
Deleting Policy Attachment for single role remove attachment for all other roles #17455

Closed

gbrahmi opened this issue Feb 27, 2018 · 2 comments
gbrahmi commented Feb 27, 2018

Terraform Version

$ terraform -v
Terraform v0.11.3
+ provider.aws v1.10.0

Terraform Configuration Files

role_1 deployment:

variable name { default = "demo" }

provider "aws" {
  region = "us-west-2"
}

data "aws_iam_policy_document" "iam_role_1_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "iam_role_1" {
  name = "${var.name}-role_1"
  assume_role_policy = "${data.aws_iam_policy_document.iam_role_1_policy.json}"
}

resource "aws_iam_policy_attachment" "iam_role_1_policy" {
  name       = "${var.name}-role_1"
  roles      = ["${aws_iam_role.iam_role_1.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
}

role_2 deployment:

variable name { default = "demo" }

provider "aws" {
  region = "us-west-2"
}

data "aws_iam_policy_document" "iam_role_2_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "iam_role_2" {
  name = "${var.name}-role_2"
  assume_role_policy = "${data.aws_iam_policy_document.iam_role_2_policy.json}"
}

resource "aws_iam_policy_attachment" "iam_role_2_policy" {
  name       = "${var.name}-role_2"
  roles      = ["${aws_iam_role.iam_role_2.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
}

Expected Behavior

Terraform should only be able to manage the resources which are created by it. It should not change, delete, or remove any policy attachment for resources which are created outside terraform or managed by another terraform instance.

Actual Behavior

Terraform is actually removing the policy attachment for a role which is created outside terraform. In my case to reproduce the problem I've created two separate terraform deployments and deployed them separately.

The two deployments are role_1 and role_2 which have a managed policy attachment.

After I deploy role_1 and role_2, when I go back and destroy role_2 it goes out and removes the policy attachment for role_1 as well.

Steps to Reproduce

  1. For role_1 in a separate terraform deployment:

    terraform init
    terraform apply
    
  2. For role_2 in a separate terraform deployment:

    terraform init
    terraform apply
    
  3. Now destroy the role_2 deployment.

    Be careful while doing this, since it will go out and remove the attached policy from every role in the account. We used Kinesis in our case since we are not using it anywhere in our deployment/account.

    terraform destroy
    
  4. Check the policy attachment for role_1. It will no longer have the Managed Policy attached to role_1 anymore.

Additional Context

References
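Editor's note, not part of the issue: the behaviour reported above is the documented semantics of `aws_iam_policy_attachment`, which manages every attachment of the given policy ARN across all roles, users and groups. Destroying it therefore detaches the policy from every principal, including roles created by another Terraform state or by hand. The per-role resource `aws_iam_role_policy_attachment` only manages the single role/policy pair it declares. The following is an added example (not the reporter's configuration) of the role_2 deployment rewritten with the per-role resource; it assumes the same `name` variable, provider and role definition as in the issue.

```hcl
# Added example: role_2 deployment using a non-exclusive, per-role attachment.
# Assumes the same variable, provider and role as in the issue above.

variable "name" { default = "demo" }

provider "aws" {
  region = "us-west-2"
}

data "aws_iam_policy_document" "iam_role_2_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "iam_role_2" {
  name               = "${var.name}-role_2"
  assume_role_policy = "${data.aws_iam_policy_document.iam_role_2_policy.json}"
}

# aws_iam_role_policy_attachment attaches ONE managed policy to ONE role.
# Destroying this resource detaches the policy from iam_role_2 only;
# attachments of the same policy to other roles, users or groups are untouched.
resource "aws_iam_role_policy_attachment" "iam_role_2_firehose" {
  role       = "${aws_iam_role.iam_role_2.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
}
```

Before destroying any deployment that still uses `aws_iam_policy_attachment`, list who else holds the policy with `aws iam list-entities-for-policy --policy-arn <arn>`; if the output shows roles, users or groups outside that state, migrate to the per-role (or `aws_iam_user_policy_attachment` / `aws_iam_group_policy_attachment`) resources first, otherwise the destroy will strip the policy from all of them at once.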


ghost commented Feb 28, 2018

This issue has been automatically migrated to hashicorp/terraform-provider-aws#3555 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#3555.

@ghost ghost closed this as completed Feb 28, 2018

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020
This issue was closed.