
Lambda IAM Policies Detaching from created IAM Role when Input Order is Changed #629

Closed
tammyisaninja opened this issue Oct 11, 2024 · 3 comments
Description

Swapping the order of policies will result in the policies being detached

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 7.13.0

  • Terraform version:
    1.8.3

  • Provider version(s):
    AWS Provider (hashicorp/aws) Version: 5.71.0
    External Provider (hashicorp/external) Version: 2.3.4
    Local Provider (hashicorp/local) Version: 2.5.2
    Null Provider (hashicorp/null) Version: 3.2.3

Reproduction Code [Required]

module "test" {
  source = "terraform-aws-modules/lambda/aws"

  function_name = "test-function"
  description   = "Lambda function testing"
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  architectures = ["arm64"]
  timeout       = 120
  publish       = true

  // Add all files needed
  source_path = [
    "/Users/<user>/workspace/testing/index.ts"
  ]

  // Add IAM policies to role
  role_name          = "test"
  attach_policies    = true
  number_of_policies = 2
  policies = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
  ]
}

Steps to reproduce the behavior:

  1. Run terraform apply on the above code into your aws account
  2. All IAM policies are applied successfully
  3. Swap the policy order so that the VPC access policy is above and the Lambda Insights policy is below:

number_of_policies = 2
policies = [
  "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
  "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
]

  4. Run terraform apply again. Plan is as follows:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.test.aws_iam_role_policy_attachment.additional_many[0] must be replaced
+/- resource "aws_iam_role_policy_attachment" "additional_many" {
      ~ id         = "test-20241011122755971000000001" -> (known after apply)
      ~ policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" -> "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.test.aws_iam_role_policy_attachment.additional_many[1] must be replaced
+/- resource "aws_iam_role_policy_attachment" "additional_many" {
      ~ id         = "test-20241011122756169000000002" -> (known after apply)
      ~ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" -> "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" # forces replacement
        # (1 unchanged attribute hidden)
    }

Expected behavior

No change to the policy, nothing should happen.

Actual behavior

The policies that have been swapped are removed from the role; however, the terraform apply is successful.

Issues:

  1. Swapping the policies should not cause removal of them from the IAM role
  2. It should not show success

See reasoning below

Terminal Output Screenshot(s)

This is because the creation happens before deletion.
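Added example, not code from the report or from the terraform-aws-modules/lambda module: a Python model of the +/- plan above run against an idempotent attach/detach API, showing why both policies end up detached, plus a post-apply check over list-attached-role-policies output that would flag the drift. FakeIam, apply_reorder and missing_policies are constructed names; the model assumes both replacement attachments are created before either old one is destroyed, which is the ordering that reproduces the result reported here.

```python
"""Why a create-before-destroy replacement of count-indexed
aws_iam_role_policy_attachment instances silently detaches both policies."""

INSIGHTS = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
VPC = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"


class FakeIam:
    """Constructed stand-in for the IAM attach/detach calls. Like the real
    API, attaching an already-attached policy is a no-op, and detaching
    removes the single (role, policy) link no matter who attached it."""

    def __init__(self):
        self.attached = {}  # role name -> set of attached policy ARNs

    def attach(self, role, arn):
        self.attached.setdefault(role, set()).add(arn)

    def detach(self, role, arn):
        self.attached.get(role, set()).discard(arn)


def apply_reorder(iam, role, old, new):
    """Replay the +/- plan for count-indexed attachments after the policy
    list is reordered: each index whose ARN changed is replaced with
    create_before_destroy, so the creates run before the destroys."""
    changed = [i for i in range(len(old)) if old[i] != new[i]]
    for i in changed:          # "create replacement": no-op, already attached
        iam.attach(role, new[i])
    for i in changed:          # "then destroy": removes the only link
        iam.detach(role, old[i])
    return iam.attached.get(role, set())


def missing_policies(expected, listing):
    """Post-apply check: expected managed policies that are not attached.
    `listing` has the shape of IAM list-attached-role-policies output."""
    actual = {p["PolicyArn"] for p in listing["AttachedPolicies"]}
    return sorted(set(expected) - actual)


if __name__ == "__main__":
    iam, role = FakeIam(), "test"
    for arn in (INSIGHTS, VPC):           # first apply: both attached
        iam.attach(role, arn)
    after = apply_reorder(iam, role, [INSIGHTS, VPC], [VPC, INSIGHTS])
    print("attached after reorder:", after)   # empty set: both detached
    listing = {"AttachedPolicies": [{"PolicyArn": a} for a in after]}
    print("missing:", missing_policies([VPC, INSIGHTS], listing))
```

Running the same check against real list-attached-role-policies output after the second apply is the kind of post-apply verification that would have turned the reported "success" into a failure.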


This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Nov 11, 2024

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned Nov 21, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 27, 2024