-
Notifications
You must be signed in to change notification settings - Fork 8.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes to inline_policy
blocks on aws_iam_role
always recreates policy
#22336
Comments
inline_policy
blocks on aws_iam_role
always show as recreationsinline_policy
blocks on aws_iam_role
always recreates policy
Adding some extra information as I think this is also related but not 100% sure. When using a blank inline policy (which enforces that any added inline policy is removed). See example: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#example-of-removing-inline-policies As of version 3.70 the inline block will always show a change (even if there is no inline policy to remove): 3.69.0 works as expect. |
I also have this issue, but I don't think it's the same cause, so it should probably be split out into a different ticket. I believe the inline policy update issue is not a regression. |
This makes it difficult to see what the actual changes to the policy are. |
I think part of the problem here is that the schema of Alternatively, maybe it would be possible to create a custom diff for |
This is actually a bit of a theme in a lot of issues with this provider: |
@tmccombs Hit the same issue. I'll take a look at updating the custom diff for the policies to see if that could be updated to resolve this as that would break backwards compatibility. |
I guess another alternative would be to have some sort of flag for not using @justinretzolk Would it be possible to have one of the maintainers give input in here before I start development? More than willing to help contribute this, just need to know which direction I should go before I start development. |
One advantage of inline_policy over aws_iam_role_policy, is that it is better for detecting drift, since it will show a diff if there is a policy that isn't managed as part of the role. There is a similar issue with security group rules. |
@tmccombs Ahhh good point. Let me make an upstream issue on terraform then because as you said, this seems like a common issue with |
So from this thread from discuss Hashicorp about |
Are there any plans to migrate this provider to the terraform-plugin-framework? |
I'm going to attempt to upgrade |
I'm going to try to break this updates into parts as much as possible as it will be a pretty big changeset. This first PR is just add arn valid functionality to internal terraform validators for the plugin framework |
@justinretzolk Not sure the right channel to ask this but wanted to check before working more on my PR to upgrade the IAM resource to the plugin framework from sdk v2. I was planning on taking the |
@teddylear were you able to get any direction on this? cc @justinretzolk |
@atheiman I haven't so far. I was waiting on a response, but for now I'll continue to work on this with using the |
Was able to make above open PR that should resolve issue. resource "aws_iam_role" "main" {
assume_role_policy = data.aws_iam_policy_document.trust.json
name = "terraform-issue-reproduction"
inline_policies = {
"InlinePolicy" = data.aws_iam_policy_document.inline.json
}
}
# Inline policy document that we'll be changing
data "aws_iam_policy_document" "inline" {
statement {
sid = "S3"
actions = ["s3:ListBucket"]
resources = [
"arn:aws:s3:::some-bucket-a",
# After the first apply, uncomment this next line
# "arn:aws:s3:::some-bucket-b",
]
}
}
# Minimal, arbitrary trust statement to make the role valid
data "aws_iam_policy_document" "trust" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["apigateway.amazonaws.com"]
}
}
} And the plan to add second bucket in inline policy produces this plan which is close to original one in ticket: # aws_iam_role.main will be updated in-place
~ resource "aws_iam_role" "main" {
id = "terraform-issue-reproduction"
~ inline_policies = {
~ "InlinePolicy" = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = "arn:aws:s3:::some-bucket-a" -> [
+ "arn:aws:s3:::some-bucket-b",
+ "arn:aws:s3:::some-bucket-a",
]
# (3 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
}
name = "terraform-issue-reproduction"
# (8 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy. Adding a third bucket produces this plan which is even more user friendly: # aws_iam_role.main will be updated in-place
~ resource "aws_iam_role" "main" {
id = "terraform-issue-reproduction"
~ inline_policies = {
~ "InlinePolicy" = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = [
+ "arn:aws:s3:::some-bucket-c",
"arn:aws:s3:::some-bucket-b",
# (1 unchanged element hidden)
]
# (3 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
}
name = "terraform-issue-reproduction"
# (8 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy. If there is anything I should change to update about this please let me know. |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
resource.aws_iam_role
data.aws_iam_policy_document
in the reproductionTerraform Configuration Files
Debug Output
Redacted debug-level log: https://gist.github.com/danopia/0941f0d5f487432770c670603b221ea1
Expected Behavior
Because the
inline_policy
blocks have the samename
value, Terraform should view this change as an update to the existinginline_policy
:I'd expect the diff to look like this:
Actual Behavior
Terraform prints a diff showing an
inline_policy
removal and then also aninline_policy
creation:Also, from the attached debug log, we can see that Terraform is actually doing a delete-then-create sequence:
Steps to Reproduce
terraform apply
some-bucket-b
terraform apply
References
I've found this issue mentioned within other
inline_policy
issues:The text was updated successfully, but these errors were encountered: