Expected Behavior
We have a role, created in Terraform, and use the aws_iam_policy_attachment resource to attach a non-Terraformed policy to the role. In our case it is an AWS role, but it applies to any policy. We also have another role, created manually, that has that policy attached too.
We expected that when we run terraform destroy it will detach our Terraform-created role from the policy and leave the manually created role untouched.
Actual Behavior
terraform destroy unlinks the policy from all roles it is attached to, not just the ones under Terraform's control.
e.g.:
```
Terraform will perform the following actions:

  # aws_iam_policy_attachment.aws_policy_attachments will be destroyed
  - resource "aws_iam_policy_attachment" "aws_policy_attachments" {
      - groups     = [] -> null
      - id         = "tf_test_attachments" -> null
      - name       = "tf_test_attachments" -> null
      - policy_arn = "arn:aws:iam::0123456789012:policy/TF_Test" -> null
      - roles      = [
          - "TF_Test_Manual",
          - "tf_test_auto",
        ] -> null
      - users      = [] -> null
    }
```
Notice that it is stripping all of the attached roles, not just the ones under Terraform's control.
Steps to Reproduce
1. Create 'TF_Test' policy (any settings)
2. Create 'tf_test_manual' role
3. Attach 'TF_Test' policy to 'tf_test_manual' role
4. terraform init
5. terraform apply
6. terraform destroy
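As an added illustration (not configuration from the original report), the two ways of expressing this attachment in HCL. aws_iam_policy_attachment is exclusive: Terraform treats the complete set of roles, users and groups attached to the policy as its own, which is why the plan above shows TF_Test_Manual in roles even though Terraform never created it, and why destroy detaches it. aws_iam_role_policy_attachment manages only one role/policy pair and leaves other attachments alone. The policy ARN and the tf_test_auto role name are taken from the plan output in the report; the assume-role policy document is an assumption for illustration, and the two resource blocks are alternatives, not meant to coexist in one configuration.

```hcl
# Added example, not from the original issue. Policy ARN and role name follow
# the report's plan output; the assume-role document is assumed.
variable "policy_arn" {
  # Pre-existing policy, deliberately NOT managed by Terraform.
  default = "arn:aws:iam::0123456789012:policy/TF_Test"
}

resource "aws_iam_role" "tf_test_auto" {
  name = "tf_test_auto"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Option A: the behaviour reported above. This resource claims EVERY
# attachment of the policy. On apply/refresh it records the manually attached
# role in `roles`, and on destroy it detaches the policy from all of them.
resource "aws_iam_policy_attachment" "aws_policy_attachments" {
  name       = "tf_test_attachments"
  policy_arn = var.policy_arn
  roles      = [aws_iam_role.tf_test_auto.name]
}

# Option B: non-exclusive replacement. Use this INSTEAD of Option A.
# Only the tf_test_auto <-> TF_Test pair is in state, so destroy detaches
# just that role; attachments made outside Terraform are untouched.
resource "aws_iam_role_policy_attachment" "tf_test_auto" {
  role       = aws_iam_role.tf_test_auto.name
  policy_arn = var.policy_arn
}
```

Before running destroy against an existing aws_iam_policy_attachment, `terraform plan -destroy` (or `terraform state show aws_iam_policy_attachment.aws_policy_attachments`) lists every principal under `roles`, `users` and `groups`; anything there that Terraform did not create will be detached. Switching to aws_iam_role_policy_attachment means removing the old resource from state with `terraform state rm` rather than destroying it, otherwise the switch itself triggers the same mass detach.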
ghost locked and limited conversation to collaborators on Nov 10, 2019.
This issue was closed.
Debug Output
https://gist.github.com/Richard-Payne/80154244c7abcee7d5cb6e1cbf8a7296
Configuration