
provider/aws : IAM policy attachment/detach bug ? #6045

Closed
saswatp opened this issue Apr 6, 2016 · 11 comments

Comments

@saswatp

saswatp commented Apr 6, 2016

I have an AWS policy ARN and I am attaching a role to that policy. Since the policy is a global policy (arn:aws:iam::aws:policy/AmazonS3FullAccess), there are some other users also associated with that policy (not through terraform). In my plan and apply, I am not explicitly attaching a particular user.

When I detach the role from the policy, terraform detaches users associated with that policy. So, the bug is we don't explicitly attach users to a policy, however when we detach a role from the policy we also detach users that we didn't attach in the first place. I tried to hack around by providing a null value for user, assuming that when I detach, it won't detach other users as the user I am associating is null. That failed as a "" user can't be attached in the first place (doesn't exist).

Detaching an IAM policy detaches users attached to that policy

resource "aws_iam_policy_attachment" "management-host-policy-attach" {
    name = "${var.service}-management-attachment"
    roles = ["${aws_iam_role.management-instance-role.name}"]
    //users = ["${var.iam_users}"]
    policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    lifecycle {
        create_before_destroy = true
    }
}

terraform version
Terraform v0.6.15-dev (b20f680)

@saswatp saswatp changed the title provider/aws : IAM policy attachment/detachment bug ? provider/aws : IAM policy attachment/detach bug ? Apr 6, 2016
@thiagonache

I got some issues here also. I coded a patch which fixed it and submitted a new PR #6048

@jeekajoo

jeekajoo commented Apr 8, 2016

Do you think it's related to #5979 ?

@thiagonache

Yes, I think it is.
I opened a new PR and a new issue with more information:
Issue #6082
PR #6083

@serkanh

serkanh commented Apr 8, 2016

Got the same issue as well. When a managed policy is attached to a role, the managed policy (i.e. AmazonS3FullAccess) is detached from the existing users/groups/roles that were attached manually outside of terraform.

@atward
Contributor

atward commented Apr 15, 2016

I am also seeing this. Terraform is modifying roles that are not even defined in terraform. The example below shows it modifying the default 'aws-elasticbeanstalk-ec2-role' created by Elastic Beanstalk.

~ aws_iam_policy_attachment.viewer_eb_webtier
    roles.#:          "2" => "1"
    roles.1946741943: "viewer" => "viewer"
    roles.323212897:  "aws-elasticbeanstalk-ec2-role" => ""

config below:

resource "aws_iam_policy_attachment" "viewer_eb_webtier" {
    name = "viewer_eb_webtier"
    roles = ["${aws_iam_role.viewer.name}"]
    policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}

Looking at the state shows all the attachments of a policy, even if they do not relate to an attachment:

                "aws_iam_policy_attachment.viewer_eb_webtier": {
                    "type": "aws_iam_policy_attachment",
                    "depends_on": [
                        "aws_iam_role.viewer"
                    ],
                    "primary": {
                        "id": "viewer_eb_webtier",
                        "attributes": {
                            "groups.#": "0",
                            "id": "viewer_eb_webtier",
                            "name": "viewer_eb_webtier",
                            "policy_arn": "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier",
                            "roles.#": "2",
                            "roles.1946741943": "viewer",
                            "roles.323212897": "aws-elasticbeanstalk-ec2-role",
                            "users.#": "0"
                        }
                    }
                },

This ties in with #5947. It is documented in the terraform docs, but breaks the flow if you have multiple terraform configs in a single account.
Also relates to #5483, #4165. Traces back to #2100, with proposals in #4016.

@ocsi01

ocsi01 commented Jul 4, 2016

The same issue here on v0.7RC-2!

When deleting an IAM group created by Terraform, it detaches the policies attached to it. Furthermore, it also detaches these policies from EVERY other group AND user which are not managed by Terraform.

@joachimdraeger

I had a similar problem when using aws_iam_policy_attachment. I tried to use it to attach a managed policy to a specific role. This had the effect that the policy got detached from every other role. At first I believed this was a bug, but aws_iam_policy_attachment is probably the wrong way of achieving this.
aws_iam_role_policy_attachment works as expected. It attaches the policy to the role and leaves all other roles alone.
I am not sure what the actual use case for aws_iam_policy_attachment is. It allows you to specify a fixed set of roles, users and groups a policy is attached to. If I understand correctly, this is mutually exclusive with using aws_iam_role_policy_attachment or attaching the policy to any other entity using a different tool or terraform project.

From what I have learned so far: Double check if aws_iam_policy_attachment is actually the right resource for your use case.
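To make the distinction in the comment above concrete, here are the two resources side by side. This is an added example and not code from the thread or from the Terraform project; it reuses the policy ARN and the `management-instance-role` role from the original report, and assumes that role is declared elsewhere in the same configuration. The two resources are alternatives: pick one, do not declare both.

```hcl
# Added example (not from the thread or the Terraform AWS provider).
# Assumes aws_iam_role.management-instance-role is defined in this configuration.

# Option A: exclusive attachment. The roles/users/groups lists are treated as the
# COMPLETE set of principals attached to the policy. On apply, any role, user or
# group attached to the policy but not listed here is detached, including ones
# created by other Terraform configurations or by hand. For an AWS-managed policy
# such as AmazonS3FullAccess this reaches every principal in the account that
# uses it, which is the behaviour reported in this issue.
resource "aws_iam_policy_attachment" "s3_full_exclusive" {
  name       = "management-attachment"
  roles      = ["${aws_iam_role.management-instance-role.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

# Option B: per-role attachment. Manages exactly one (role, policy) pair.
# Creating it attaches the policy to this role only; destroying it detaches
# this role only. Other roles, users and groups attached to the same policy,
# whether managed by Terraform or not, are left alone.
resource "aws_iam_role_policy_attachment" "s3_full_management" {
  role       = "${aws_iam_role.management-instance-role.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
```

Before applying an aws_iam_policy_attachment against a policy that is shared across the account, the plan output is the place to look: a `roles.#` (or `users.#` / `groups.#`) count that drops, with principal names changing to `""` as in @atward's plan above, means principals you did not declare are about to be detached.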

@c4urself

c4urself commented Nov 2, 2016

I'm considering aws_iam_policy_attachment harmful, and will not use it again. Not only does it cause flopping between states, it will also remove attachments from objects NOT managed by Terraform at all.

I tried switching everything to iam_role_policy_attachment but on 0.7.4 it seems to be exhibiting the same behaviour, I cannot attach one policy to multiple roles via multiple iam_role_policy_attachment objects.

Even when you delete the attachment entirely during an apply, it will STILL detach policies from roles.

@mlconnor

This is a huge issue causing production issues and we will likely need to discontinue use of Terraform until this is fixed. Hoping to have some feedback from Hashicorp on a fix or workaround.

@Azrael808

I have just switched to using the aws_iam_role_policy_attachment resource as I was experiencing the same "flip-flopping" behaviour described by @atward and @c4urself. I also found the behaviour to persist, despite using the new resource.

However, I saw a note on #4165 by @hardboiled about using the id attribute instead of the name attribute. Once I updated my templates with this change, everything worked as expected!

For clarity, the documentation currently shows this syntax:

resource "aws_iam_role_policy_attachment" "test-attach" {
    role = "${aws_iam_role.role.name}"
    policy_arn = "${aws_iam_policy.policy.arn}"
}

But I got the desired behaviour by doing:

resource "aws_iam_role_policy_attachment" "test-attach" {
    role = "${aws_iam_role.role.id}"
    policy_arn = "${aws_iam_policy.policy.arn}"
}

One thing I'm not sure of is whether the removal of the resource will delete other attachments, but for now, I'm able to proceed without fear that updates to one environment will impact the others.

@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020