aws_iam_group_policy updates without name field leave orphaned attached policies #4377
Labels: bug, service/iam
Terraform Version
Terraform v0.11.7
Provider aws 1.16.0
Affected Resource(s)
aws_iam_group_policy
Potentially also aws_iam_role_policy and aws_iam_user_policy as well, however I haven't tested yet.
Terraform Configuration Files
Expected Behavior
When a policy is updated, I expect that the policy attached to the group would be replaced.
Actual Behavior
A new policy is attached to the group, and the old policy is left orphaned. The reason appears to be that it writes the policy with a newly generated name, rather than writing with the existing one. Leaving name blank will generate a name such as terraform-20180417120515577200000001.
This is somewhat of a security concern; if you are updating the policy to revoke permissions, since it will actually leave the old policy document attached, the group will still have the permissions you wanted to remove. You also don't have any visibility of this from Terraform.
You can get around the issue just by setting the name field. I have also noticed that removing name and running terraform plan shows no changes, even though I would expect it to want to replace the policy with a new computed name - this isn't really a concern though.
Steps to Reproduce
Change the policy field - any change.
terraform apply
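Added example, not the reporter's configuration or the provider's code: a small audit of the symptom described above. It takes the JSON shape returned by `aws iam list-group-policies --group-name <group>` and `aws iam get-group-policy --group-name <group> --policy-name <name>`, flags inline policies whose names match the generated `terraform-<digits>` form, treats all but the newest as orphans, and lists the actions an orphan still allows that the current policy document no longer grants. The data is constructed inline so the script runs offline; the generated-name pattern and the assumption of a single unnamed aws_iam_group_policy per group are assumptions, not provider guarantees. The fix for the root cause is the one the report gives: set `name` explicitly so the update rewrites the same inline policy.

```python
"""Audit an IAM group's inline policies for orphaned Terraform-generated ones.

Added example for the behaviour described in this issue; not part of the
provider or of the reporter's configuration. The data below is constructed to
look like the JSON that `aws iam list-group-policies` and
`aws iam get-group-policy` return.
"""
import json
import re

# Assumed shape of the names the provider generates when `name` is omitted:
# "terraform-" followed by a UTC timestamp and counter, all digits (the issue
# shows terraform-20180417120515577200000001).
GENERATED_NAME = re.compile(r"^terraform-\d{14,}$")

# Constructed `list-group-policies` output: two generated names (first apply,
# and the apply after editing `policy`) plus one hand-named policy.
LIST_GROUP_POLICIES = json.loads("""
{"PolicyNames": ["ops-break-glass",
                 "terraform-20180417120515577200000001",
                 "terraform-20180417121102931400000001"]}
""")

# Constructed `get-group-policy` documents keyed by policy name. The first
# apply granted s3:DeleteObject; the edited policy was meant to revoke it.
POLICY_DOCUMENTS = {
    "terraform-20180417120515577200000001": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:DeleteObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}],
    },
    "terraform-20180417121102931400000001": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-bucket/*"}],
    },
    "ops-break-glass": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow",
                      "Action": ["ec2:DescribeInstances"],
                      "Resource": "*"},
    },
}


def generated_names(policy_names):
    """Return Terraform-generated inline policy names, oldest first.

    The generated suffix is a zero-padded timestamp, so string order is time order.
    """
    return sorted(n for n in policy_names if GENERATED_NAME.match(n))


def orphaned_names(policy_names):
    """Every generated name except the newest.

    Assumes the config holds a single unnamed aws_iam_group_policy, so only the
    most recent generated name is the one Terraform currently tracks.
    """
    return generated_names(policy_names)[:-1]


def allowed_actions(document):
    """Collect the actions an inline policy document explicitly allows.

    Only plain Allow statements with Action are considered; NotAction,
    conditions and resource scoping are out of scope for this check.
    """
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        action = stmt["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def audit_group(list_response, documents):
    """Report orphaned generated policies and what they still grant.

    `still_granted` lists actions allowed by an orphan but absent from the
    newest generated policy: permissions the operator believed were revoked.
    `effective_allow` is the union over every inline policy on the group.
    """
    names = list_response["PolicyNames"]
    orphans = orphaned_names(names)
    current = generated_names(names)[-1:]  # newest generated name, if any
    current_actions = set().union(*(allowed_actions(documents[n]) for n in current))
    orphan_actions = set().union(*(allowed_actions(documents[n]) for n in orphans))
    return {
        "orphans": orphans,
        "still_granted": sorted(orphan_actions - current_actions),
        "effective_allow": sorted(set().union(*(allowed_actions(documents[n]) for n in names))),
    }


if __name__ == "__main__":
    print(json.dumps(audit_group(LIST_GROUP_POLICIES, POLICY_DOCUMENTS), indent=2))
```

Against a real account, feed the two CLI commands' output into `audit_group`; a non-empty `still_granted` is the concrete signal that the old document is still in force. Once the orphan is confirmed, `aws iam delete-group-policy --group-name <group> --policy-name <orphan>` removes it, and adding `name` to the resource keeps it from recurring.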