Conversation

@Sanjay3101 Sanjay3101 commented Mar 31, 2025

Description

Currently, when policies are applied, the AWS Terraform provider executes two actions simultaneously: creating a policy and setting it as the default version.
These two operations, when run as a single operation, can expose a brief interval where valid STS tokens with attached Session Policies are rejected by AWS authorization servers that have not received the new default policy version. Separating this into two distinct actions, creating a policy version, pausing briefly, and then setting it as the default version, can avoid this issue, and may be required in environments with very high S3 IO loads.

This pull request introduces a new variable delay_after_policy_creation_in_ms which can be used by users to apply a delay between these API calls.

Relations

Closes #0000

References

Output from Acceptance Testing

terraform-provider-aws git:(sanjay/terraform_apply_variables) make testacc TESTS=TestAccIAMPolicy_updateWithoutDelay PKG=iam
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.5 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMPolicy_updateWithoutDelay'  -timeout 360m -vet=off
2025/03/27 15:10:47 Initializing Terraform AWS Provider...
=== RUN   TestAccIAMPolicy_updateWithoutDelay
=== PAUSE TestAccIAMPolicy_updateWithoutDelay
=== CONT  TestAccIAMPolicy_updateWithoutDelay
--- PASS: TestAccIAMPolicy_updateWithoutDelay (29.29s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/iam	46.006s
terraform-provider-aws git:(sanjay/terraform_apply_variables) make testacc TESTS=TestAccIAMPolicy_updateWithDelay PKG=iam
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.5 test ./internal/service/iam/... -v -count 1 -parallel 20 -run='TestAccIAMPolicy_updateWithDelay'  -timeout 360m -vet=off
2025/03/28 13:44:12 Initializing Terraform AWS Provider...
=== RUN   TestAccIAMPolicy_updateWithDelay
=== PAUSE TestAccIAMPolicy_updateWithDelay
=== CONT  TestAccIAMPolicy_updateWithDelay
--- PASS: TestAccIAMPolicy_updateWithDelay (36.36s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/iam	49.422s

...

...
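The two-phase update the description proposes (create the version without SetAsDefault, wait, then promote it), written out as an added example that is not the pull request's code or the provider's own implementation. It assumes a small `PolicyVersionAPI` interface standing in for the aws-sdk-go-v2 IAM client, an in-memory `FakeIAM` so it runs offline, and a constructed policy ARN; the `delaySet` flag plays the role of the `ok` value a `d.GetOk` lookup of `delay_after_policy_creation_in_ms` would return, so the single-call path is taken only when the attribute is not configured.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// PolicyVersionAPI is the subset of the IAM API that a policy document update
// needs. It is an assumption made for this example: the provider itself calls
// the aws-sdk-go-v2 iam client, whose inputs are structs, not these arguments.
type PolicyVersionAPI interface {
	CreatePolicyVersion(ctx context.Context, policyARN, document string, setAsDefault bool) (string, error)
	SetDefaultPolicyVersion(ctx context.Context, policyARN, versionID string) error
}

// UpdatePolicyDocument publishes a new version of the policy at policyARN.
// delaySet == false means the delay attribute was not configured: the version
// is created and made default in a single call. delaySet == true creates the
// version without SetAsDefault, waits for delay so authorization servers can
// receive the new version, and only then promotes it. Returns the version ID.
func UpdatePolicyDocument(ctx context.Context, api PolicyVersionAPI, policyARN, document string, delay time.Duration, delaySet bool) (string, error) {
	if delaySet && delay < 0 {
		return "", errors.New("delay must not be negative")
	}
	versionID, err := api.CreatePolicyVersion(ctx, policyARN, document, !delaySet)
	if err != nil {
		return "", fmt.Errorf("updating IAM Policy (%s): %w", policyARN, err)
	}
	if !delaySet {
		return versionID, nil
	}
	// Honour cancellation while waiting; the provider passes a context bound to the resource timeout.
	select {
	case <-ctx.Done():
		return "", ctx.Err()
	case <-time.After(delay):
	}
	if err := api.SetDefaultPolicyVersion(ctx, policyARN, versionID); err != nil {
		return "", fmt.Errorf("setting default version %s of IAM Policy (%s): %w", versionID, policyARN, err)
	}
	return versionID, nil
}

// Call records one API invocation so ordering and timing can be inspected.
type Call struct {
	Op           string
	SetAsDefault bool
	At           time.Time
}

// FakeIAM is a constructed in-memory stand-in for the IAM service.
type FakeIAM struct {
	Calls          []Call
	Versions       map[string]string // version ID -> policy document
	DefaultVersion string
}

func NewFakeIAM() *FakeIAM { return &FakeIAM{Versions: map[string]string{}} }

func (f *FakeIAM) CreatePolicyVersion(_ context.Context, _ string, document string, setAsDefault bool) (string, error) {
	id := fmt.Sprintf("v%d", len(f.Versions)+1)
	f.Versions[id] = document
	if setAsDefault {
		f.DefaultVersion = id
	}
	f.Calls = append(f.Calls, Call{Op: "CreatePolicyVersion", SetAsDefault: setAsDefault, At: time.Now()})
	return id, nil
}

func (f *FakeIAM) SetDefaultPolicyVersion(_ context.Context, _ string, versionID string) error {
	if _, ok := f.Versions[versionID]; !ok {
		return fmt.Errorf("NoSuchEntity: version %s does not exist", versionID)
	}
	f.DefaultVersion = versionID
	f.Calls = append(f.Calls, Call{Op: "SetDefaultPolicyVersion", At: time.Now()})
	return nil
}

func main() {
	const arn = "arn:aws:iam::123456789012:policy/example" // constructed
	doc := `{"Version":"2012-10-17","Statement":[]}`
	fake := NewFakeIAM()
	if _, err := UpdatePolicyDocument(context.Background(), fake, arn, doc, 0, false); err != nil {
		panic(err)
	}
	if _, err := UpdatePolicyDocument(context.Background(), fake, arn, doc, 200*time.Millisecond, true); err != nil {
		panic(err)
	}
	for _, c := range fake.Calls {
		fmt.Printf("%s setAsDefault=%v at %s\n", c.Op, c.SetAsDefault, c.At.Format(time.StampMilli))
	}
	fmt.Println("default version:", fake.DefaultVersion)
}
```

Running it shows one `CreatePolicyVersion` with `setAsDefault=true` for the unconfigured case, then a `CreatePolicyVersion` with `setAsDefault=false` followed at least 200 ms later by `SetDefaultPolicyVersion`. If the wait is cancelled the new version exists but is never promoted, so the previous default stays in force, which is the safe failure mode for callers holding session policies.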

@Sanjay3101 Sanjay3101 requested a review from a team as a code owner March 31, 2025 14:58
@github-actions

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions

⚠️ We've detected the following potential issues with your pull request

Maintainer Edit Permissions:

At times, our maintainers need to make direct edits to pull requests in order to prepare it to be merged. At the time of opening this pull request, your settings do not allow maintainers to make such edits. If possible, update your settings as described in the following document. If your fork is owned by an organization that limits your ability to make this change, please let us know.

GitHub: Allowing changes to a pull request branch created from a fork

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/iam Issues and PRs that pertain to the iam service. size/L Managed by automation to categorize the size of a PR. labels Mar 31, 2025
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 31, 2025
gdavison commented Dec 2, 2025

Hi @Sanjay3101, thanks for the PR. Can you please update the PR to allow maintainers to make edits? That will allow us to make any small changes if necessary.

@gdavison gdavison left a comment

I have a few comments below. The PR also needs

  • A changelog entry
  • Documentation for the new attribute

Comment on lines +105 to +109
"delay_after_policy_creation_in_ms": {
Type: schema.TypeInt,
Optional: true,
Default: -1,
},
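Review bot: `Default: -1` is used as a "not set" sentinel but the attribute has no validation, so any other negative value (for example -5) passes the `delayAfterPolicyCreationInMs == -1` check in the update path and is treated as a configured delay; either drop the sentinel in favour of `d.GetOk` (as suggested above) or add a non-negative check such as `ValidateFunc: validation.IntAtLeast(0)`, and document the unit (milliseconds) in the attribute's description.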
The default value can be removed, and below the check should be d.GetOk. The ok value will be false if there is no value set.

Comment on lines +246 to +272
if delayAfterPolicyCreationInMs == -1 {
input := &iam.CreatePolicyVersionInput{
PolicyArn: aws.String(d.Id()),
PolicyDocument: aws.String(policy),
SetAsDefault: true,
}
_, err = conn.CreatePolicyVersion(ctx, input)

_, err = conn.CreatePolicyVersion(ctx, input)
if err != nil {
return sdkdiag.AppendErrorf(diags, "updating IAM Policy (%s): %s", d.Id(), err)
}
} else {

// Creating a policy and setting its version as default in a single operation can expose a brief interval where
// valid STS tokens with attached Session Policies are rejected by AWS authorization servers that have
// not received the new default policy version. Separating this into two distinct actions of creating a policy version,
// pausing briefly, and then setting that to the default version can avoid this issue, and may be required
// in environments with very high S3 IO loads.

input := &iam.CreatePolicyVersionInput{
PolicyArn: aws.String(d.Id()),
PolicyDocument: aws.String(policy),
SetAsDefault: false,
}

var policyVersionOutput *iam.CreatePolicyVersionOutput
policyVersionOutput, err = conn.CreatePolicyVersion(ctx, input)
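Review bot: in the `== -1` branch the line `_, err = conn.CreatePolicyVersion(ctx, input)` appears twice in a row; the first call's error is discarded and, when it succeeds, the second call creates a second identical version of the policy (IAM allows only five versions per policy, so this would also cause spurious limit errors on later updates). Drop the duplicate and, per the maintainer's suggestion, hoist the single `CreatePolicyVersion` call above the conditional so that only `SetAsDefault` and the later `SetDefaultPolicyVersion` call depend on whether a delay was configured.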
The setup and call to CreatePolicyVersion can be combined and the conditional can be for the call to SetDefaultPolicyVersion

Comment on lines +403 to +427
func TestAccIAMPolicy_updateWithoutDelay(t *testing.T) {
ctx := acctest.Context(t)
var out awstypes.Policy
resourceName := "aws_iam_policy.test"
name := "test"
description := "policy_create_update_with_delay"
delayAfterPolicyCreationVariable := "delay_after_policy_creation_in_ms"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.IAMServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckPolicyDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccPolicyConfig_description(name, description),
Check: resource.ComposeTestCheckFunc(
testAccCheckPolicyExists(ctx, resourceName, &out),
resource.TestCheckResourceAttr(resourceName, names.AttrDescription, description),
resource.TestCheckResourceAttr(resourceName, delayAfterPolicyCreationVariable, "-1"),
),
},
},
})
}
This case will be covered by the basic test

Comment on lines +444 to +460
{
Config: testAccPolicyConfig_updateWithDelay(name, description, -1),
Check: resource.ComposeTestCheckFunc(
testAccCheckPolicyExists(ctx, resourceName, &out),
resource.TestCheckResourceAttr(resourceName, names.AttrDescription, description),
resource.TestCheckResourceAttr(resourceName, delayAfterPolicyCreationVariable, "-1"),
),
},
{
Config: testAccPolicyConfig_updateWithDelay(name, description, 3000),
Check: resource.ComposeTestCheckFunc(
testAccCheckPolicyExists(ctx, resourceName, &updatedPolicyOut),
testAccVerifyLatestPolicyId(&out, &updatedPolicyOut),
resource.TestCheckResourceAttr(resourceName, names.AttrDescription, description),
resource.TestCheckResourceAttr(resourceName, delayAfterPolicyCreationVariable, "3000"),
),
},
These two steps do not modify the Policy, other than the value of delay_after_policy_creation_in_ms, so it doesn't test the operation of the delay on creation

github-actions bot commented Jan 5, 2026

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@ewbankkit

@Sanjay3101 Thanks for the contribution 🎉 👏.
