
Lambda IAM Policies Detaching from created IAM Role when Input Order is Changed #629

@tammyisaninja

Description


Swapping the order of policies will result in the policies being detached

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 7.13.0

  • Terraform version:
    1.8.3

  • Provider version(s):
    AWS Provider (hashicorp/aws) Version: 5.71.0
    External Provider (hashicorp/external) Version: 2.3.4
    Local Provider (hashicorp/local) Version: 2.5.2
    Null Provider (hashicorp/null) Version: 3.2.3

Reproduction Code [Required]

module "test" {
  source = "terraform-aws-modules/lambda/aws"

  function_name = "test-function"
  description   = "Lambda function testing"
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  architectures = ["arm64"]
  timeout       = 120
  publish       = true

  // Add all files needed
  source_path = [
    "/Users/<user>/workspace/testing/index.ts"
  ]

  // Add IAM policies to role
  role_name          = "test"
  attach_policies    = true
  number_of_policies = 2
  policies = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
  ]
}

Steps to reproduce the behavior:

  1. Run terraform apply on the above code in your AWS account
  2. All IAM policies are applied successfully
  3. Swap the policies order, now the VPC access policy is above, lambda insight policy is below
     number_of_policies = 2
     policies = [
       "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
       "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
     ]
  4. Run terraform apply again. Plan is as follows:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.test.aws_iam_role_policy_attachment.additional_many[0] must be replaced
+/- resource "aws_iam_role_policy_attachment" "additional_many" {
      ~ id         = "test-20241011122755971000000001" -> (known after apply)
      ~ policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" -> "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.test.aws_iam_role_policy_attachment.additional_many[1] must be replaced
+/- resource "aws_iam_role_policy_attachment" "additional_many" {
      ~ id         = "test-20241011122756169000000002" -> (known after apply)
      ~ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" -> "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" # forces replacement
        # (1 unchanged attribute hidden)
    }

Expected behavior

No change to the policy, nothing should happen.

Actual behavior

The policies that have been swapped are removed from the role; however, the terraform apply is successful.

Issues:

  1. Swapping the policies should not cause removal of them from the IAM role
  2. It should not show success

See reasoning below

Terminal Output Screenshot(s)

This is because the creation happens before deletion.
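The mechanism described in this report, as an added model that is not part of the issue or of the terraform-aws-modules/lambda module: attachments addressed by list index (`additional_many[0]`, `[1]`) are replaced create-before-destroy when their `policy_arn` changes, and because AttachRolePolicy/DetachRolePolicy act on the role's whole policy set rather than on a Terraform instance, the destroy phase detaches both policies. Keying attachments by ARN (`for_each` over a set) makes a reorder a no-op; `missing_policies` is an assumed drift check, not a module function.

```python
# Added example (not from the issue or the module): simulate how index-keyed
# vs ARN-keyed aws_iam_role_policy_attachment resources behave on reorder.

INSIGHTS = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
VPC = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"


def apply_attachments(attached, old_policies, new_policies, key_by_index):
    """Simulate one `terraform apply` against a role.

    attached:     set of policy ARNs currently on the role (real-world state)
    old_policies: the previous `policies` list (state), new_policies: the new one
    key_by_index: True models `count` (address additional_many[i]),
                  False models `for_each = toset(policies)` (address by ARN).
    Returns the attached set after apply. Replacements run create-before-destroy,
    as the issue's plan shows with the "+/-" symbol. The count branch models
    the equal-length reorder from the report, not list growth or shrinkage.
    """
    attached = set(attached)
    if key_by_index:
        # policy_arn is part of the instance identity, so a changed ARN at
        # index i forces replacement of additional_many[i].
        replaced = [(old, new) for old, new in zip(old_policies, new_policies)
                    if old != new]
    else:
        # Only ARNs that enter or leave the set produce any action.
        replaced = []
        for arn in set(new_policies) - set(old_policies):
            attached.add(arn)
        for arn in set(old_policies) - set(new_policies):
            attached.discard(arn)
    # Phase 1: create all replacement instances. AttachRolePolicy is
    # idempotent, so attaching an ARN already on the role is a silent no-op.
    for _old, new in replaced:
        attached.add(new)
    # Phase 2: destroy the old instances. DetachRolePolicy removes the ARN
    # from the role regardless of which Terraform instance "owns" it.
    for old, _new in replaced:
        attached.discard(old)
    return attached


def missing_policies(desired, attached):
    """Drift check (assumed helper): expected ARNs no longer on the role."""
    return sorted(set(desired) - set(attached))
```

A post-apply check that feeds the role's real attached policies (from list-attached-role-policies) into `missing_policies` would catch this silent detachment, which the successful apply does not surface.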
