problems with aws_iam_policy_attachment on subsequent applications (v0.6.13-dev) #106

Closed
hashibot opened this issue Jun 13, 2017 · 2 comments
Labels: bug (Addresses a defect in current functionality.), service/iam (Issues and PRs that pertain to the iam service.)

Comments

@hashibot
This issue was originally opened by @bmurphy1976 as hashicorp/terraform#5646. It was migrated here as part of the provider split. The original body of the issue is below.

Now that hashicorp/terraform#5447 is fixed, I'm no longer seeing timeout errors when using aws_iam_policy_attachment; however, I am getting poor behavior when running terraform apply multiple times.

On first apply, everything appears to work as expected and the policy is attached to the role. However, on second and subsequent applications of apply I'm getting 404 errors:

aws_iam_policy_attachment.logcluster01-boot-BootDefault: Modifying...
  roles.#:          "6" => "1"
  roles.2330274987: "cs-testing-boot" => ""
  roles.3234134324: "logcluster01-boot" => "logcluster01-boot"
  roles.421482281:  "jenkinscluster02-boot" => ""
  roles.558085875:  "sandbox-boot" => ""
  roles.672936668:  "appcluster03-boot" => ""
  roles.706674977:  "etcdcluster01-boot" => ""
aws_iam_policy_attachment.sandbox-boot-BootDefault: Modifying...
  roles.#:          "6" => "1"
  roles.2330274987: "cs-testing-boot" => ""
  roles.3234134324: "logcluster01-boot" => ""
  roles.421482281:  "jenkinscluster02-boot" => ""
  roles.558085875:  "sandbox-boot" => "sandbox-boot"
  roles.672936668:  "appcluster03-boot" => ""
  roles.706674977:  "etcdcluster01-boot" => ""

results in errors such as:

* aws_iam_policy_attachment.logcluster01-boot-BootDefault: [WARN] Error updating user, role, or group list from IAM Policy Attachment logcluster01-boot-BootDefault:
– NoSuchEntity: Policy arn:aws:iam::SNIP:policy/BootDefault was not found.
    status code: 404, request id: 9fc3a67f-eb18-11e5-b078-db0075656f6a
* aws_iam_policy_attachment.sandbox-boot-BootDefault: [WARN] Error updating user, role, or group list from IAM Policy Attachment sandbox-boot-BootDefault:
– NoSuchEntity: Policy arn:aws:iam::SNIP:policy/BootDefault was not found.
    status code: 404, request id: 9fe251bb-eb18-11e5-8dde-d72429bbcd13

I suspect this has something to do with us attaching a single policy to multiple roles. Example policy definition here:

resource "aws_iam_policy_attachment" "logcluster01-boot-BootDefault" {
    name = "logcluster01-boot-BootDefault"
    policy_arn = "arn:aws:iam::SNIP:policy/BootDefault"
    roles = ["${aws_iam_role.logcluster01-boot.name}"]
}

I'm currently using HEAD as of 03/15/16:

$ terraform version
Terraform v0.6.13-dev (a1f77891611f47ad0c561d16a67007f4419a2358)
@radeksimko radeksimko added the bug Addresses a defect in current functionality. label Jun 16, 2017
@radeksimko radeksimko added the service/iam Issues and PRs that pertain to the iam service. label Jan 25, 2018
@bflad
Contributor

bflad commented May 3, 2018

For those finding this old issue which I'm going to close out now, we updated the aws_iam_policy_attachment resource documentation to very obviously display a big red warning message at the top. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html

WARNING: The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via some mechanism other than Terraform will have that attached policy revoked by Terraform. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead. These resources do not enforce exclusive attachment of an IAM policy.

In almost all cases we tend to highly recommend using the separate aws_iam_group_policy_attachment, aws_iam_role_policy_attachment, and aws_iam_user_policy_attachment resources.

@bflad bflad closed this as completed May 3, 2018
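To make the failure mode in the original report concrete, here is an added configuration example (not code from the issue or from the provider's documentation) that places the exclusive form beside the per-role form bflad recommends. It reuses the resource and role names visible in the plan output above; the account id is still the issue's SNIP placeholder.

```hcl
# Problematic: two exclusive attachments of the same policy. Each resource
# declares itself the complete set of principals for BootDefault, so every
# apply lets one of them strip the roles the other one added (the
# roles.#: "6" => "1" diff shown in the issue), and the two fight forever.
resource "aws_iam_policy_attachment" "logcluster01-boot-BootDefault" {
  name       = "logcluster01-boot-BootDefault"
  policy_arn = "arn:aws:iam::SNIP:policy/BootDefault"
  roles      = ["${aws_iam_role.logcluster01-boot.name}"]
}

resource "aws_iam_policy_attachment" "sandbox-boot-BootDefault" {
  name       = "sandbox-boot-BootDefault"
  policy_arn = "arn:aws:iam::SNIP:policy/BootDefault"
  roles      = ["${aws_iam_role.sandbox-boot.name}"]
}

# Corrected: one non-exclusive attachment per (role, policy) pair. Each
# resource manages only its own pair, so attaching the policy to a new role
# in one place never detaches a role managed elsewhere, and roles attached
# outside Terraform are left alone instead of being silently revoked.
resource "aws_iam_role_policy_attachment" "logcluster01-boot-BootDefault" {
  role       = "${aws_iam_role.logcluster01-boot.name}"
  policy_arn = "arn:aws:iam::SNIP:policy/BootDefault"
}

resource "aws_iam_role_policy_attachment" "sandbox-boot-BootDefault" {
  role       = "${aws_iam_role.sandbox-boot.name}"
  policy_arn = "arn:aws:iam::SNIP:policy/BootDefault"
}
```

A quick review check for this class of bug: if the same policy_arn appears in more than one aws_iam_policy_attachment resource anywhere in the account's configuration, the plan will never converge.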
@ghost
ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020