-
Notifications
You must be signed in to change notification settings - Fork 9.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
destroying aws_iam_policy_attachment to a managed policy deletes everyone's attachments #5483
Comments
Same thing here. version 0.6.12. We noticed that specifically AmazonS3FullAccess kept on disappearing from other roles, which gave us a little headache in production! Only today did I notice that the terraform changelog operated on roles that were outside of the stack. |
I think this also happens when just running an update (terraform apply) on IAM attachments that you already created with terraform. So it's pretty destructive whenever terraform tries to do any syncing of its knowledge of IAM attachments vs what actually exists in AWS. I think what’s happening is that when terraform tries to reconcile its state file with the state of the world it looks for anyone with the attached policies, and if the attachment is not in its state file (because it was created through some other method), terraform assumes it should be detached. The offending code is around https://github.com/hashicorp/terraform/blob/master/builtin/providers/aws/resource_aws_iam_policy_attachment.go#L106. |
+1, we locked ourselves out of our account with this |
Further looking into this, and this issue is similar, if not a duplicate of, issue #2100. In any event, I've verified that @graycoder's fix in PR #4016 resolves the role-based break case presented and the approach makes sense. Good work! |
+1, we locked ourselves out of all accounts with this bug again. |
Seconded. The problem here is that the relationship of the attachment is 1 policy : many roles/users/groups. Terraform is viewing the attachment from the perspective of the policy. Perhaps an alternative resource/mechanism to attach many policies to 1 role/user/group would suit. |
+1 - it becomes almost impossible to manage policies within one account with the current implementation. Policies get removed from previous |
Because #6858 was mentioned as possibly superseding #4016, I retested this against current master (which includes #6858) and confirm that the test cases above still fail. Would be really great if #4016 could be reviewed and merged if acceptable. It has had several eyes across it in the last six months. Without it we have to duplicate managed policies rather than use official polices and risk having policy attachments accidentally removed. |
@slowbluecamera in your test case did you switch your resources to be the new ones introduced in #6858 where you map a single attachment to a single user/role/group (different resources for each one)? |
@johnrengelman : My apologies, I did simply re-test the above without understanding the change fully. Specifically replacing the existing policy attachment:
With the new resource:
Works as desired. Good stuff! Look forward to using this in forthcoming version. |
This has been affecting me as well. Is there any update on the fix to this? |
I've ran into this myself. Specifically, when trying to attach the same managed policy to a second role in the same account
Here etcd-cluster-node-role already exists and has the same managed policy attached, but is not part of the current Terraform state. Still, terraform plans to remove it's attachment. I currently sifting through the Terraform code to figure out what's causing this. Will update here when I find something. |
@grahamsk @alexsomesan - have you tried using the new resources that are specific to role, group, and user instead of the catch all that can assign all those in one (as per my comment above)? |
@johnrengelman I have, and that works. The root issue though is that those are from perspective of the respective resource. Similarly, aws_iam_policy_attachment is from the perspective of the Policy. If you're dealing with a user and set the policy list (empty), you remove that policy from the user. If you're dealing with a policy and set the attachment list (empty), you remove anything that was attached to the policy. The difficulty here is being able to define the resource in either direction. TF may need to make sure that adding this resource matches the list already in place before successfully adding it. |
The point of the new resources is to manage the resources from the pov of the attachment itself just as the aws API models it: an attachment of a policy to a single resource. See http://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html |
We're experiencing the same issue mentioned by @alexsomesan |
@johnrengelman I've tried switching to aws_iam_role_policy_attachment and it seem to have fixed the issue here. |
seems related to #6045, the |
@c4urself can you post a copy of your TF files that is using the |
I can confirm that switching to role_policy fixes the problem for me as well. Please note that after switching all your plans to this, you do need to run all of them once. Following by running all of them once more. As the first time you switch each plan will still trigger a global delete. |
I can confirm the switching to role_policy_attachment, also works for me on 0.9.7 |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
If you use the "aws_iam_policy_attachment" resource to attach a role to a managed_policy, when you destroy the configuration, it will remove attachments made by other configurations, or even manually setup attachments.
In the example configurations below, configuration "plan_one.tf" sets up an attachment to the "AWSLambdaBasicExecutionRole" managed policy. The configuration "plan_two.tf" also sets up a similar attachment. If you apply both configurations, and then delete one, you'll find that both attachments have bene removed.
Also, if you have set up role attachments to the managed policy by other scripts, or manually, then you will find that those attachments have been removed (which is how we discovered it! :-( ).
Have reproduced this in terraform-0.6.12 on OSX.
(This is my first issue reported to the terraform project. I've reviewed submitting guidelines and tried to be complete, but I'd like this issue to be as useful as possible. So if there is any additional information needed or changes in style that would be helpful, please don't hesitate to let me know. Thanks!)
Workarounds:
Steps to reproduce:
export TF_VAR_access_key=AWS ACCESS KEY
export TF_VAR_secret_key=AWS SECRET KEY
Notice that the policy attachment in
plan_two.tf
is no longer there.plan_one.tf
two/plan_two.tf
variables.tf (identical in both configurations)
The text was updated successfully, but these errors were encountered: