```
% terraform -v
Terraform v0.9.8
```
```hcl
resource "aws_iam_group_membership" "release_manager_dynamo" {
  provider = "aws.release_manager_iam"
  name     = "release-manager-${var.spaceID}-dynamo-membership"
  group    = "${var.release_manager_iam_group}"
  users    = ["${aws_iam_user.release_manager.name}"]
}
```
Hi, here is where I will propose what I'd like:
In the example snippet above, with just the one user listed, membership for that user would be ensured but any other members of the group would be left alone. This could be achieved with a new only_present or similar boolean. This would make the resource behave more like, say, heroku_app when it manages config vars.
If the group at AWS has users A and B but applying the above config only lists B, A will be removed. If the config above then works out to list A (such as if using a different terraform env), A would be re-added and B would be removed.
```
terraform apply
```
We are using a trick sort of described here where using the magic ${aws:username} variable in policies you can create a user which can manage users named eg ${aws:username}-* and can only add them to a group named ${aws:username}. Elsewhere in our terraform config we have an aliased aws provider (release_manager_iam in config above) using credentials which have this ability.
@danp - I was taking a look at the implementation of this and realized I'm not sure how this works in practice. If I set only_present to true, does this mean it is no longer possible to remove users from the given membership? I guess so, right?
For example, if I have this:
```hcl
resource "aws_iam_group_membership" "release_manager_dynamo" {
  provider     = "aws.release_manager_iam"
  name         = "release-manager-${var.spaceID}-dynamo-membership"
  group        = "${var.release_manager_iam_group}"
  users        = ["${aws_iam_user.release_manager.name1}", "${aws_iam_user.release_manager.name2}"]
  only_present = true
}
```
Then change it to this:
```hcl
resource "aws_iam_group_membership" "release_manager_dynamo" {
  provider     = "aws.release_manager_iam"
  name         = "release-manager-${var.spaceID}-dynamo-membership"
  group        = "${var.release_manager_iam_group}"
  users        = ["${aws_iam_user.release_manager.name1}"]
  only_present = true
}
```
I guess that would be a no op, right?
Also, I haven't tried it out yet, but I guess under the current implementation, creating this resource exhibits different behavior from updating it because the creation of the resource would only be additive. Is this why you marked it as a bug @Ninir? If so, then should I just change the behavior without adding a new option flag?
I think this might be a dup of #113 actually
Right, yeah, with only_present = true aws_iam_group_membership would only ever add users to the group, never remove. So this probably is a dup of https://github.com/terraform-providers/terraform-provider-aws/issues/113. Guessing based on numbering (this issue being 10, that being 113) that I searched before the issue migration from hashicorp/terraform was done. We can merge this into 113.
For anyone still lurking on this old issue, you can now non-exclusively manage group membership with the new aws_iam_user_group_membership resource in version 1.17.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading and happy Terraform'ing! 🎉
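As an added illustration (not code from the issue or the provider project), the two resources side by side: the original exclusive `aws_iam_group_membership` from this issue, and the non-exclusive `aws_iam_user_group_membership` that the comment above points to. It assumes the same `var.spaceID`, `var.release_manager_iam_group`, `aws_iam_user.release_manager` and aliased `aws.release_manager_iam` provider as the original snippet, and provider version 1.17.0 or later.

```hcl
# Added example, not part of the issue. Assumes the variables, user and
# aliased provider from the original report and AWS provider >= 1.17.0.
provider "aws" {
  alias   = "release_manager_iam"
  version = ">= 1.17.0"
}

# EXCLUSIVE: Terraform treats `users` as the complete membership list.
# Any user in the group that is not listed here is removed on apply,
# so two environments (spaceIDs) pointing at the same group will keep
# evicting each other's user, exactly the A/B flip described above.
# Only appropriate when this one configuration owns the whole group.
resource "aws_iam_group_membership" "release_manager_dynamo" {
  provider = "aws.release_manager_iam"
  name     = "release-manager-${var.spaceID}-dynamo-membership"
  group    = "${var.release_manager_iam_group}"
  users    = ["${aws_iam_user.release_manager.name}"]
}

# NON-EXCLUSIVE: manages only this user's group list. Other members of
# the group are never touched, so several environments can share the
# group, each adding just its own ${aws:username}-scoped user. Trade-off
# for defenders: members added out of band are not detected or removed
# by this resource, so group membership drift must be reviewed elsewhere.
resource "aws_iam_user_group_membership" "release_manager_dynamo" {
  provider = "aws.release_manager_iam"
  user     = "${aws_iam_user.release_manager.name}"
  groups   = ["${var.release_manager_iam_group}"]
}
```

Use one or the other for a given group, not both: the exclusive resource would remove the users that the non-exclusive resources add.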
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!