Terraform-provider-aws: destroying aws_iam_policy_attachment to a managed policy deletes everyone's attachments

_This issue was originally opened by @slowbluecamera as hashicorp/terraform#5483. It was migrated here as part of the provider split. The original body of the issue is below._

If you use the "aws_iam_policy_attachment" resource to attach a role to a managed_policy, when you destroy the configuration, it will remove attachments made by other configurations, or even manually setup attachments.

In the example configurations below, configuration "plan_one.tf" sets up an attachment to the "AWSLambdaBasicExecutionRole" managed policy. The configuration "plan_two.tf" also sets up a similar attachment. If you apply both configurations, and then delete one, you'll find that both attachments have bene removed.

Also, if you have set up role attachments to the managed policy by other scripts, or manually, then you will find that those attachments have been removed (which is how we discovered it! :-( ).

Have reproduced this in terraform-0.6.12 on OSX.

(This is my first issue reported to the terraform project. I've reviewed submitting guidelines and tried to be complete, but I'd like this issue to be as useful as possible. So if there is any additional information needed or changes in style that would be helpful, please don't hesitate to let me know. Thanks!)

Workarounds:

• don't use managed policies in terraform configurations
• (haven't tried this) use IAM to permissions to prevent terraform from deleting attachments it hasn't set up, and then make sure your terraform configurations don't use the same managed policies.

Steps to reproduce:

  one/
     plan_one.tf
     variables.tf
  two/
     plan_two.tf
     variables.tf

1. create two configurations as above directories (using the file contents below).
2. set environment variables as appropriate
   export TF_VAR_access_key=_AWS ACCESS KEY_
   export TF_VAR_secret_key=_AWS SECRET KEY_
3. "cd one; terraform apply" to create config one
4. "cd two; terraform apply" to create config two
5. "cd one; terraform destroy" to destroy config one
6. "cd two; terraform plan" to see if config two is still complete

Notice that the policy attachment in plan_two.tf is no longer there.

plan_one.tf

provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region = "${var.region}"
}

# Configure security settings for Lambda
resource "aws_iam_role" "lambda_exec_role" {
  name = "PlanOneLambdaExecRole"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

# Attach role to Managed Policy
resource "aws_iam_policy_attachment" "test_attach" {
  name = "PlanOneLambdaExecPolicy"
  roles = ["${aws_iam_role.lambda_exec_role.id}"]
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

two/plan_two.tf

provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region = "${var.region}"
}

# Configure security settings for Lambda
resource "aws_iam_role" "lambda_exec_role" {
  name = "PlanTwoLambdaExecRole"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

# Attach role to Managed Policy
resource "aws_iam_policy_attachment" "test_attach" {
  name = "PlanTwoLambdaExecPolicy"
  roles = ["${aws_iam_role.lambda_exec_role.id}"]
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

variables.tf (identical in both configurations)

# to set aws key env variables
variable "access_key" {}
variable "secret_key" {}

variable "region" {
  default = "us-east-1"
}