Terraform-provider-aws: provider/aws: IAM policy attachment/detach bug?

Created on 13 Jun 2017  ·  4 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @saswatp as hashicorp/terraform#6045. It was migrated here as part of the provider split. The original body of the issue is below._


I have an AWS policy ARN and I am attaching a role to that policy. Since the policy is a global policy (arn:aws:iam::aws:policy/AmazonS3FullAccess), there are some other users also associated with that policy (not through Terraform). In my plan and apply, I am not explicitly attaching a particular user.

When I detach the role from the policy, Terraform detaches the users associated with that policy. So the bug is that we don't explicitly attach users to a policy; however, when we detach a role from the policy we also detach users that we didn't attach in the first place. I tried to hack around it by providing a null value for user, assuming that when I detach, it won't detach other users as the user I am associating is null. That failed, as a "" user can't be attached in the first place (doesn't exist).

Detaching an IAM policy detaches users attached to that policy

```hcl
resource "aws_iam_policy_attachment" "management-host-policy-attach" {
  name       = "${var.service}-management-attachment"
  roles      = ["${aws_iam_role.management-instance-role.name}"]
  //users    = ["${var.iam_users}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"

  lifecycle {
    create_before_destroy = true
  }
}
```

terraform version
Terraform v0.6.15-dev (b20f680cbf0505825e6ae173c5986243683d8eb3)

Labels: bug, service/iam

All 4 comments

⚠️ ⚠️ ⚠️ ❗️ PSA:

Terraform removes attachments that are not Terraform-managed; this is hugely disruptive and downright dangerous to use in a live environment. Folks should probably stick with using aws_iam_role_policy_attachment instead of aws_iam_policy_attachment.

aws_iam_policy_attachment as it is implemented today is insanely dangerous and should be either fixed to not touch attachments it never knew about or removed from Terraform.

For those finding this old issue, which I'm going to close out now: we updated the resource documentation to very obviously display a big red warning message at the top. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html

WARNING: The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via some mechanism other than Terraform will have that attached policy revoked by Terraform. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead. These resources do not enforce exclusive attachment of an IAM policy.

In almost all cases we tend to highly recommend using the separate aws_iam_group_policy_attachment, aws_iam_role_policy_attachment, and aws_iam_user_policy_attachment resources.
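As an added illustration of the distinction the maintainers are making (this is example code written for this page, not the issue author's configuration or the provider's documentation), here are the exclusive resource and its per-principal replacement side by side, in current HCL syntax. The role `aws_iam_role.app`, the variable `var.s3_admin_users`, and the resource names are assumptions made for the example:

```hcl
# Added example, not from the issue or the provider docs.
# aws_iam_role.app and var.s3_admin_users are assumed to exist.

# DANGEROUS: exclusive attachment. On every apply Terraform reconciles the
# complete set of principals attached to this policy across the account.
# Any user, group or role attached out-of-band (console, CLI, another
# workspace) is not in this list, so Terraform detaches it.
resource "aws_iam_policy_attachment" "s3_full_access_exclusive" {
  name       = "s3-full-access-attachment"
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
  roles      = [aws_iam_role.app.name]
  # No users/groups declared means "desired state: zero users, zero groups",
  # which is exactly the revocation the original issue describes.
}

# SAFE: one resource per (principal, policy) pair. Terraform only owns the
# attachments it created; attachments of other principals are never read
# into state and never touched.
resource "aws_iam_role_policy_attachment" "app_s3_full_access" {
  role       = aws_iam_role.app.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

# Users that Terraform does manage get their own attachments as well.
# Users attached outside Terraform are simply not represented here.
resource "aws_iam_user_policy_attachment" "s3_admins_full_access" {
  for_each   = toset(var.s3_admin_users) # assumed list(string) variable
  user       = each.value
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
```

Before replacing an existing aws_iam_policy_attachment, list who is currently attached with `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess`, and read the `terraform plan` output closely: with the exclusive resource, out-of-band principals show up as entries being removed from the `users`, `groups` or `roles` lists, which is the signal that an apply would revoke someone else's access.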

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!