
aws_iam_user does not detect changes to permissions_boundary #16534

Closed
markusrydh opened this issue Dec 2, 2020 · 9 comments · Fixed by #33963
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Comments

@markusrydh

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5

  • provider registry.terraform.io/hashicorp/aws v3.19.0

Affected Resource(s)

  • aws_iam_user
  • aws_iam_role (not verified)

Terraform Configuration Files

resource "aws_iam_user" "user" {
  name                 = "testuser"
  permissions_boundary = aws_iam_policy.permissions_boundary.arn
}

resource "aws_iam_policy" "permissions_boundary" {
  name   = "PermissionsBoundary"
  policy = data.aws_iam_policy_document.permissions_boundary.json
}

data "aws_iam_policy_document" "permissions_boundary" {
...
}

Expected Behavior

If the user does not have the permissions_boundary set in AWS, terraform should detect this and set it.

Actual Behavior

The permissions_boundary policy is set when the user is created, but drift of this is not detected.

Steps to Reproduce

  1. terraform apply
  2. Manually remove the boundary policy from the user
  3. terraform apply
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Dec 2, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 2, 2020
@danisabad

Same issue with the boundary for the aws_iam_role. Although if the role changed, rather than being deleted, this is being detected for some reason.

@Chili-Man
Contributor

I can confirm this issue as well for the aws_iam_role; we accidentally deleted the boundary permission for the role, and when I tried to re-apply the Terraform files, it would not detect that the permissions boundary for the role was gone.

@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 16, 2021
@mrohland

This is still an issue. On a TF plan the debug log shows that the permissions boundary is not attached anymore (it's visible for roles that have it, as expected), but TF is not reacting to it in any way.

Terraform v1.0.8

  • provider registry.terraform.io/hashicorp/aws v3.69.0

@gforien

gforien commented Sep 11, 2022

Same issue here with an aws_iam_role.

Terraform v1.2.7

  • provider registry.terraform.io/hashicorp/aws v4.29.0

@jackhxs-alt

Same issue for me with aws_iam_role:

▶ terraform version
Terraform v1.2.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.25.0
+ provider registry.terraform.io/hashicorp/random v3.3.2

@mike-geiger

This issue still exists for aws_iam_role.

Terraform v1.5.5
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v5.13.1
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1

@lqc
Contributor

lqc commented Oct 17, 2023

This seems to be caused by:

which doesn't set the state value on refresh instead of setting it to nil. As this is a root attr, this causes the state to be copied as per: https://hashicorp.github.io/terraform-provider-aws/data-handling-and-conversion/#implicit-state-passthrough

I'll try to make a PR, but not sure how to test this.
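
The following is an added illustration, not code from the terraform-provider-aws project or from any commenter, of the mechanism lqc describes and of the three reproduction steps in the original report. It models, with standard-library Go only, how a Terraform SDK v2 Read function interacts with prior state: an attribute the Read function never calls Set() on is carried over from the prior state unchanged (implicit state passthrough), so a permissions boundary removed outside Terraform never shows up as a diff. The fakeIAM type, the buggyRead/fixedRead functions, the state map and the policy ARN are all constructed for the example; the real provider uses schema.ResourceData and the AWS SDK.

```go
package main

import "fmt"

// iamUser models the GetUser API response. PermissionsBoundary is nil when
// no boundary is attached to the user.
type iamUser struct {
	Name                string
	PermissionsBoundary *string
}

// fakeIAM is a constructed in-memory stand-in for the IAM API.
type fakeIAM struct {
	users map[string]*iamUser
}

func (api *fakeIAM) createUser(name, boundaryARN string) {
	b := boundaryARN
	api.users[name] = &iamUser{Name: name, PermissionsBoundary: &b}
}

// deleteUserPermissionsBoundary models step 2 of the report: the boundary is
// removed from the user outside of Terraform.
func (api *fakeIAM) deleteUserPermissionsBoundary(name string) {
	api.users[name].PermissionsBoundary = nil
}

// state models the attributes of schema.ResourceData that matter here. In the
// SDK, attributes that Read does not Set() keep their prior-state value.
type state map[string]string

func copyState(prior state) state {
	next := state{}
	for k, v := range prior {
		next[k] = v // implicit passthrough of prior state
	}
	return next
}

// buggyRead only sets permissions_boundary when the API reports one, so a
// removed boundary leaves the stale ARN in state and the plan sees no change.
func buggyRead(api *fakeIAM, prior state) state {
	next := copyState(prior)
	u := api.users[prior["name"]]
	if u.PermissionsBoundary != nil {
		next["permissions_boundary"] = *u.PermissionsBoundary
	}
	return next
}

// fixedRead always sets the attribute, writing "" when the boundary is absent,
// so the refreshed state reflects what the API actually returned.
func fixedRead(api *fakeIAM, prior state) state {
	next := copyState(prior)
	u := api.users[prior["name"]]
	if u.PermissionsBoundary != nil {
		next["permissions_boundary"] = *u.PermissionsBoundary
	} else {
		next["permissions_boundary"] = ""
	}
	return next
}

// planHasDiff reports whether a plan would propose a change, i.e. the
// refreshed state differs from the configured value.
func planHasDiff(config, refreshed state) bool {
	return config["permissions_boundary"] != refreshed["permissions_boundary"]
}

// driftDetected runs the report's reproduction steps against the given Read
// implementation and reports whether the final plan would show the drift.
func driftDetected(read func(*fakeIAM, state) state) bool {
	const arn = "arn:aws:iam::123456789012:policy/PermissionsBoundary" // constructed
	config := state{"name": "testuser", "permissions_boundary": arn}
	api := &fakeIAM{users: map[string]*iamUser{}}

	// Step 1: terraform apply creates the user with the boundary and records it.
	api.createUser("testuser", arn)
	prior := state{"name": "testuser", "permissions_boundary": arn}

	// Step 2: the boundary is manually removed from the user.
	api.deleteUserPermissionsBoundary("testuser")

	// Step 3: terraform apply refreshes state via Read, then plans.
	refreshed := read(api, prior)
	return planHasDiff(config, refreshed)
}

func main() {
	fmt.Println("buggy Read detects drift:", driftDetected(buggyRead)) // false
	fmt.Println("fixed Read detects drift:", driftDetected(fixedRead)) // true
}
```

The practical check for a provider fix is the second half of this: a Read that unconditionally sets every root attribute it owns, including the "absent" case, so that a control removed out of band (here a permissions boundary) is surfaced by plan rather than silently inherited from the last known state.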

@github-actions

This functionality has been released in v5.22.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2023