aws iam group and group membership - delete order of operations failure #3295

Closed
keen99 opened this issue Sep 21, 2015 · 4 comments

keen99 commented Sep 21, 2015

When trying to delete a group and its group membership, Terraform fails on the first apply because it tries to remove the group, then removes the membership.

The membership must be removed before the group, not the other way around.

A second apply will get the group removed, but that's far from good behavior. :)

```
aws_iam_group_membership.testgroup2: Refreshing state... (ID: testgroup2-group-membership)
aws_iam_group.testgroup2: Refreshing state... (ID: testgroup2)
aws_iam_group.testgroup2: Destroying...
aws_iam_group_membership.testgroup2: Destroying...
aws_iam_group_membership.testgroup2: Destruction complete
Error applying plan:

1 error(s) occurred:

* aws_iam_group.testgroup2: Error deleting IAM Group testgroup2: DeleteConflict: Cannot delete entity, must remove users from group first.
    status code: 409, request id: [d9c537b9-60a1-11e5-876f-17ed4fb647d7]

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
```

tf, tfstate, plan, and 2 applies here: https://gist.github.com/keen99/355669346ab19cb9a3e9

running Terraform v0.6.3

keen99 commented Sep 22, 2015

apparently this has an intermittent OOO failure on create, too...

```
Expected process to exit with [0], but received '1'
---- Begin output of ["terraform", "apply"] ----
STDOUT: aws_iam_group_membership.testgroup2: Creating...
  group:            "" => "testgroup2"
  name:             "" => "testgroup2-group-membership"
  users.#:          "" => "1"
  users.3863194986: "" => "stiles"
aws_iam_group.testgroup2: Creating...
  arn:       "" => "<computed>"
  name:      "" => "testgroup2"
  path:      "" => "/"
  unique_id: "" => "<computed>"
aws_iam_group.testgroup2: Creation complete
STDERR: Error applying plan:

1 error(s) occurred:

* aws_iam_group_membership.testgroup2: NoSuchEntity: The group with name testgroup2 cannot be found.
    status code: 404, request id: [ada72635-613d-11e5-b968-83180be162d5]
```

@paulcdejean

Steps to reproduce in #3341

catsby (Member) commented Nov 17, 2015

Hello – I've been trying to reproduce this issue using the latest Terraform (v0.6.6) and have not been successful. I've used the below config:

```hcl
provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_group" "group" {
    name = "test-group"
    path = "/"
}

resource "aws_iam_user" "user" {
    name = "test-user-one"
    path = "/"
}

resource "aws_iam_user" "user_two" {
    name = "test-user-two"
    path = "/"
}

resource "aws_iam_user" "user_three" {
    name = "test-user-three"
    path = "/"
}

resource "aws_iam_group_membership" "team" {
    name = "tf-testing-group-membership"
    users = [
        "${aws_iam_user.user.name}",
        "${aws_iam_user.user_two.name}",
        "${aws_iam_user.user_three.name}",
    ]
    group = "${aws_iam_group.group.name}"
}
```

If I remove the group and group_membership, each time I execute the plan the membership is destroyed first, then the group (as I would expect).

I'm going to close this for now. If you feel this is not correct or I'm not following what you're describing, please let me know.

Thanks!
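
Added example (not part of the thread, and not either poster's configuration): Terraform derives create and destroy order from the references between resources, so a membership that names its group through interpolation, as in the config above, is ordered against the group, while one that repeats the name as a literal string is not. All resource names below are constructed.

```hcl
# Constructed example; every name here is illustrative.

resource "aws_iam_user" "example" {
    name = "example-user"
    path = "/"
}

# Variant A: the group name is repeated as a literal string.
# Nothing in the membership refers to the group resource, so Terraform
# has no dependency edge between them and may create or destroy the two
# in either order, or in parallel.
resource "aws_iam_group" "literal" {
    name = "example-literal"
    path = "/"
}

resource "aws_iam_group_membership" "literal" {
    name  = "example-literal-membership"
    users = ["${aws_iam_user.example.name}"]
    group = "example-literal"

    # Uncommenting this line adds the missing edge explicitly:
    # depends_on = ["aws_iam_group.literal"]
}

# Variant B: the group name is interpolated from the group resource.
# The reference makes the membership depend on the group, so the group
# is created first and, on destroy, the membership is removed first.
resource "aws_iam_group" "referenced" {
    name = "example-referenced"
    path = "/"
}

resource "aws_iam_group_membership" "referenced" {
    name  = "example-referenced-membership"
    users = ["${aws_iam_user.example.name}"]
    group = "${aws_iam_group.referenced.name}"
}
```

Running `terraform graph` on a configuration shows whether the edge from the membership to the group is present.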

ghost commented Apr 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Apr 30, 2020