aws_iam_role_policy name collision

[frumpled]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.11.10

Provider: aws
Provider version:~> 1.57

Affected Resource(s)

• aws_iam_role_policy

Terraform Configuration Files

resource "aws_iam_role_policy" "some_policy_1" {
  name   = "${var.policy_name}"
  role   = "some_role_name"
  policy = "${data.aws_iam_policy_document.some_policy_1.json}"
}

resource "aws_iam_role_policy" "some_policy_2" {
  name   = "${var.policy_name}"
  role   = "some_role_name"
  policy = "${data.aws_iam_policy_document.some_policy_2.json}"
}

Expected Behavior

The plan fails and reports that there's a collision of resources and identifies these resources.

Actual Behavior

When two aws_iam_role_policy resources share a name (they shouldn't, but things happen, especially in shared repositories 🤷‍♂️ ):

• terraform plan shows that changes are detected and shows that policy resources are being updated.
• terraform apply shows that the changes applied and there is nothing else to report, concealing the fact that an existing policy was swapped out / overwritten and that a new plan would result in more changes.

Running the plan and apply commands does not report an issue and appears to apply both as intended,
however it actually overwrites one and subsequent plans/applies just swap one out for the other in an endless a loop, reporting no issue.

Steps to Reproduce

1. terraform plan
2. terraform apply

Important Factoids

Terraform plans and applies were done using "atlantis":
https://github.com/runatlantis/atlantis

Because of this, I can't actually run terraform -v or similar; atlantis does not give this as an option 😿

[bflad]

Hi @frumpled 👋 Thank you for submitting this and this is an excellent use case of somewhere that Terraform and the Terraform AWS Provider could be much more helpful since in many cases they have enough information to return an error upfront during planning instead of unexpected behavior during apply.

I believe this falls under the provider-wide enhancement proposal of #14394, so by adding this link here it will add a reference to that issue so we can include it as a use case when thinking about the implementation details. Since this is likely something we will want more broadly across many resources, I'm going to close this particular issue to consolidate discussions, efforts, and prioritization on the topic while the reference would serve as the cue to make this specific resource one of the initial implementations. I would suggest those 👍 upvoting and subscribing here to do so on #14394 so we can appropriately gauge interest. Please feel free to provide feedback there.

Thanks again!

[frumpled]

Thanks for the helpful info and tidying things up into a single issue @bflad 😄

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!