
aws_iam_group_policy updates without name field leave orphaned attached policies #4377

Closed
GroovyCarrot opened this issue Apr 27, 2018 · 6 comments · Fixed by #4379
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Milestone

Comments

@GroovyCarrot

Terraform Version

Terraform v0.11.7
Provider aws 1.16.0

Affected Resource(s)

  • aws_iam_group_policy

Potentially also aws_iam_role_policy and aws_iam_user_policy as well, however I haven't tested yet.

Terraform Configuration Files

resource "aws_iam_group" "network_admins" {
  name = "NetworkAdministrators"
}

# Inline policy with no "name" (and no "name_prefix"), so the provider generates
# a name of the form terraform-<timestamp><counter> on each write.
resource "aws_iam_group_policy" "network_admins" {
  # Reference corrected to match the resource label above ("network_admins").
  group  = "${aws_iam_group.network_admins.id}"
  policy = "${file("network-admins.policy.json")}"
}

Expected Behavior

When a policy is updated, I expect that the policy attached to the group would be replaced.

Actual Behavior

A new policy is attached to the group, and the old policy is left orphaned. The reason appears to be that it writes the policy with a newly generated name, rather than writing with the existing. Leaving name blank will generate i.e. terraform-20180417120515577200000001.

This is somewhat a security concern; if you are updating the policy to revoke permissions, since it will actually leave the old policy document attached, the group will still have the permissions you wanted to remove. You also don't have any visibility of this from Terraform.

You can get around the issue just by setting the name field. I have also noticed that removing name and running terraform plan shows no changes; even though I would expect it to want to replace the policy with a new computed name - this isn't really a concern though.

Steps to Reproduce

  1. Change the policy field - any change.
  2. terraform apply
@bflad bflad added bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. labels Apr 27, 2018
@bflad
Contributor

bflad commented Apr 27, 2018

It looks like the Create and Update functions both call the name generation code. 🙁

https://github.com/terraform-providers/terraform-provider-aws/blob/2fb62a6856a89d26b75c84c3a585b52c90e19d01/aws/resource_aws_iam_group_policy.go#L59-L67

Only the Create function should be calling this.
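The mechanism described in the issue and in the comment above, as an added example written for this page (not the provider's own code): an in-memory stand-in for the IAM API where PutGroupPolicy upserts by (group, policy name), a buggy update that regenerates the name, a fixed update that reuses the name stored in state, and an audit helper that reports generated-name inline policies no state record claims. The fakeIAM type, the generateName counter and the policy documents are constructed for the example; only the "terraform-" name prefix and the upsert semantics of PutGroupPolicy come from the page and the IAM API.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// fakeIAM models the slice of the IAM API the resource uses. PutGroupPolicy is an
// upsert keyed on (group, policy name): writing under a new name adds a second
// inline policy instead of replacing the existing one. Constructed for this example.
type fakeIAM struct {
	policies map[string]map[string]string // group -> policy name -> document
}

func newFakeIAM() *fakeIAM { return &fakeIAM{policies: map[string]map[string]string{}} }

func (c *fakeIAM) PutGroupPolicy(group, name, doc string) {
	if c.policies[group] == nil {
		c.policies[group] = map[string]string{}
	}
	c.policies[group][name] = doc
}

func (c *fakeIAM) ListGroupPolicies(group string) []string {
	names := make([]string, 0, len(c.policies[group]))
	for n := range c.policies[group] {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// state is what the resource keeps in Terraform state: the name chosen at create time.
type state struct{ group, name, policy string }

var seq int

// generateName is a simplified stand-in for the provider's generated-name helper
// (assumption: only the "terraform-" prefix and uniqueness matter here).
func generateName() string { seq++; return fmt.Sprintf("terraform-%020d", seq) }

func create(c *fakeIAM, group, policy string) state {
	name := generateName()
	c.PutGroupPolicy(group, name, policy)
	return state{group, name, policy}
}

// updateBuggy mirrors the defect: Update re-runs name generation, so PutGroupPolicy
// creates a new inline policy and the old document stays attached to the group.
func updateBuggy(c *fakeIAM, s state, policy string) state {
	name := generateName()
	c.PutGroupPolicy(s.group, name, policy)
	return state{s.group, name, policy}
}

// updateFixed reuses the stored name, so PutGroupPolicy replaces the document in place.
func updateFixed(c *fakeIAM, s state, policy string) state {
	c.PutGroupPolicy(s.group, s.name, policy)
	return state{s.group, s.name, policy}
}

// orphanedGeneratedPolicies lists inline policies on the group whose names carry the
// generated prefix but are not claimed by any Terraform state record: exactly the
// leftovers the issue describes, which Terraform itself never shows.
func orphanedGeneratedPolicies(c *fakeIAM, group string, managed []state) []string {
	known := map[string]bool{}
	for _, s := range managed {
		known[s.name] = true
	}
	var orphans []string
	for _, n := range c.ListGroupPolicies(group) {
		if strings.HasPrefix(n, "terraform-") && !known[n] {
			orphans = append(orphans, n)
		}
	}
	return orphans
}

func main() {
	c := newFakeIAM()
	s := create(c, "NetworkAdministrators", `{"Action":"ec2:*"}`)
	s = updateBuggy(c, s, `{"Action":"ec2:Describe*"}`) // revoke, the buggy way
	fmt.Println("attached:", c.ListGroupPolicies(s.group))
	fmt.Println("orphaned:", orphanedGeneratedPolicies(c, s.group, []state{s}))
}
```

Running main shows two inline policies attached after the "revoke" and one orphan; the same sequence with updateFixed leaves a single policy. The audit helper is the check a practitioner can adapt against the real ListGroupPolicies output and the names held in state.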

@bflad
Contributor

bflad commented Apr 27, 2018

Thank you very much for reporting this. Updates were not being properly tested in the acceptance testing for generated name/name_prefix. Submitted bug fix PR with updated testing: #4379

@bflad bflad added this to the v1.17.0 milestone Apr 27, 2018
@bflad
Contributor

bflad commented May 2, 2018

The fix for this has been merged and will release today with v1.17.0 of the AWS provider.

@bflad
Contributor

bflad commented May 2, 2018

This has been released in version 1.17.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@GroovyCarrot
Author

Thanks for the quick turnaround

@ghost

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020