Failing to delete a role if if policies are attached

[hashibot]

This issue was originally opened by @aleybovich as hashicorp/terraform#15301. It was migrated here as part of the provider split. The original body of the issue is below.

---

I'm using TF v0.9.7
I am adding a simple service role. Then I am running terraform destroy to delete that role and I am getting an error aws_iam_role.code-deploy-ec2-instance-profile: DeleteConflict: Cannot delete entity, must detach all policies first.

After some troubleshooting I realized that turbot (the 3rd party software that manages our enterprise aws accounts) attaches its own additional policies to any created roles. So, when terraform tries to delete the role, those policies, added outside of terraform, cause the error.

Is there any way to force detach all unmanaged policies using terraform so I could successfully destroy the managed role?

[aleybovich]

As suggested by @radeksimko in the original ticket, can you please add the ability to force detach any attached policies before deleting a role? That would be a great help for anyone in the same situation as myself. Basically, if you could add a flag force_detach_policies or smth like that to aws_iam_role resource and if it's true then on resource removal it wouldn't fail if any policies are attached but would detach them and delete the role.

[rafaljanicki]

Hey @stack72 , unfortunately it seems it doesn't work correctly in the newest Terraform version (0.10.0):

This is a snippet from my terraform template:

data "aws_iam_policy_document" "instance-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "iam_role" {
  name = "PackerInstanceRole"
  force_detach_policies = true
  assume_role_policy = "${data.aws_iam_policy_document.instance-assume-role-policy.json}"
}

And the error:

aws_iam_policy.iam_policy: Refreshing state... (ID: arn:aws:iam::712852996757:policy/terraform-00765260f3d11ad2517755fba4)
data.aws_iam_policy_document.instance-assume-role-policy: Refreshing state...
aws_iam_role.iam_role: Refreshing state... (ID: AssumeEC2)
aws_iam_instance_profile.instance_profile: Refreshing state... (ID: PackerInstanceProfile)
aws_iam_policy_attachment.iam_attachment: Refreshing state... (ID: PolicyToRole)
aws_iam_role.iam_role: Destroying... (ID: AssumeEC2)
aws_iam_role.iam_role: Still destroying... (ID: AssumeEC2, 10s elapsed)
aws_iam_role.iam_role: Still destroying... (ID: AssumeEC2, 20s elapsed)
aws_iam_role.iam_role: Still destroying... (ID: AssumeEC2, 30s elapsed)
Error applying plan:

1 error(s) occurred:

* aws_iam_role.iam_role (destroy): 1 error(s) occurred:

* aws_iam_role.iam_role: DeleteConflict: Cannot delete entity, must detach all policies first.
        status code: 409, request id: 52f24bb2-7a81-11e7-8075-6fb76cb9ab79

I know that the flag was included in the newest version of the Terraform, so is there anything I'm doing wrong?

[Laxman-SM]

Hi My IAM policy created in first terraform run, than when i am running same apply with few updates than i'm getting this message.

my question how to remove this message. i am using 0.11.2 terraform version.

Error: Error applying plan:

3 error(s) occurred:

• aws_iam_role.docker_registry_permissions: 1 error(s) occurred:

• aws_iam_role.docker_registry_permissions: Error creating IAM Role docker-registry-permissions: EntityAlreadyExists: Role with name docker-registry-permissions already exists.
  status code: 409, request id: 93366b1b-00f3-11e8-9d81-abe702fc5a1c

• aws_iam_user.registry_user: 1 error(s) occurred:

• aws_iam_user.registry_user: Error creating IAM User registry: EntityAlreadyExists: User with name registry already exists.
  status code: 409, request id: 9337a30b-00f3-11e8-bc9c-036a98942ec1

• aws_iam_policy.docker_registry_s3_access: 1 error(s) occurred:

• aws_iam_policy.docker_registry_s3_access: Error creating IAM policy docker-registry-s3-access: EntityAlreadyExists: A policy called docker-registry-s3-access already exists. Duplicate names are not allowed.
  status code: 409, request id: 9336dfba-00f3-11e8-bc9c-036a98942ec1

[bflad]

Hi @Laxman-SM! Sorry you're having trouble. You can use the import functionality to bring in existing infrastructure into Terraform, e.g. aws_iam_role import documentation. If you have further problems, I would suggest opening a new Github issue or asking your question on the terraform-tool Google Group for better visibility over a comment in a closed issue.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!