minio_iam_service_account resource keeps dropping policy. #517

Closed
dmaes opened this issue Sep 10, 2023 · 2 comments · Fixed by #518

Comments

@dmaes

dmaes commented Sep 10, 2023

Description

minio_iam_service_account resource keeps dropping policy.

Steps to Reproduce

  • Create a user
  • Create a service account for this user
  • Attach a policy to this user

resource "minio_iam_user" "user" {
  name = var.name
}

resource "minio_iam_service_account" "sa" {
  target_user = minio_iam_user.user.name
}

resource "minio_iam_user_policy_attachment" "policy" {
  for_each    = toset(var.policies)
  user_name   = minio_iam_user.user.name
  policy_name = each.key
}

Expected behavior:
Clean terraform runs when nothing has changed

Actual behavior:
The service account's policy is set to the policies from its user. Terraform picks this up, sees no policy defined in code, and tries to drop it on every run. Policy should be changed if any is defined and differs, but should be ignored when none is defined in code.

Reproduces how often: Always

Versions

Terraform: 1.5.5
Module: 1.18.0

Additional Information

Seems related to/introduced by Issue #501 and PR #502

@ArataEM
Contributor

ArataEM commented Sep 12, 2023

I think that the better way would be to apply an empty policy if none is set for minio_iam_service_account.
This way we can avoid cases like:

  • Copy service account policy from interface
  • Change user's policy

In this case terraform apply won't change the service account's policy, but it will be changed because the user's policy has changed.

Functionally, a service account without a policy has the same permissions as one with the user's policy.

@dmaes
Author

dmaes commented Sep 13, 2023

Tested your PR, looks good.
