Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update permission boundary on an IAM role with a non existing policy does catch NoSuchEntity error but updates the tfstate #15246

Closed
TanguyCme opened this issue Sep 21, 2020 · 4 comments
Closed

update permission boundary on an IAM role with a non existing policy does catch NoSuchEntity error but updates the tfstate #15246

TanguyCme opened this issue Sep 21, 2020 · 4 comments
Assignees
@gdavison
Labels
service/iam Issues and PRs that pertain to the iam service. stale Old or inactive issues managed by automation, if no further action taken these will get closed. upstream-terraform Addresses functionality related to the Terraform core binary.

Comments

@TanguyCme
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

terraform version: 12.24

Affected Resource(s)

  • aws_iam_role

Terraform Configuration Files

First Apply

provider "aws" {
  version = "3.7.0"
  region  = "us-east-1"
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

# permissions_boundary="arn:aws:iam::XXXXXXX:policy/test"

  tags = {
    tag-key = "tag-value"
  }
}

tfstate

{
  "version": 4,
  "terraform_version": "0.12.24",
  "serial": 4,
  "lineage": "",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "aws_iam_role",
      "name": "test_role",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "arn": "arn:aws:iam::XXXXXXX:role/test_role",
            "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}",
            "create_date": "2020-09-21T15:16:55Z",
            "description": "",
            "force_detach_policies": false,
            "id": "test_role",
            "max_session_duration": 3600,
            "name": "test_role",
            "name_prefix": null,
            "path": "/",
            "permissions_boundary": null,
            "tags": {
              "tag-key": "tag-value"
            },
            "unique_id": "XXXXXXXXXXXXX"
          }
        }
      ]
    }
  ]
}

Second Apply

provider "aws" {
  version = "3.7.0"
  region  = "us-east-1"
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

permissions_boundary="arn:aws:iam::XXXXXXX:policy/test" #This policy does not exists

  tags = {
    tag-key = "tag-value"
  }
}

Output

Error: Error creating IAM Role test_role: NoSuchEntity: Scope ARN: arn:aws:iam::XXXXXXX:policy/test does not exist or is not attachable.
	status code: 404, request id: 82ce333a-7fa6-4e36-bbcf-91699f33efe7

Expected Behavior

The terraform state remains unmodified

Actual Behavior

The terraform state now contains:

{
  "version": 4,
  "terraform_version": "0.12.24",
  "serial": 4,
  "lineage": "",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "aws_iam_role",
      "name": "test_role",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "arn": "arn:aws:iam::XXXXXXX:role/test_role",
            "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}",
            "create_date": "2020-09-21T15:16:55Z",
            "description": "",
            "force_detach_policies": false,
            "id": "test_role",
            "max_session_duration": 3600,
            "name": "test_role",
            "name_prefix": null,
            "path": "/",
            "permissions_boundary": "arn:aws:iam::XXXXXXX:policy/test",
            "tags": {
              "tag-key": "tag-value"
            },
            "unique_id": "XXXXXXXXXXXXX"
          }
        }
      ]
    }
  ]
}

The object in the state should not have the reference to a permission boundary since the first apply has failed and no resource has been modified on AWS, in our case, a third apply works fine and see no changes even if the permission boundary may now exist.

Steps to Reproduce

  1. terraform init with a file named main.tf
  2. terraform apply with the first code
  3. terraform apply with the second code, you see the error but the state is updated
  4. terraform apply again with the same code, no error is shown as if the permission boundary is set but not in reality.
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Sep 21, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 21, 2020
@gdavison
Copy link
Contributor

Hi @TanguyCme, thanks for raising this issue. This is an error in our shared Terraform Plugin SDK hashicorp/terraform-plugin-sdk#476.

Is this issue having an impact on your Terraform workflows?

@gdavison gdavison added upstream-terraform Addresses functionality related to the Terraform core binary. waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 23, 2020
@gdavison gdavison self-assigned this Sep 23, 2020
@TanguyCme
Copy link
Author

hi @gdavison. Thanks for your response, I've found a workaround with little modification on the aws-provider code, I was willing to submit a PR with the changes but regarding the link above it may not be relevant?
FYI I've tested the change by my side (change on resourceAwsIamRoleUpdate function) and it worked like a charm.

I will qualify the impact as low since no production system is impacted, but I was still surprised by this behavior.

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 23, 2020
TanguyCme pushed a commit to TanguyCme/terraform-provider-aws that referenced this issue Sep 23, 2020
fix issue hashicorp#15246
4030c48
@TanguyCme TanguyCme mentioned this issue Sep 23, 2020
Closed
@github-actions
Copy link

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 14, 2022
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 14, 2022
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@gdavison gdavison

Labels
service/iam Issues and PRs that pertain to the iam service. stale Old or inactive issues managed by automation, if no further action taken these will get closed. upstream-terraform Addresses functionality related to the Terraform core binary.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix issue #15246 TanguyCme/terraform-provider-aws
2 participants
@gdavison @TanguyCme