Terraform-provider-aws: data store "aws_iam_policy" can't get the policy arn

Created on 12 Oct 2018  ·  4 comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform version
Terraform v0.11.8
+ provider.aws v1.40.0

Affected Resource(s)

data sources

  • aws_iam_policy

Terraform Configuration Files

data "aws_iam_policy" "AWSLambdaVPCAccessExecutionRole" {
  arn = "arn:aws:iam::aws:policy/AWSLambdaVPCAccessExecutionRole"
}

data "aws_iam_policy" "ReadOnlyAccess" {
  arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

Debug Output

$ terraform apply -auto-approve
data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole: Refreshing state...
data.aws_iam_policy.ReadOnlyAccess: Refreshing state...
data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Panic Output

Check terraform.tfstate

{
    "version": 3,
    "terraform_version": "0.11.8",
    "serial": 1,
    "lineage": "eccadf69-37e7-586c-10b8-afd2f4c0b04d",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
                "data.aws_iam_policy.ReadOnlyAccess": {
                    "type": "aws_iam_policy",
                    "depends_on": [],
                    "primary": {
                        "id": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                        "attributes": {
                            "arn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                            "description": "Provides read-only access to AWS services and resources.",
                            "id": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                            "name": "ReadOnlyAccess",
                            "path": "/",
                            "policy": "........"
                        },
                        "meta": {},
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                }
            },
            "depends_on": []
        }
    ]
}

Expected Behavior

I should see the ARN for AWS managed policy AWSLambdaVPCAccessExecutionRole as well.

Actual Behavior

I only see the ARN for AWS managed policy ReadOnlyAccess.

Steps to Reproduce

So if I try to use data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole,

resource "aws_iam_role_policy_attachment" "lambda" {
  role       = "${aws_iam_role.lambda.name}"
  policy_arn = "${data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole.arn}"
}

I got the error below:

* aws_iam_role_policy_attachment.lambda: Resource 'data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole' not found for variable 'data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole.arn'

All 4 comments

Seems this managed policy AWSLambdaVPCAccessExecutionRole is the problem.

If I compare it with other managed policies, it has an extra service-role in its ARN.

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
arn:aws:iam::aws:policy/ReadOnlyAccess

AWS has a few different resource paths for their managed policies:

  • arn:aws:iam::aws:policy/NAME
  • arn:aws:iam::aws:policy/role/NAME
  • arn:aws:iam::aws:policy/service-role/NAME

It does look like we are incorrectly not returning an error in the data source when it's not found, so I'll file this as a bug in that regard.

We do have a feature request for aws_iam_policy data source lookup by name (https://github.com/terraform-providers/terraform-provider-aws/issues/6072) with an initial pull request (https://github.com/terraform-providers/terraform-provider-aws/pull/6084). Feel free to upvote those and hopefully we can come up with a solution to make this lookup a little easier. 👍

@bflad

If the data store aws_iam_policy can accept an argument with name and knows how to deal with different types of policies (normal, role, service-role), that will be a better solution.

Normally, I prefer to use a data store to get the ARN from its name.

Sure, I will upvote that PR.
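The three managed-policy path forms listed by the maintainer, and the lookup-by-name the reporter asks for, as an added example (not code from the issue or from the provider): parse a policy ARN into its parts, and resolve a bare name by trying each path, failing loudly when nothing matches instead of silently returning no attributes. The ARN set is constructed inline; the `/role/` entry is a placeholder name.

```python
import re

# Constructed sample of managed policy ARNs: the two from the issue plus a
# placeholder for the /role/ path form. Not a real inventory.
KNOWN_MANAGED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
    "arn:aws:iam::aws:policy/role/ExamplePlaceholderRolePolicy",
}

# The three path forms named in the thread, tried in this order.
MANAGED_POLICY_PATHS = ("/", "/role/", "/service-role/")

_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>aws|\d{12}):policy"
    r"(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def parse_policy_arn(arn):
    """Split an IAM policy ARN into partition, account, path and name.

    Raises ValueError for anything that is not an IAM policy ARN, so a typo
    or wrong path surfaces as an error rather than an empty data source.
    """
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM policy ARN: {arn!r}")
    return m.groupdict()


def resolve_managed_policy_arn(name, known_arns=KNOWN_MANAGED_POLICY_ARNS):
    """Look up an AWS managed policy by bare name across all path forms.

    Returns the full ARN, or raises LookupError when no candidate exists,
    which is the behaviour the maintainer says the data source should have.
    """
    candidates = [f"arn:aws:iam::aws:policy{p}{name}" for p in MANAGED_POLICY_PATHS]
    matches = [c for c in candidates if c in known_arns]
    if not matches:
        raise LookupError(f"managed policy {name!r} not found under {MANAGED_POLICY_PATHS}")
    return matches[0]
```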

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
