Modifying AWS IAM user name deletes state

[hashibot]

This issue was originally opened by @alvin-huang as hashicorp/terraform#16646. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

v0.10.8

Terraform Configuration Files

main.tf

variable "aws_region" {}
variable "my_user" {}

provider "aws" {
  region = "${var.aws_region}"
}

resource "aws_iam_user" "myuser" {
  name = "${var.my_user}"
  path = "/"
}

createuser.tfvars

aws_region  = "us-east-1"
my_user = "createuser"

modifyuser.tfvars

aws_region  = "us-east-1"
my_user = "modifyuser"

Expected Behavior

The createuser AWS user should be renamed to modifyuser and the state file should reflect this change.

Debug

https://gist.github.com/alvin-huang/e07b5e15b5837401b811db1acff84435

Actual Behavior

The AWS user does get renamed but the terraform state file is empty.

Steps to Reproduce

1. terraform init
2. terraform apply -var-file=createuser.tfvars to create the createuser user
3. terraform show to show createuser is in created and in the state file
4. terraform apply -var-file=modifyuser.tfvars to change the name of createuser to modifyuser
5. terraform show shows an empty state file

Important Factoids

I see the same issue with a local state file and remote backend (S3).

References

#213
hashicorp/terraform#3227

If this should go in https://github.com/terraform-providers/terraform-provider-aws let me know and I can move it over there or hashibot will take care of it :)

[jbardin]

It looks like aws_iam_user uses the name field as the id, except that the name field is modifiable 😮

The example above updates the name field, but then when the user is re-read the "id" no longer exists because the name was changed, and the resource is deleted from the state.

[loivis]

There is an attribute as unique_id. It could potentially be used as Id(), as mentioned in current codes.

https://github.com/terraform-providers/terraform-provider-aws/blob/dddc588b53d0de7421040313d2ec7d54ca55bd4a/aws/resource_aws_iam_user.go#L30-L41

[bflad]

Hello, everyone! There are currently 3 open PRs for this issue:

• resource/aws_iam_user: Set UserId as Id() instead of UserName #2798 (changes the resource ID to IAM's unique ID)
• resource/aws_iam_user: Fix issues with update #2940 (changes the resource ID to the new username after update and allows path updates)
• resource/aws_iam_user: Name change requires id to be reset #2979 (changes the resource ID to the new username after update and adds a test)

I believe for longterm maintainability we may want to switch the aws_iam_user id attribute (the resource ID) to IAM's unique ID, which is the stable identifier, although there are some challenges switching this:

• It is likely there is a lot of usage for aws_iam_user.X.id in downstream resources like IAM policies (from my personal experience anyways), which means changing the attribute could be seen as a "large" change in many environments since they will switch from "friendly" user names to the "less friendly" AID... unique IDs, even if the net outcome is the same in the end (the same user has the same permissions)
• AWS IAM API currently prefers the user name (addressed decently in resource/aws_iam_user: Set UserId as Id() instead of UserName #2798 already)
• We would need to migrate everyone's existing state from the name id to the new unique ID id
• Import would either need to change to the unique ID or additional logic needs to be put in place to allow importing by name again

Given the above, I think we'll prefer to bring in the "quick" fixes of #2940 and #2979 for our bugfix v1.7.1 release coming out shortly (hopefully this week), and leave the longer #2798 change to potentially a later release.

Please leave any feedback or reach out with any questions. I'll be commenting in each of the existing PRs.

[bflad]

FYI the first round of "quick" fixes has been released in terraform-provider-aws version 1.7.1. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ebarault]

excellent, thank you ! 👍

[ebarault]

@bflad : it seems the same bug is affecting the aws_iam_group ressource. See: #620

Do you think it's doable to backport a fix similar to the one applied here ?

[bflad]

@ebarault make sense since they were written similarly. Its certainly doable to do the "easy" part we implemented here and call d.SetId() again for aws_iam_group on update. Unfortunately, I don't really have time right now to implement this myself along with the acceptance testing.

[bflad]

While the aws_iam_user resource fix was released awhile ago in version 1.7.1 of the Terraform AWS Provider, the similar fix for the aws_iam_group resource has been merged for release with version 2.12.0 of the Terraform AWS Provider. 👍

Given the broad scope of deployment of these resources, it is unlikely we will change their resource ID, even in a future major version release, so closing this issue out. For further bug reports with IAM resources, please create a new GitHub issue, thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!