Merge pull request #1234 from mcwqy9/aws_iam_policy_attachment_warning
Make aws_iam_policy_attachment warning less opaque
grubernaut authored Jul 25, 2017
2 parents cce3fbf + 71892c1 commit 3bdc0ef
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion website/docs/r/iam_policy_attachment.html.markdown
Expand Up @@ -10,7 +10,7 @@ description: |-

Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)

~> **NOTE:** The aws_iam_policy_attachment resource is only meant to be used once for each managed policy. All of the users/roles/groups that a single policy is being attached to should be declared by a single aws_iam_policy_attachment resource.
!> **WARNING:** The aws_iam_policy_attachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via some mechanism other than Terraform will have that attached policy revoked by Terraform. Consider `aws_iam_role_policy_attachment`, `iam_user_policy_attachment`, or `iam_group_policy_attachment` instead. These resources do not enforce exclusive attachment of an IAM policy.

```hcl
resource "aws_iam_user" "user" {
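
Review bot: In the new WARNING line, two of the three suggested alternatives are missing the `aws_` prefix: `iam_user_policy_attachment` and `iam_group_policy_attachment` should be `aws_iam_user_policy_attachment` and `aws_iam_group_policy_attachment`, matching `aws_iam_role_policy_attachment` in the same sentence, so that a reader can find the resources by the names given. In the same line, "even any users/roles/groups that have the attached policy via some mechanism other than Terraform" reads awkwardly; "any users/roles/groups that have the policy attached by some mechanism other than Terraform" says the same thing more directly. Since the warning is about attachments being revoked account-wide, it would also help to link each suggested alternative to its own documentation page.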