Handle role removal correctly in IAM instance profiles. #5
Conversation
If an aws_iam_instance_profile resource is created with `role` set (vs. `roles`, which is deprecated) then the resulting resource is written to the state file with only `role` populated. An IAM instance profile cannot be deleted as long as there is a role attached. If an attempt is made to delete the instance profile resource without an intervening refresh, the provider will read the (empty) `roles` property, detach no roles, then try to delete the resource. The delete will fail. Note that most users won't see this because apply and plan refresh first, and the code for Get always sets `roles`. These changes consider the value of `role` in `instanceProfileRemoveAllRoles` before considering `roles`. If `role` is populated, the role named therein is removed. The removed role is tracked s.t. if it is also present in `roles` no attempt is made to remove it twice.
Fixes #5.
Fixes pulumi/pulumi-aws#41, right?
And also fixes hashicorp/terraform-provider-aws#1777?
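The removal logic the description calls for, as an added example in Go that is not the provider's own code: `RoleDetacher` and `fakeIAM` are hypothetical stand-ins for the provider's IAM client, and `DeleteInstanceProfile` plays the part of `instanceProfileRemoveAllRoles` followed by the delete.

```go
package main

import "fmt"

// RoleDetacher is a hypothetical stand-in for the provider's IAM client, not the real AWS SDK.
type RoleDetacher interface {
	RemoveRoleFromInstanceProfile(profile, role string) error
	DeleteInstanceProfile(profile string) error
}

// RolesToDetach lists the distinct roles recorded in state: `role` first, then the deprecated `roles` list, so a role present in both is detached only once.
func RolesToDetach(role string, roles []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range append([]string{role}, roles...) {
		if r != "" && !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// DeleteInstanceProfile detaches every recorded role, then deletes the profile,
// which AWS only allows once no role is attached.
func DeleteInstanceProfile(c RoleDetacher, profile, role string, roles []string) error {
	for _, r := range RolesToDetach(role, roles) {
		if err := c.RemoveRoleFromInstanceProfile(profile, r); err != nil {
			return fmt.Errorf("detaching role %q: %w", r, err)
		}
	}
	return c.DeleteInstanceProfile(profile)
}

// fakeIAM is a constructed double: it counts detach calls and, like the real service, refuses to delete a profile while a role is still attached.
type fakeIAM struct {
	attached    map[string]bool // roles still attached to the single test profile
	detachCalls int
}

func (f *fakeIAM) RemoveRoleFromInstanceProfile(_, role string) error {
	f.detachCalls++
	delete(f.attached, role)
	return nil
}
func (f *fakeIAM) DeleteInstanceProfile(profile string) error {
	if len(f.attached) > 0 {
		return fmt.Errorf("DeleteConflict: %q still has roles attached", profile)
	}
	return nil
}
```

Calling `DeleteInstanceProfile` with an empty `role` against a profile that still has a role attached reproduces the failing pre-fix path: nothing is detached and the delete is refused.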
Sort of? It fixes the underlying issue, but I think that issue effectively tracks updating our examples and pulumi/cloud to use
Yes.
lgtm
Would be great if we could add a test for this condition. As I noted in pulumi/pulumi-aws#41, it's not entirely clear why existing tests don't hit this.
It may be that this case is unreachable via terraform and only reachable via how we invoke Terraform Providers. If so, we should understand that and whether that is something we need to fix more generally.
I am still not following one thing: Are we invoking the Terraform provider "incorrectly"?
Given my limited understanding of Terraform, I suspect that this is not something that is reachable via the
That's my question exactly. Or more specifically - why is If we could write a And if it's not observable from
Unfortunately we can't really rely just on documentation - we have to generally support whatever providers assume and do in practice - as our goal is to be compatible with (effectively) all of them.
I think we might actually be able to write a test for this: IIUC we can set the FWIW, this might actually be observable from
Never mind; I did not understand correctly. The Terraform tests always perform a
Luke and I discussed offline what we think the path forward is here. For now, we've decided to take and upstream this change in order to unblock ourselves. We will also separately experiment with performing
(the latter is tracked by https://github.com/pulumi/pulumi-terraform/issues/57)