
Destroying a terraform created role attached to an AWS standard policy, removes all roles attached to that policy #23046

Closed
Richard-Payne opened this issue Oct 10, 2019 · 2 comments

Comments

@Richard-Payne

Terraform v0.12.8
+ provider.aws v2.31.0
+ provider.null v2.1.2

Debug Output

https://gist.github.com/Richard-Payne/80154244c7abcee7d5cb6e1cbf8a7296

Configuration

provider "aws" {
  region  = "eu-west-2"
  profile = "shared"
}

resource "aws_iam_policy_attachment" "aws_policy_attachments" {
  depends_on = [ aws_iam_role.roles ]
  name       = "tf_test_attachments"
  roles      = [ "tf_test_auto" ]
  policy_arn = "arn:aws:iam::0123456789012:policy/TF_Test"
}

resource "aws_iam_role" "roles" {
  name               = "tf_test_auto"
  assume_role_policy = local.assume_role_policy
  tags = {
    "created_by" = "terraform"
  }
}

locals {
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

Expected Behavior

We have a role, created in terraform, and use the aws_iam_policy_attachment resource to attach a non-terraformed policy to the role. In our case it is an AWS role, but it applies to any policy. We also have another role, created manually, that has that policy attached too.

We expected that when we run terraform destroy it will detach our terraform created role from the policy and leave the manually created role untouched.

Actual Behavior

terraform destroy unlinks the policy from all roles it is attached to, not just the ones under terraform's control.

eg:

Terraform will perform the following actions:

  # aws_iam_policy_attachment.aws_policy_attachments will be destroyed
  - resource "aws_iam_policy_attachment" "aws_policy_attachments" {
      - groups     = [] -> null
      - id         = "tf_test_attachments" -> null
      - name       = "tf_test_attachments" -> null
      - policy_arn = "arn:aws:iam::0123456789012:policy/TF_Test" -> null
      - roles      = [
          - "TF_Test_Manual",
          - "tf_test_auto",
        ] -> null
      - users      = [] -> null
    }

Notice that it is stripping all of the attached roles, not just the ones under terraform's control.

Steps to Reproduce

  1. Create 'TF_Test' policy (any settings)
  2. Create 'tf_test_manual' role
  3. Attach 'TF_Test' policy to 'tf_test_manual' role
  4. terraform init
  5. terraform apply
  6. terraform destroy
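The behaviour reported above matches the documented semantics of aws_iam_policy_attachment: it is an exclusive attachment resource that claims every role, user and group attached to the policy (which is why the refreshed state in the plan output lists TF_Test_Manual under roles), so destroying it detaches all of them. The per-pair resource aws_iam_role_policy_attachment manages only one role/policy pair and its destroy issues a detach for that role alone. The configuration below is an added example, not part of the original report or of the provider's own documentation; it reuses the provider block, role name, tags and ec2.amazonaws.com assume-role principal from the report, and keeps the placeholder policy ARN from the report, which must be replaced with the real one.

```hcl
provider "aws" {
  region  = "eu-west-2"
  profile = "shared"
}

locals {
  # Placeholder ARN copied from the report above; replace with the real policy ARN.
  policy_arn = "arn:aws:iam::0123456789012:policy/TF_Test"

  # Same trust policy as the report, expressed with jsonencode (Terraform 0.12+).
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role" "roles" {
  name               = "tf_test_auto"
  assume_role_policy = local.assume_role_policy
  tags = {
    created_by = "terraform"
  }
}

# Per-pair attachment: Terraform owns only the (tf_test_auto, TF_Test) pair.
# Destroying this resource detaches the policy from this role only, so roles
# attached outside Terraform (for example TF_Test_Manual) are left untouched.
# Referencing the role resource directly also makes depends_on unnecessary.
resource "aws_iam_role_policy_attachment" "tf_test_auto" {
  role       = aws_iam_role.roles.name
  policy_arn = local.policy_arn
}
```

Before running terraform destroy on a configuration that still uses aws_iam_policy_attachment, run `aws iam list-entities-for-policy --policy-arn <arn>`: every role, user and group in that output is what the destroy will detach, not only the ones Terraform created. If an existing state already holds an aws_iam_policy_attachment, remove it from state with `terraform state rm` before switching to the per-pair resource, so that the exclusive resource is never destroyed.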
@ghost

ghost commented Oct 10, 2019

This issue has been automatically migrated to hashicorp/terraform-provider-aws#10459 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#10459.

@ghost

ghost commented Nov 10, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Nov 10, 2019
This issue was closed.