
bug with aws_iam_role resource #15048

Closed
karnauskas opened this issue Sep 6, 2020 · 6 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. upstream-terraform Addresses functionality related to the Terraform core binary.

Comments

karnauskas commented Sep 6, 2020

Terraform v0.13.1
aws-provider: v3.4.0

Sample code:

resource "aws_iam_role" "jb" {
  assume_role_policy = data.aws_iam_policy_document.jb.json
  name_prefix  = var.prefix
  path = "/aws/ec2/"
}

After changing path got this error:

Error: Provider produced inconsistent final plan

When expanding the plan for module.iam.aws_iam_role.jb to include new values
learned so far during apply, provider "registry.terraform.io/hashicorp/aws"
changed the planned action from CreateThenDelete to DeleteThenCreate.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Sep 6, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 6, 2020
@karnauskas (Author) commented

I think I found a working solution. Adding a lifecycle block helped.

  lifecycle {
    create_before_destroy = true
  }

However, will leave this open since Terraform told me to report it.

@bflad bflad added bug Addresses a defect in current functionality. upstream-terraform Addresses functionality related to the Terraform core binary. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 8, 2020

bflad commented Sep 8, 2020

Hi @karnauskas 👋 Thank you for reporting this and sorry you ran into trouble here. There is indeed some sort of bug within Terraform, but oddly enough it is outside of the Terraform AWS Provider's control since Terraform core is wholly what handles create_before_destroy behaviors. We would love to fix the underlying issue though and could use some help trying to reproduce what you are seeing.

Can you please share a little more of your configuration setup here (redacting anything as necessary)? I'm unable to reproduce this with a simple test configuration and changing the path:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.5.0"
    }
  }

  required_version = "0.13.2"
}

provider "aws" {
  region = "us-east-1"
}

variable "name_prefix" {
  default = "15048-reproduction-test"
  type    = string
}

data "aws_iam_policy_document" "test" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "test" {
  assume_role_policy = data.aws_iam_policy_document.test.json
  name_prefix        = var.name_prefix
  path               = "/path1/"
}
$ terraform0.13.2 apply
data.aws_iam_policy_document.test: Refreshing state... [id=4003806384]
aws_iam_role.test: Refreshing state... [id=15048-reproduction-test20200908124341259000000001]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_iam_role.test must be replaced
-/+ resource "aws_iam_role" "test" {
      ~ arn                   = "arn:aws:iam::--OMITTED--:role/path1/15048-reproduction-test20200908124341259000000001" -> (known after apply)
      ~ assume_role_policy    = jsonencode( # whitespace changes
            {
                Statement = [
                    {
                        Action    = "sts:AssumeRole"
                        Effect    = "Allow"
                        Principal = {
                            Service = "s3.amazonaws.com"
                        }
                        Sid       = ""
                    },
                ]
                Version   = "2012-10-17"
            }
        )
      ~ create_date           = "2020-09-08T12:43:41Z" -> (known after apply)
        force_detach_policies = false
      ~ id                    = "15048-reproduction-test20200908124341259000000001" -> (known after apply)
        max_session_duration  = 3600
      ~ name                  = "15048-reproduction-test20200908124341259000000001" -> (known after apply)
        name_prefix           = "15048-reproduction-test"
      ~ path                  = "/path1/" -> "/path2/" # forces replacement
      - tags                  = {} -> null
      ~ unique_id             = "--OMITTED--" -> (known after apply)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_iam_role.test: Destroying... [id=15048-reproduction-test20200908124341259000000001]
aws_iam_role.test: Destruction complete after 0s
aws_iam_role.test: Creating...
aws_iam_role.test: Creation complete after 0s [id=15048-reproduction-test20200908124527938900000001]

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

@karnauskas (Author) commented

Reproduce... that's kinda tricky. I have had this configuration/stack for more than 3 years now. It has seen many versions of Terraform; however, said resource wasn't changed. One thing which I found was inline/other policy(ies) attached to the role, and this was not defined in Terraform.


grahamhar commented Sep 9, 2020

I've just hit this exact problem in terraform 0.13.1 but with an earlier provider, 2.60.0.

I have a role originally defined as below and created with terraform 0.12.x and provider 2.60.0:

resource "aws_iam_role" "sns_log_failures" {
  name = "${terraform.workspace}-${var.topic_name}-failure"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = local.common_tags
}

I changed the name attribute of the resource (unrelated reason for the change: a workspace was created which meant this name exceeded the limit):

resource "aws_iam_role" "sns_log_failures" {
  name = "${terraform.workspace}-${var.topic_name}-fail"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = local.common_tags
}

This resulted in a clean plan saying change expected, but on apply:

When expanding the plan for
module.delivered_email.aws_iam_role.sns_log_failures to include new values
learned so far during apply, provider "registry.terraform.io/hashicorp/aws"
changed the planned action from CreateThenDelete to DeleteThenCreate.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

This was embedded in a module (private) by the way and only caused issues in some usage not all.

Adding the lifecycle to the resource fixed this, but it feels wrong for me to have to define this just so I can change an attribute; I have several hundred iam_roles in my terraform config, so if I need to do this everywhere it's not ideal.
Let me know if I can provide any more help or information.
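The two replacement orderings named in the error above (DeleteThenCreate versus CreateThenDelete), and the fixed `name` versus `name_prefix` distinction that decides whether create_before_destroy can work at all, can both be checked before apply from the machine-readable plan. What follows is an added example and not code from this issue, from Terraform or from the AWS provider. It assumes the layout `terraform show -json <planfile>` produces (a top-level `resource_changes` list whose entries carry `address`, `type` and a `change` object with `actions`, `before` and `after`; a plain replacement is encoded as actions `["delete", "create"]` and a create_before_destroy replacement as `["create", "delete"]`) and runs against a constructed sample plan embedded in the block. The security point it makes concrete: a delete-then-create replacement leaves the role nonexistent between the two IAM calls, so an instance profile or a service principal calling sts:AssumeRole fails in that window, while a create-then-delete replacement of a role whose fixed `name` does not change cannot succeed, because IAM role names are unique per account regardless of path and the old role still holds that name.

```python
"""Flag aws_iam_role replacements in a Terraform JSON plan and say how each
one will be carried out.

Added example, not code from the issue, Terraform or the AWS provider. It
assumes the `terraform show -json` plan layout described in the lead-in.
"""
import json

# Constructed sample plan, trimmed to the attributes the check reads.
# Entry 1 mirrors the issue's reproduction (name_prefix role, path change);
# entry 2 mirrors the fixed-name rename from the thread; entry 3 is a
# fixed-name role whose path changes under create_before_destroy.
SAMPLE_PLAN_TEXT = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {
            "address": "aws_iam_role.test",
            "type": "aws_iam_role",
            "change": {
                "actions": ["delete", "create"],
                "before": {"name": "15048-reproduction-test20200908124341259000000001",
                           "name_prefix": "15048-reproduction-test", "path": "/path1/"},
                "after": {"name": None, "name_prefix": "15048-reproduction-test",
                          "path": "/path2/"},
            },
        },
        {
            "address": "module.delivered_email.aws_iam_role.sns_log_failures",
            "type": "aws_iam_role",
            "change": {
                "actions": ["create", "delete"],
                "before": {"name": "ws-topic-failure", "name_prefix": None, "path": "/"},
                "after": {"name": "ws-topic-fail", "name_prefix": None, "path": "/"},
            },
        },
        {
            "address": "aws_iam_role.fixed_name",
            "type": "aws_iam_role",
            "change": {
                "actions": ["create", "delete"],
                "before": {"name": "ec2-reader", "name_prefix": None, "path": "/"},
                "after": {"name": "ec2-reader", "name_prefix": None, "path": "/aws/ec2/"},
            },
        },
        {
            "address": "aws_iam_role.untouched",
            "type": "aws_iam_role",
            "change": {"actions": ["no-op"], "before": {"name": "x"}, "after": {"name": "x"}},
        },
    ],
})

DELETE_THEN_CREATE = "delete_then_create"            # role absent between the two API calls
CREATE_THEN_DELETE = "create_then_delete"            # replacement exists before the old one goes
NAME_COLLISION = "create_then_delete_name_collision"  # CreateRole would hit the existing name


def changed_attributes(before, after):
    """Attributes whose known value differs between before and after.
    Values that are None in `after` are unknown until apply and are skipped."""
    before, after = before or {}, after or {}
    return sorted(k for k, v in after.items()
                  if v is not None and before.get(k) != v)


def classify_replacement(change):
    """Return one of the three verdicts above, or None if not a replacement."""
    actions = change.get("actions", [])
    before, after = change.get("before") or {}, change.get("after") or {}
    if actions == ["delete", "create"]:
        return DELETE_THEN_CREATE
    if actions == ["create", "delete"]:
        # A fixed `name` (no name_prefix) that survives the replacement means
        # the new role is created under the very name the old one still holds.
        fixed_name = after.get("name_prefix") is None and after.get("name") is not None
        if fixed_name and after.get("name") == before.get("name"):
            return NAME_COLLISION
        return CREATE_THEN_DELETE
    return None


def iam_role_replacements(plan_text):
    """(address, verdict, changed attributes) for every aws_iam_role being replaced."""
    plan = json.loads(plan_text)
    out = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_role":
            continue
        change = rc.get("change", {})
        verdict = classify_replacement(change)
        if verdict is None:
            continue
        out.append((rc["address"], verdict,
                    changed_attributes(change.get("before"), change.get("after"))))
    return out


def report(plan_text):
    """Human-readable lines suitable for a CI gate on the plan file."""
    return [f"{address}: {verdict} (changed: {', '.join(attrs) or 'n/a'})"
            for address, verdict, attrs in iam_role_replacements(plan_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_PLAN_TEXT):
        print(line)
```

In CI, produce the input with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `iam_role_replacements`; a delete_then_create verdict or the name-collision verdict on a role is worth blocking the apply on, and the changed-attribute list tells you which forces-replacement argument (here `path` or `name`) triggered it.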


bflad commented Oct 27, 2020

Hi @karnauskas 👋 Thank you for reporting this and sorry you ran into trouble here. With the given error message, I believe this was fixed upstream in Terraform CLI by hashicorp/terraform#26192, which was released in Terraform 0.13.3. If you are still running into this same error after upgrading Terraform CLI itself, please open an issue upstream in https://github.com/hashicorp/terraform/issues, since the "changed the planned action from CreateThenDelete to DeleteThenCreate" error cannot be fixed in Terraform Providers (see the referenced pull request for more details).

@bflad bflad closed this as completed Oct 27, 2020

ghost commented Nov 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 26, 2020