
Can't delete IAM role because policies are attached #5417

Closed
ghost opened this issue Aug 1, 2018 · 9 comments · Fixed by #9278
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Comments

@ghost

ghost commented Aug 1, 2018

This issue was originally opened by @rhettg as hashicorp/terraform#2761. It was migrated here as a result of the provider split. The original body of the issue is below.


I renamed a policy and when attempting to apply it, failure:

```
Error applying plan:

6 error(s) occurred:

* Error deleting IAM Role SecretsStagingReadAccess: DeleteConflict: Cannot delete entity, must detach all policies first.
    status code: 409, request id: [d1a50611-2c10-11e5-9a88-316fd3525d8b]
* aws_iam_policy_attachment.secrets-read-stage: diffs didn't match during apply. This is a bug with Terraform and should be reported.
* Error deleting IAM Role SecretsProductionReadAccess: DeleteConflict: Cannot delete entity, must detach all policies first.
    status code: 409, request id: [d1b5cf2c-2c10-11e5-b08f-8197d6e94b96]
* aws_iam_policy_attachment.secrets-read-prod: diffs didn't match during apply. This is a bug with Terraform and should be reported.
* Error deleting IAM Role SecretsDevelopmentReadAccess: DeleteConflict: Cannot delete entity, must detach all policies first.
    status code: 409, request id: [d1baff1b-2c10-11e5-9a88-316fd3525d8b]
* aws_iam_policy_attachment.secrets-read-dev: diffs didn't match during apply. This is a bug with Terraform and should be reported.
```

I don't think there is anything special about my configuration, but it looks something like:

```hcl
resource "aws_iam_policy" "secrets-full" {
  name = "SecretsFullAccess"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.secrets-prod.id}/*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.secrets-stage.id}/*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.secrets-dev.id}/*"
    }
  ]
}
EOF
}

resource "aws_iam_role" "secrets-full" {
    name = "secrets-full"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "secrets-full" {
  name = "secrets-full-attachement"
  roles = ["${aws_iam_role.secrets-full.name}"]
  policy_arn = "${aws_iam_policy.secrets-full.arn}"
}
```

The error occurred after changing the role name.

@paddycarver paddycarver added bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. labels Aug 1, 2018
@jthenne

jthenne commented Nov 15, 2018

I'm pretty sure it's related to aws created policies that have been attached using aws_policy_attachement. All others got deleted from my role without an issue.

@rekahsoft

rekahsoft commented Feb 23, 2019

Similar to @jthenne, I have hit this issue when policies are attached with aws_iam_policy_attachment but do not experience it when using any of aws_iam_role_policy_attachment, aws_iam_group_policy_attachment or aws_iam_user_policy_attachment. I attempted to change the path of an existing resource which causes it to be removed and recreated, but fails with the same error as given in this issue. I require the exclusive role attachment property of the aws_iam_policy_attachment resource, and do not want to use the specific iam entity policy attachment resources.

Additionally, if I add a lifecycle block with create_before_destroy for the role used in the policy attachment, it fails as I am attempting to change the path of the role, so terraform tries to create a role with the same name; however, role names must be unique. So the only workaround I have for the time being is to detach the policies manually or comment out the aws_iam_policy_attachment resources, terraform apply, and then uncomment them and terraform apply.

@jdeluyck

I'm hitting this problem just trying to delete a policy that has been attached using aws_iam_role_policy_attachment, and that is in use. I would have expected TF to go ahead and delete the attachment.

@mutabletao

TF does not work with AWS IAM correctly. It has not for the past 3 years. hashicorp/terraform#3749

hashicorp/terraform#2761

#5417

This is an ongoing issue that has never been addressed/corrected

bflad added a commit that referenced this issue Jul 9, 2019
…detaching groups, roles, and users (support group, role, and user renames)

Reference: #5417

Previously from acceptance testing (before code updates):

```
--- FAIL: TestAccAWSIAMPolicyAttachment_Groups_RenamedGroup (8.82s)
    testing.go:568: Step 1 error: errors during apply:

        Error: [WARN] Error updating user, role, or group list from IAM Policy Attachment tf-acc-test-5552018730471644331:
        – NoSuchEntity: The group with name tf-acc-test-5552018730471644331-1 cannot be found.

--- FAIL: TestAccAWSIAMPolicyAttachment_Roles_RenamedRole (10.31s)
    testing.go:568: Step 1 error: errors during apply:

        Error: [WARN] Error updating user, role, or group list from IAM Policy Attachment tf-acc-test-4256997168279122998:
        – NoSuchEntity: The role with name tf-acc-test-4256997168279122998-1 cannot be found.

--- FAIL: TestAccAWSIAMPolicyAttachment_Users_RenamedUser (11.64s)
    testing.go:568: Step 1 error: errors during apply:

        Error: [WARN] Error updating user, role, or group list from IAM Policy Attachment tf-acc-test-5706224507827321055:
        – NoSuchEntity: The user with name tf-acc-test-5706224507827321055-1 cannot be found.
```

Output from acceptance testing:

```
--- PASS: TestAccAWSIAMPolicyAttachment_Groups_RenamedGroup (12.29s)
--- PASS: TestAccAWSIAMPolicyAttachment_Users_RenamedUser (12.51s)
--- PASS: TestAccAWSIAMPolicyAttachment_Roles_RenamedRole (12.92s)
--- PASS: TestAccAWSIAMPolicyAttachment_basic (137.55s)
--- PASS: TestAccAWSIAMPolicyAttachment_paginatedEntities (216.36s)
```
bflad added a commit that referenced this issue Jul 9, 2019
…rement for modifying name/path with aws_iam_policy_attachment

Reference: #5417
bflad added a commit that referenced this issue Jul 9, 2019
…or modifying name/path with aws_iam_policy_attachment

Reference: #5417
@bflad
Contributor

bflad commented Jul 9, 2019

Hi folks 👋

The aws_iam_policy_attachment resource performs in-place updates for upstream group/role/user changes, unlike its aws_iam_group_policy_attachment / aws_iam_role_policy_attachment / aws_iam_user_policy_attachment resource counterparts. The difference is subtle, but means that Terraform will order operations in the following manner during renames (Recreate group/role/user -> Update policy attachments) whereas the attachment resources will properly order since they will force recreation (Destroy attachment -> Recreate group/role/user -> Create attachment).

Given this behavior, to set up your Terraform configuration properly for this situation where you want to modify the name or path of roles/users, any aws_iam_role resources must have force_detach_policies enabled and applied before attempting the operation, while aws_iam_user resources must have force_destroy enabled and applied before attempting the operation. For example:

```hcl
resource "aws_iam_policy" "example" {
  name = "example"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_user" "example" {
  force_destroy = true
  name          = "example"
}

resource "aws_iam_policy_attachment" "example" {
  name       = "example"
  policy_arn = "${aws_iam_policy.example.arn}"
  users      = ["${aws_iam_user.example.name}"]
}
```

I have submitted the following pull request, which ensures modifications to group/role/user names or paths (assuming they are properly enabled beforehand with force_detach_policies for roles and force_destroy for users), will successfully complete as well as augmenting the documentation to note this requirement on the resource documentation pages: #9278
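Under the hood, force_detach_policies does what rekahsoft's manual workaround above does by hand: detach every attached managed policy, then call DeleteRole, which is exactly the order IAM's 409 DeleteConflict enforces. The Python below is an added example, not provider code and not from anyone in this thread; it uses the real boto3 IAM call names and response keys (list_attached_role_policies with IsTruncated/Marker, detach_role_policy, delete_role) but runs offline against a constructed FakeIAM stand-in, and every role name and policy ARN in the test is made up.

```python
class DeleteConflict(Exception):
    """Stand-in for botocore ClientError code DeleteConflict (HTTP 409)."""


def detach_and_delete_role(iam, role_name, page_size=100):
    """Detach every managed policy from role_name, then delete the role.

    Lists all attachments first (IsTruncated/Marker pagination), then
    detaches, so the listing is never mutated mid-iteration. Works against
    a real boto3 IAM client too (same call names and response keys). A real
    DeleteRole also needs inline policies and instance profiles removed first.
    """
    arns, marker = [], None
    while True:
        kwargs = {"RoleName": role_name, "MaxItems": page_size}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_attached_role_policies(**kwargs)
        arns.extend(p["PolicyArn"] for p in page["AttachedPolicies"])
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    for arn in arns:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=arn)
    iam.delete_role(RoleName=role_name)  # would return 409 if anything were attached
    return arns


class FakeIAM:
    """Constructed in-memory IAM that enforces the DeleteConflict rule offline."""

    def __init__(self, roles):
        self.roles = {name: list(arns) for name, arns in roles.items()}

    def list_attached_role_policies(self, RoleName, MaxItems=100, Marker=None):
        arns, start = self.roles[RoleName], int(Marker or 0)
        chunk = arns[start:start + MaxItems]
        resp = {"AttachedPolicies": [{"PolicyArn": a} for a in chunk]}
        if start + MaxItems < len(arns):
            resp.update(IsTruncated=True, Marker=str(start + MaxItems))
        return resp

    def detach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName].remove(PolicyArn)

    def delete_role(self, RoleName):
        if self.roles[RoleName]:
            raise DeleteConflict("Cannot delete entity, must detach all policies first.")
        del self.roles[RoleName]
```

Swap FakeIAM for `boto3.client("iam")` to run it for real; the small page_size in the test only exists to exercise the pagination path.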

@bflad bflad added this to the v2.19.0 milestone Jul 10, 2019
@bflad
Contributor

bflad commented Jul 10, 2019

The bugfix and documentation updates for this have been merged and will release with version 2.19.0 of the Terraform AWS Provider, likely in the next two days. 👍

@bflad
Contributor

bflad commented Jul 11, 2019

This has been released in version 2.19.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@archenroot

archenroot commented Sep 26, 2019

This doesn't work for me:

```hcl
resource "aws_iam_role" "lambda_role" {
  name               = "${var.lambda_name}_role"
  assume_role_policy = "${file("${path.module}/lambda_role.json")}"
  force_detach_policies = true
}

resource "aws_iam_role" "apigw_role" {
  name               = "${var.api_gw_name}_role"
  assume_role_policy = "${file("${path.module}/apigw_role.json")}"
  force_detach_policies = true
}

# resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_readwrite" {
#   policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
#   role       = "${aws_iam_role.lambda_role.name}"
# }
#
# resource "aws_iam_role_policy_attachment" "api_gw_cloudwatch_logs_readwrite" {
#   policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
#   role       = "${aws_iam_role.apigw_role.name}"
# }

# TODO - dynamic mapping
resource "aws_iam_policy_attachment" "lambda_cloudwatch_logs_readwrite" {
  name = "dip2-data-mapping_lambda-CloudWatchLogsFullAccess_role"
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
  roles       = ["${aws_iam_role.lambda_role.name}"]
}

resource "aws_iam_policy_attachment" "api_gw_cloudwatch_logs_readwrite" {
  name = "dip2-data-mapping_apigw-CloudWatchLogsFullAccess_role"
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
  roles       = ["${aws_iam_role.apigw_role.name}"]
}
```

I am hitting the error...

2.29 AWS provider version

@ghost
Author

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019