Failing to delete a role if policies are attached #15301

Closed
aleybovich opened this issue Jun 15, 2017 · 3 comments
Comments

@aleybovich

I'm using TF v0.9.7
I am adding a simple service role. Then I am running terraform destroy to delete that role and I am getting an error aws_iam_role.code-deploy-ec2-instance-profile: DeleteConflict: Cannot delete entity, must detach all policies first.

After some troubleshooting I realized that turbot (the 3rd party software that manages our enterprise aws accounts) attaches its own additional policies to any created roles. So, when terraform tries to delete the role, those policies, added outside of terraform, cause the error.

Is there any way to force detach all unmanaged policies using terraform so I could successfully destroy the managed role?

@radeksimko
Member

radeksimko commented Jun 15, 2017

Hi @aleybovich
this is expected behaviour. Generally speaking it's a good (and expected) practice when using most IaC tools like Terraform to choose one for managing the whole infra or at least specific part of it (e.g. IAM roles, or all of IAM, or specific IAM role) to avoid tools and users fighting with each other.

That said (which is why I labelled this as enhancement) we could add a new field to aws_iam_role, something like force_delete which would also detach policies.

@aleybovich
Author

aleybovich commented Jun 15, 2017

@radeksimko - thank you for looking into this!

I understand that it's an expected behavior. Unfortunately, unmanaged policies are being added and that's outside of my control :) If you could add a flag that would force delete a role even if it has policies attached, that would greatly help me and anyone who's using 3rd party access control tools like turbot. Is it something you could add in the near future? I'm pretty much blocked until then :(
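The "force detach, then delete" behaviour requested above, as an added example that is not part of this issue or the Terraform AWS provider: it lists every policy attached to the role, records which ones fall outside the set the caller declares as managed (so externally attached policies like the ones in the report are audited rather than silently dropped), detaches them, removes inline policies, and only then deletes the role. The boto3 IAM method names are real; `FakeIAM`, the role name and the policy ARNs are constructed stand-ins so it runs offline.

```python
from typing import Dict, List, Set


class FakeIAM:
    """Constructed offline stand-in for a boto3 IAM client (sample data, no real account)."""

    def __init__(self, attached: List[str], inline: List[str]) -> None:
        self.attached, self.inline, self.deleted = list(attached), list(inline), False

    def list_attached_role_policies(self, RoleName: str, Marker: str = None) -> dict:
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.attached], "IsTruncated": False}

    def detach_role_policy(self, RoleName: str, PolicyArn: str) -> None:
        self.attached.remove(PolicyArn)

    def list_role_policies(self, RoleName: str) -> dict:
        return {"PolicyNames": list(self.inline)}

    def delete_role_policy(self, RoleName: str, PolicyName: str) -> None:
        self.inline.remove(PolicyName)

    def delete_role(self, RoleName: str) -> None:
        if self.attached or self.inline:  # mirrors the DeleteConflict error quoted in the issue
            raise RuntimeError("DeleteConflict: Cannot delete entity, must detach all policies first.")
        self.deleted = True


def force_delete_role(iam, role_name: str, managed_arns: Set[str]) -> Dict[str, List[str]]:
    """Detach all attached policies, delete inline policies, then delete the role.

    Returns which attached ARNs the caller declared as managed and which were attached
    outside its control, so the unmanaged ones can be reviewed. (A role still listed in
    an instance profile must be removed from it first; that step is not handled here.)
    """
    report: Dict[str, List[str]] = {"managed": [], "unmanaged": [], "inline": []}
    kwargs = {"RoleName": role_name}
    while True:  # ListAttachedRolePolicies is paginated via IsTruncated/Marker
        page = iam.list_attached_role_policies(**kwargs)
        for pol in page["AttachedPolicies"]:
            report["managed" if pol["PolicyArn"] in managed_arns else "unmanaged"].append(pol["PolicyArn"])
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]
    for arn in report["managed"] + report["unmanaged"]:  # detach after listing so paging stays stable
        iam.detach_role_policy(RoleName=role_name, PolicyArn=arn)
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        report["inline"].append(name)
    iam.delete_role(RoleName=role_name)
    return report
```

With a real client (`boto3.client("iam")`) the same function runs against an account, so the `unmanaged` list is worth logging before a destroy in environments where another tool attaches policies.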

@ghost

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020