Failure to detect drift in aws_iam_instance_profile resource #7160

Closed
ghost opened this issue Jan 16, 2019 · 2 comments · Fixed by #16188
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Milestone

Comments

@ghost

ghost commented Jan 16, 2019

This issue was originally opened by @milh0use as hashicorp/terraform#20023. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

0.11.11 (provider.aws 1.52.0)

...

Terraform Configuration Files

resource "aws_iam_instance_profile" "example_instance_profile" {
  name = "example_instance_profile"
  role = "${aws_iam_role.example_role.name}"
}

resource "aws_iam_role" "example_role" {
  name = "example_role"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
  tags = {
    "Terraform" = "True"
  }
}

resource "aws_iam_role_policy" "example_iam_role_policy" {
  name = "example_iam_role_policy"
  role = "${aws_iam_role.example_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToAssumeRole",
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "${data.terraform_remote_state.example-policy.role_arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action" : [
        "ec2:RunInstances",
        ...
      ],
      "Resource" : "*"
    }
  ]
}
EOF
}

Debug Output

Crash Output

Expected Behavior

I've read the excellent article on drift, but we've hit a situation where terraform-managed infrastructure was modified in the AWS console and a terraform apply failed to restore the changes as it failed to detect a modification of the configuration (the list of roles attached to the instance profile) of an aws_iam_instance_profile resource. I would have thought this is a change that terraform could potentially detect and fix.

Actual Behavior

terraform plan recognises that deleted resources need to be recreated but doesn't restore all the links between the resources.

Steps to Reproduce

Note that in the steps below, some of the steps might happen automatically when other steps are done (such as removing a role from an instance profile might happen automatically when you delete the role). A colleague made the changes in the AWS console and I only have the CloudTrail log as evidence of what happened.

  1. Create the resources above using terraform
  2. Delete the example_role from the AWS console
  3. Remove example_role from the example_instance_profile instance profile from the AWS console
  4. Delete the example_iam_role_policy role policy from the AWS console

Now run a terraform plan. Terraform detects that it needs to recreate the deleted resources, but doesn't notice that the configuration of the instance profile has changed such that it is no longer linked to the example_role role.

Additional Context

References
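The drift the report describes (a role detached from the instance profile in the console, which the provider's refresh did not pick up) can be caught out-of-band by comparing the declared role against what the IAM API actually returns. The following is an added example, not code from the issue or from the provider; it uses a constructed stand-in shaped like boto3's iam.get_instance_profile() response, and the desired state is taken from the configuration above.

```python
"""Out-of-band drift check for aws_iam_instance_profile role attachments.

Added example. It compares the role each instance profile should carry
against the roles the IAM API reports for it, so a role detached in the
console is flagged even when the provider does not refresh the attribute.
"""

# Desired state from the issue's configuration: profile name -> role name.
EXPECTED = {"example_instance_profile": "example_role"}


class NoSuchEntity(Exception):
    """Stand-in for botocore's NoSuchEntityException."""


# Constructed response simulating the state after step 3 of the repro:
# the profile still exists but example_role has been detached from it.
FAKE_IAM = {
    "example_instance_profile": {
        "InstanceProfile": {
            "InstanceProfileName": "example_instance_profile",
            "Roles": [],
        }
    },
}


def fake_get_instance_profile(name):
    """Stand-in for iam.get_instance_profile(InstanceProfileName=name)."""
    if name not in FAKE_IAM:
        raise NoSuchEntity(name)
    return FAKE_IAM[name]


def detect_drift(expected, get_profile=fake_get_instance_profile):
    """Return a list of (profile, finding) tuples; an empty list means no drift."""
    findings = []
    for profile, role in expected.items():
        try:
            resp = get_profile(profile)
        except NoSuchEntity:
            findings.append((profile, "profile missing"))
            continue
        actual = {r["RoleName"] for r in resp["InstanceProfile"].get("Roles", [])}
        if role not in actual:
            findings.append((profile, f"role {role} detached"))
        for extra in sorted(actual - {role}):
            findings.append((profile, f"unexpected role {extra} attached"))
    return findings


if __name__ == "__main__":
    for profile, finding in detect_drift(EXPECTED):
        print(f"DRIFT {profile}: {finding}")
```

Swapping fake_get_instance_profile for a real boto3 client call (and catching its NoSuchEntityException) turns this into a plan-time pre-check that fails before terraform apply silently leaves the profile without its role.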

@bflad bflad added the service/iam Issues and PRs that pertain to the iam service. label Jan 17, 2019
@aeschright aeschright added the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2019
@aeschright aeschright added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 20, 2019
@github-actions github-actions bot added this to the v3.28.0 milestone Feb 11, 2021
@ghost
Author

ghost commented Feb 12, 2021

This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Author

ghost commented Mar 14, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 14, 2021