
data store "aws_iam_policy" can't get the policy arn #6132

Closed
ozbillwang opened this issue Oct 12, 2018 · 4 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.

Comments

@ozbillwang

ozbillwang commented Oct 12, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform version
Terraform v0.11.8
+ provider.aws v1.40.0

Affected Resource(s)

data sources

  • aws_iam_policy

Terraform Configuration Files

data "aws_iam_policy" "AWSLambdaVPCAccessExecutionRole" {
  arn = "arn:aws:iam::aws:policy/AWSLambdaVPCAccessExecutionRole"
}

data "aws_iam_policy" "ReadOnlyAccess" {
  arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

Debug Output

$ terraform apply -auto-approve
data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole: Refreshing state...
data.aws_iam_policy.ReadOnlyAccess: Refreshing state...
data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Panic Output

Check terraform.tfstate

{
    "version": 3,
    "terraform_version": "0.11.8",
    "serial": 1,
    "lineage": "eccadf69-37e7-586c-10b8-afd2f4c0b04d",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
                "data.aws_iam_policy.ReadOnlyAccess": {
                    "type": "aws_iam_policy",
                    "depends_on": [],
                    "primary": {
                        "id": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                        "attributes": {
                            "arn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                            "description": "Provides read-only access to AWS services and resources.",
                            "id": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                            "name": "ReadOnlyAccess",
                            "path": "/",
                            "policy": "........",
                        },
                        "meta": {},
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                }
            },
            "depends_on": []
        }
    ]
}

Expected Behavior

I should see the ARN for the AWS managed policy AWSLambdaVPCAccessExecutionRole as well.

Actual Behavior

I only see the ARN for the AWS managed policy ReadOnlyAccess.

Steps to Reproduce

So if I try to use data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole,

resource "aws_iam_role_policy_attachment" "lambda" {
  role       = "${aws_iam_role.lambda.name}"
  policy_arn = "${data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole.arn}"
}

I got the error below:

* aws_iam_role_policy_attachment.lambda: Resource 'data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole' not found for variable 'data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole.arn'
@ozbillwang
Author

ozbillwang commented Oct 12, 2018

Seems this managed policy AWSLambdaVPCAccessExecutionRole is the problem.

Compared with other managed policies, it has an extra service-role in its ARN.

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
arn:aws:iam::aws:policy/ReadOnlyAccess

@bflad
Contributor

bflad commented Oct 12, 2018

AWS has a few different resource paths for their managed policies:

  • arn:aws:iam::aws:policy/NAME
  • arn:aws:iam::aws:policy/role/NAME
  • arn:aws:iam::aws:policy/service-role/NAME

It does look like we are incorrectly not returning an error in the data source when it's not found, so I'll file this as a bug in that regard.

We do have a feature request for aws_iam_policy data source lookup by name (#6072) with an initial pull request (#6084). Feel free to upvote those and hopefully we can come up with a solution to make this lookup a little easier. 👍

@bflad bflad added bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. labels Oct 12, 2018
@ozbillwang
Author

ozbillwang commented Oct 12, 2018

@bflad

If the data store aws_iam_policy could accept a name argument and knew how to deal with the different types of policies (normal, role, service-role), that would be a better solution.

Normally, I prefer to use data store to get ARN from its Name.

Sure, I will upvote that PR.
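The two points above (bflad's list of the path prefixes AWS uses for managed policies, and the wish to look a managed policy up by bare name rather than by a path-sensitive ARN) can be exercised locally with the following script. It is an example added to this thread, not code from the Terraform AWS provider. It assumes a policy list shaped like the output of `aws iam list-policies --scope AWS` (the sample below is constructed, trimmed to the fields used), and treats the three paths named in the thread as the known set. Unlike the data source behaviour reported here, a name that matches nothing raises an error instead of silently yielding an empty result, and an ARN written under the wrong path is reported together with the ARN the policy actually has.

```python
"""Resolve AWS managed policy names to ARNs across the path prefixes AWS
uses, and fail loudly when a policy does not exist.

Added example; not code from the Terraform AWS provider."""
import json
import re

# Constructed sample: mirrors the "Policies" list returned by
# `aws iam list-policies --scope AWS`, trimmed to the fields used here.
SAMPLE_LIST_POLICIES = json.dumps({
    "Policies": [
        {"PolicyName": "ReadOnlyAccess",
         "Path": "/",
         "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
        {"PolicyName": "AWSLambdaVPCAccessExecutionRole",
         "Path": "/service-role/",
         "Arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"},
        {"PolicyName": "AWSLambdaBasicExecutionRole",
         "Path": "/service-role/",
         "Arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"},
    ]
})

# Path prefixes named in the thread for AWS managed policies (assumed to be
# the complete set for this example).
KNOWN_PATHS = ("/", "/role/", "/service-role/")

# Splits an AWS managed policy ARN into its path and policy name.
ARN_RE = re.compile(
    r"^arn:aws:iam::aws:policy(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


class PolicyNotFound(LookupError):
    """Raised instead of silently yielding an empty result."""


def index_policies(list_policies_json):
    """Build a name -> ARN map from a list-policies payload."""
    payload = json.loads(list_policies_json)
    return {p["PolicyName"]: p["Arn"] for p in payload["Policies"]}


def candidate_arns(name):
    """All ARNs a managed policy of this name could have under the known paths."""
    return [f"arn:aws:iam::aws:policy{path}{name}" for path in KNOWN_PATHS]


def resolve_policy_arn(name, index):
    """Look up a managed policy by bare name, whatever path it lives under."""
    try:
        return index[name]
    except KeyError:
        raise PolicyNotFound(
            f"no AWS managed policy named {name!r}; tried {candidate_arns(name)}"
        ) from None


def check_configured_arn(arn, index):
    """Validate an ARN as written in Terraform config.

    Returns (True, arn) when it matches the real policy, (False, real_arn)
    when the name exists but under a different path, and raises
    PolicyNotFound when no policy of that name exists at all.
    """
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not an AWS managed policy ARN: {arn!r}")
    real_arn = resolve_policy_arn(m.group("name"), index)
    return (real_arn == arn, real_arn)


if __name__ == "__main__":
    idx = index_policies(SAMPLE_LIST_POLICIES)
    # The ARN from the original config: right name, wrong path.
    ok, real = check_configured_arn(
        "arn:aws:iam::aws:policy/AWSLambdaVPCAccessExecutionRole", idx)
    print("matches:", ok, "actual:", real)
```

In real use, replace `SAMPLE_LIST_POLICIES` with the JSON printed by `aws iam list-policies --scope AWS --output json`, then run `check_configured_arn` over every `policy_arn` in the configuration before applying; a `(False, real_arn)` result is exactly the mismatch this issue describes, and a `PolicyNotFound` is the error the data source should have raised.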

@ghost

ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020