
provider/aws : IAM policy attachment/detach bug ? #133

Closed
hashibot opened this issue Jun 13, 2017 · 4 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.

Comments

@hashibot

This issue was originally opened by @saswatp as hashicorp/terraform#6045. It was migrated here as part of the provider split. The original body of the issue is below.


I have an AWS policy ARN and I am attaching a role to that policy. Since the policy is a global policy (arn:aws:iam::aws:policy/AmazonS3FullAccess), there are some other users also associated with that policy (not through Terraform). In my plan and apply, I am not explicitly attaching a particular user.

When I detach the role from the policy, Terraform detaches users associated with that policy. So, the bug is: we don't explicitly attach users to a policy, however when we detach a role from the policy we also detach users that we didn't attach in the first place. I tried to hack around it by providing a null value for user, assuming that when I detach, it won't detach other users as the user I am associating is null. That failed, as a "" user can't be attached in the first place (doesn't exist).

Detaching an IAM policy detaches users attached to that policy

```hcl
resource "aws_iam_policy_attachment" "management-host-policy-attach" {
  name       = "${var.service}-management-attachment"
  roles      = ["${aws_iam_role.management-instance-role.name}"]
  //users    = ["${var.iam_users}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
  lifecycle {
    create_before_destroy = true
  }
}
```

terraform version
Terraform v0.6.15-dev (b20f680cbf0505825e6ae173c5986243683d8eb3)

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@foragerr
Contributor

⚠️ ⚠️ ⚠️ ❗️ PSA:

Terraform removes attachments that are not Terraform-managed; this is hugely disruptive and downright dangerous to use in a live environment. Folks should probably stick with using aws_iam_role_policy_attachment instead of aws_iam_policy_attachment.

@garbelini

aws_iam_policy_attachment as it is implemented today is insanely dangerous and should be either fixed to not touch attachments it never knew about or removed from terraform.

@bflad
Contributor

bflad commented May 3, 2018

For those finding this old issue which I'm going to close out now, we updated the resource documentation to very obviously display a big red warning message at the top. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html

WARNING: The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via some mechanism other than Terraform will have that attached policy revoked by Terraform. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead. These resources do not enforce exclusive attachment of an IAM policy.

In almost all cases we tend to highly recommend using the separate aws_iam_group_policy_attachment, aws_iam_role_policy_attachment, and aws_iam_user_policy_attachment resources.

@bflad bflad closed this as completed May 3, 2018
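As an added illustration (not code from the issue or from the provider's documentation), the exclusive resource from the report is shown beside its non-exclusive replacements in current (0.12+) HCL syntax. `var.service`, `aws_iam_role.management-instance-role` and `var.iam_users` are taken from the issue; the resource names `management-host-s3` and `s3_users` and the assumption that `var.iam_users` is a `set(string)` of user names are mine.

```hcl
# BEFORE: aws_iam_policy_attachment claims *every* attachment of this policy
# in the account. On apply it detaches any user, group or role attached to
# AmazonS3FullAccess outside this block, which is the behaviour reported above.
resource "aws_iam_policy_attachment" "management-host-policy-attach" {
  name       = "${var.service}-management-attachment"
  roles      = [aws_iam_role.management-instance-role.name]
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

# AFTER: aws_iam_role_policy_attachment manages exactly one (role, policy)
# pair. Attachments of the same policy to other users, groups or roles,
# whether created by hand or by another Terraform state, are left alone.
resource "aws_iam_role_policy_attachment" "management-host-s3" {
  role       = aws_iam_role.management-instance-role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

# The same pattern for users: one resource instance per (user, policy) pair
# via for_each, so removing one name from var.iam_users detaches only that
# user. (Assumption: var.iam_users is a set(string) of IAM user names.)
resource "aws_iam_user_policy_attachment" "s3_users" {
  for_each   = toset(var.iam_users)
  user       = each.value
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
```

Before destroying or migrating an existing `aws_iam_policy_attachment`, `aws iam list-entities-for-policy --policy-arn <arn>` lists every user, group and role currently attached to the policy, which is exactly the set the exclusive resource would revoke.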
@ghost

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020