
Deleting Policy Attachment for single role removes attachment for all other roles #3555

Closed
ghost opened this issue Feb 28, 2018 · 4 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.

Comments


ghost commented Feb 28, 2018

This issue was originally opened by @gbrahmi as hashicorp/terraform#17455. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

$ terraform -v
Terraform v0.11.3
+ provider.aws v1.10.0

Terraform Configuration Files

role_1 deployment:

variable name { default = "demo" }

provider "aws" {
  region = "us-west-2"
}

data "aws_iam_policy_document" "iam_role_1_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "iam_role_1" {
  name = "${var.name}-role_1"
  assume_role_policy = "${data.aws_iam_policy_document.iam_role_1_policy.json}"
}

resource "aws_iam_policy_attachment" "iam_role_1_policy" {
  name       = "${var.name}-role_1"
  roles      = ["${aws_iam_role.iam_role_1.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
}

role_2 deployment:

variable name { default = "demo" }

provider "aws" {
  region = "us-west-2"
}

data "aws_iam_policy_document" "iam_role_2_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "iam_role_2" {
  name = "${var.name}-role_2"
  assume_role_policy = "${data.aws_iam_policy_document.iam_role_2_policy.json}"
}

resource "aws_iam_policy_attachment" "iam_role_2_policy" {
  name       = "${var.name}-role_2"
  roles      = ["${aws_iam_role.iam_role_2.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
}

Expected Behavior

Terraform should only be able to manage the resources which are created by it. It should not change, delete, or remove any policy attachment for resources which are created outside terraform or managed by another terraform instance.

Actual Behavior

Terraform is actually removing the policy attachment for a role which is created outside terraform. In my case to reproduce the problem I've created two separate terraform deployments and deployed them separately.

The two deployments are role_1 and role_2 which have a managed policy attachment.

After I deploy role_1 and role_2, when I go back and destroy role_2 it goes out and removes the policy attachment for role_1 as well.

Steps to Reproduce

  1. For role_1 in a separate terraform deployment:

    terraform init
    terraform apply
    
  2. For role_2 in a separate terraform deployment:

    terraform init
    terraform apply
    
  3. Now destroy the role_2 deployment.

    Be careful while doing this, since it will go out and remove the attached policy from every role in the account. We used Kinesis in our case since we are not using it anywhere in our deployment/account.

    terraform destroy
    
  4. Check the policy attachment for role_1. It will no longer have the Managed Policy attached to role_1 anymore.

Additional Context

References

@radeksimko radeksimko added bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. labels Feb 28, 2018

gbrahmi commented Mar 1, 2018

Turns out this was a problem with the resource aws_iam_policy_attachment which was creating an exclusive attachment on the policy. Deletion of the resource caused the policy to be revoked from all the other non-terraform-controlled roles/users/groups as well.

The problem was fixed using aws_iam_role_policy_attachment.
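The fix gbrahmi describes, written out as the role_1 deployment from the issue body with the exclusive aws_iam_policy_attachment replaced by aws_iam_role_policy_attachment. This is an added example in the Terraform 0.11 syntax used above, not code from the issue or the provider repository:

```hcl
variable name { default = "demo" }

provider "aws" {
  region = "us-west-2"
}

data "aws_iam_policy_document" "iam_role_1_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "iam_role_1" {
  name               = "${var.name}-role_1"
  assume_role_policy = "${data.aws_iam_policy_document.iam_role_1_policy.json}"
}

# aws_iam_role_policy_attachment manages exactly one (role, policy) pair.
# Destroying it detaches the policy from this role only; role_2 (or any
# role attached outside Terraform) keeps its attachment. The AWS-managed
# policy is shared across accounts, so nothing in this state should claim
# exclusive ownership of it, which is what aws_iam_policy_attachment does.
resource "aws_iam_role_policy_attachment" "iam_role_1_policy" {
  role       = "${aws_iam_role.iam_role_1.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
}
```

The role_2 deployment gets the same change; aws_iam_policy_attachment stays appropriate only when one Terraform state is meant to be the sole manager of every user, role and group attached to that policy.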


bflad commented Mar 1, 2018

@gbrahmi thanks for the followup and sorry you got tripped up by that. Is there any way we can improve the documentation? I'm going to close this issue just to keep the repository clean (since I know you can't due to the bot moving it), but don't hesitate to reply back with any recommendations and we can reopen if necessary.

@bflad bflad closed this as completed Mar 1, 2018

yoyoware commented Sep 27, 2018

I have 4 suggestions

suggestion #1
change the title description of the aws_iam_policy_attachment description
from: Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
to: Attaches a Managed IAM Policy to all user(s), role(s), and/or group(s) regardless of being created by Terraform or not

https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html

suggestion #2
to be consistent with the warning you placed in the aws_iam_policy_attachment page
https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html

I also suggest you change the title description of these 3 help pages to indicate they are just for the specified user(s), role(s), group(s) indicated and do not apply to all
https://www.terraform.io/docs/providers/aws/r/iam_user_policy_attachment.html
https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html
https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html

suggestion #3
add cross reference links between all 4 pages, this would have likely reduced my debug time from 4 hours to 30 minutes
https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html
https://www.terraform.io/docs/providers/aws/r/iam_user_policy_attachment.html
https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html
https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html

suggestion #4
since aws_iam_policy_attachment is intended to apply to all IAM users then terraform should really error out when the aws_iam_group_membership is adding users to an aws_iam_group which has a policy of aws_iam_policy_attachment, such as in this example:

resource "aws_iam_group" "administrators" {
  name = "administrators"
}

resource "aws_iam_policy_attachment" "administrators-attach" {
  name       = "administrators-attach"
  groups     = ["${aws_iam_group.administrators.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_user" "admin1" {
  name = "admin1"
}

resource "aws_iam_user" "admin2" {
  name = "admin2"
}

resource "aws_iam_group_membership" "administrators-users" {
  name = "administrators-users"
  users = [
    "${aws_iam_user.admin1.name}",
    "${aws_iam_user.admin2.name}",
  ]
  group = "${aws_iam_group.administrators.name}"
}


ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020