aws_iam_role : "must detach all policies first" when changing role path even with force_detach_policies = true

[ebarault]

Terraform Version

Terraform v0.11.2
AWS provider 1.7.1

Affected Resource(s)

• aws_iam_role

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "aws_iam_role" "role" {
    name        = "my_name"
    path        = "/my/path/"

    force_detach_policies = true

    assume_role_policy =
<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.account_id}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "policies_by_arns" {
    count      = "${length(var.policy_arns)}"
    role       = "${aws_iam_role.role.name}"
    policy_arn = "${var.policy_arns[count.index]}"
}

Expected Behavior

when changing aws_iam_role.path, the policies should be detached, then the role destroyed and created again

Actual Behavior

1 error(s) occurred:
* aws_iam_role.role (destroy): 1 error(s) occurred:
* aws_iam_role.role: DeleteConflict: Cannot delete entity, must detach all policies first.

References

Possibly linked
#2279

[bflad]

@ebarault do you happen to have debug log output here and does this happen consistently for you? I'm thinking this doesn't have anything to do with updating the path specifically (that should just cause a regular destroy/create), but maybe we need to adjust the eventual consistency retry time currently present here: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_iam_role.go#L326

[bflad]

It's also unfortunate that the AWS API does not support updating an IAM role path (unlike IAM groups and users). 😄

[FireballDWF]

I just encountered same issue with aws_provider 1.8.0, with only change to the resource was defining the path.

[FireballDWF]

Reproduced the problem with TF_LOG=DEBUG. Willing to send logs directly to a developer or troubleshooter, but do not want to post publicly.

[rodush]

Similar type of error, but I am trying to add tags to aws_iam_role resource:

resource "aws_iam_role" "ecs_task_role" {
  name        = "${var.service_name}-task-role-${var.environment}"
  description = "Main role for the ${var.service_name} tasks."

  force_detach_policies = true

  assume_role_policy = "${data.aws_iam_policy_document.ecs_task_assume_role.json}"

  tags = "${local.tags}"
}

And the error I see:

2 error(s) occurred:

* aws_iam_role.task_role (destroy): 1 error(s) occurred:

* aws_iam_role.task_role: DeleteConflict: Cannot delete entity, must detach all policies first.
	status code: 409, request id: 164XXXXX-a711-......
* aws_iam_role.ecs_task_role: 1 error(s) occurred:

* aws_iam_role.ecs_task_role: Error creating IAM Role live-chat-task-role-dev: EntityAlreadyExists: Role with name live-chat-task-role-dev already exists.
	status code: 409, request id: 043XXXXX-a711-.....

[KursLabIgor]

same for me. On aws provider 2.46 version all worked fine

[derekmurawsky]

I'm also having this issue after upgrading.

[stavenko]

Have same issue when doing 'terrafom destroy'

[clemlesne]

Same issue for me when a role name is updated. This is really annoying and force me to delete manually the resources.

Same as : hashicorp/terraform#2761 and #5417.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.