aws_iam_role.force_detach_policies no longer works

[hashibot]

This issue was originally opened by @aleybovich as hashicorp/terraform#16637. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Reproduce:

1. Create an aws role with terraform

resource "aws_iam_role" "sample-instance-role" {
   name               = "sample-instance-role"
   path               = "/"
   force_detach_policies = true
   ... other stuff ...
}

2. Manually add another policy to that role (e.g. via aws console)
3. run terraform destroy

You get an error sample-instance-role: DeleteConflict: Cannot delete entity, must detach all policies first.

force_detach_policies feature has been added a few months ago specifically for this purpose - it detaches all policies that weer added outside of terraform so that the role can be deleted. This used to work briefly in one or two versions but it no longer does in 0.10.7

Documentation: https://www.terraform.io/docs/providers/aws/r/iam_role.html#force_detach_policies

[atsushi-ishibashi]

@aleybovich There is a possibility that policies is truncated because a lot of policies are attached.
Could you share how many policies are attached?
https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#ListAttachedRolePoliciesOutput

[aleybovich]

There are five policies that get attached to all aws roles automatically via Turbot, after those roles are added. That was the reason that I've filed the initial change request a year or so ago and it was implemented. It used to work for a bit but now no longer does.

…

On Nov 18, 2017 12:02 PM, "atsushi-ishibashi" ***@***.***> wrote: @aleybovich <https://github.com/aleybovich> There is a possibility that policies is truncated because a lot of policies are attached. Could you share how many policies are attached? https://docs.aws.amazon.com/sdk-for-go/api/service/iam/# ListAttachedRolePoliciesOutput — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2279 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAkqkRiqJwUK7A4VCVrIiIbYZDTq3lcFks5s3w25gaJpZM4QdGrQ> .

[atsushi-ishibashi]

@aleybovich
https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html

Lists the names of the inline policies that are embedded in the specified IAM role.
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies.

Probably inline policies are still attached. For force_detach_policies, ListAttachedRolePolicies is used.

[aleybovich]

@atsushi-ishibashi - the only inline policy that role has is the one I add in the same terraform template (terraform destroy should take care of that, I assume); all Turbot policies are attached.

[atsushi-ishibashi]

@aleybovich I submitted PR to fix this👍

[aleybovich]

Thank you! Whats the usual turnaround for a pull request like this one?

[atsushi-ishibashi]

Probably...
open issue -> anyone submit PR if needed
or
submit PR with details when you find and solve by yourself.

Refer CONTRIBUTING.md

[bflad]

This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!