true

  # https://github.com/hashicorp/terraform-provider-aws/issues/11025#issuecomment-660059684
  provisioner "local-exec" {
    command = "sleep 10"
  }

  tags = merge(var.tags, var.iam_role_tags)
}

# DMS CloudWatch Logs
resource "aws_iam_role" "dms_cloudwatch_logs_role" {
  count = var.create && var.create_iam_roles ? 1 : 0

  name                  = "dms-cloudwatch-logs-role"
  description           = "DMS IAM role for CloudWatch logs permissions"
  permissions_boundary  = var.iam_role_permissions_boundary
  assume_role_policy    = data.aws_iam_policy_document.dms_assume_role[0].json
  managed_policy_arns   = ["arn:${local.partition}:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"]
  force_detach_policies = true

  # https://github.com/hashicorp/terraform-provider-aws/issues/11025#issuecomment-660059684
  provisioner "local-exec" {
    command = "sleep 10"
  }

  tags = merge(var.tags, var.iam_role_tags)
}

Don't we need to make the names in the resources variable?

bryantbiggs commented 1 month ago

I would suggest reading through the docs https://docs.aws.amazon.com/dms/latest/userguide/security-iam.html#CHAP_Security.APIRole
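The linked page is the point: DMS looks up dms-vpc-role, dms-cloudwatch-logs-role and dms-access-for-endpoint by those exact names, so they are account-wide singletons, not per-stack resources, and the module exposes that through the create_iam_roles input seen in the quoted main.tf. As an added example (not from the issue or the module's own docs), one folder creates the roles once and every other folder reuses them and verifies they exist before planning anything else; the module version pin, the boundary policy ARN and the account id are assumed placeholders, and the replication-instance, endpoint and task inputs each folder needs are left out.

```hcl
# Folder 1 (shared): creates the three DMS service roles exactly once.
module "dms_shared" {
  source  = "terraform-aws-modules/dms/aws"
  version = "~> 2.0" # assumption: pin to the version you actually run

  create_iam_roles = true

  # Both inputs appear in the quoted main.tf; the ARN below is a placeholder.
  iam_role_permissions_boundary = "arn:aws:iam::123456789012:policy/dms-boundary"
  iam_role_tags                 = { managed-by = "terraform", stack = "dms-shared" }

  # ... replication instance, endpoints and tasks for this folder ...
}

# Folder 2 (and every later one): reuse the account-wide roles instead of
# recreating them, which is what produced the EntityAlreadyExists 409s.
# The data lookups fail the plan with a clear message if folder 1 has not
# been applied yet, instead of surfacing as a DMS permission error at runtime.
data "aws_iam_role" "dms_vpc" {
  name = "dms-vpc-role"
}

data "aws_iam_role" "dms_cloudwatch_logs" {
  name = "dms-cloudwatch-logs-role"
}

data "aws_iam_role" "dms_access_for_endpoint" {
  name = "dms-access-for-endpoint"
}

module "dms_folder_two" {
  source  = "terraform-aws-modules/dms/aws"
  version = "~> 2.0"

  create_iam_roles = false

  # ... replication instance, endpoints and tasks for this folder ...

  depends_on = [
    data.aws_iam_role.dms_vpc,
    data.aws_iam_role.dms_cloudwatch_logs,
    data.aws_iam_role.dms_access_for_endpoint,
  ]
}
```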

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.