-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Provider]: Implement exclusive relationship management resources #39376
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
I love this sooooo much! Here's another related feature request: |
Routes in a route table is another use case for exclusive management. |
Commenting here for visibility since the proposal is already approved and merged, but what is the expected config migration path for practitioners? For example, if I am currently using |
+1 |
I believe there's a good reasoning behind deprecating |
I went ahead and demoed a quick change to our iam-principals module to see what the migration path looks like currently. I think it needs some work. It's going to be a big lift, without any way to PR here: plus3it/terraform-aws-tardigrade-iam-principals#205 To see what I mean:
You'll see that it wants to create the inline role policies again. Of course, a user could write Without such a @jar-b Thoughts? |
Also, managed prefix lists and their entries are another resource that could benefit from this new exclusive relationship pattern... |
To migrate an existing inline policy to the standalone resource, an However, because the Here's a small example (the configuration is hidden by default to improve readability): Show/Hide ConfigurationThe uncommented configuration below represents the existing state where inline policies are defined directly on the terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
# Configure the AWS Provider
provider "aws" {}
data "aws_iam_policy_document" "trust" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "inline" {
statement {
actions = ["s3:ListBucket"]
resources = [
"arn:aws:s3:::some-bucket-a",
"arn:aws:s3:::some-bucket-b",
]
}
}
resource "aws_iam_role" "test" {
name = "jb-test-inline-policy-migration"
assume_role_policy = data.aws_iam_policy_document.trust.json
# Remove this when the new standalone resource is added
inline_policy {
name = "test-inline"
policy = data.aws_iam_policy_document.inline.json
}
}
### Start of new resources ###
# # This can be removed after the apply in which the resource is imported
# import {
# to = aws_iam_role_policy.test
# id = "jb-test-inline-policy-migration:test-inline"
# }
#
# resource "aws_iam_role_policy" "test" {
# name = "test-inline"
# role = aws_iam_role.test.name
# policy = data.aws_iam_policy_document.inline.json
# }
# #
# resource "aws_iam_role_policies_exclusive" "test" {
# role_name = aws_iam_role.test.name
# policy_names = [
# aws_iam_role_policy.test.name,
# ]
# }
### End of new resources ### To covert this to use the standalone
% terraform apply -auto-approve
data.aws_iam_policy_document.inline: Reading...
data.aws_iam_policy_document.trust: Reading...
data.aws_iam_policy_document.inline: Read complete after 0s [id=748695472]
data.aws_iam_policy_document.trust: Read complete after 0s [id=2851119427]
aws_iam_role.test: Refreshing state... [id=jb-test-inline-policy-migration]
aws_iam_role_policy.test: Preparing import... [id=jb-test-inline-policy-migration:test-inline]
aws_iam_role_policy.test: Refreshing state... [id=jb-test-inline-policy-migration:test-inline]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_iam_role_policies_exclusive.test will be created
+ resource "aws_iam_role_policies_exclusive" "test" {
+ policy_names = [
+ "test-inline",
]
+ role_name = "jb-test-inline-policy-migration"
}
# aws_iam_role_policy.test will be imported
resource "aws_iam_role_policy" "test" {
id = "jb-test-inline-policy-migration:test-inline"
name = "test-inline"
name_prefix = null
policy = jsonencode(
{
Statement = [
{
Action = "s3:ListBucket"
Effect = "Allow"
Resource = [
"arn:aws:s3:::some-bucket-b",
"arn:aws:s3:::some-bucket-a",
]
},
]
Version = "2012-10-17"
}
)
role = "jb-test-inline-policy-migration"
}
Plan: 1 to import, 1 to add, 0 to change, 0 to destroy.
aws_iam_role_policy.test: Importing... [id=jb-test-inline-policy-migration:test-inline]
aws_iam_role_policy.test: Import complete [id=jb-test-inline-policy-migration:test-inline]
aws_iam_role_policies_exclusive.test: Creating...
aws_iam_role_policies_exclusive.test: Creation complete after 1s
Apply complete! Resources: 1 imported, 1 added, 0 changed, 0 destroyed.
% terraform plan
data.aws_iam_policy_document.trust: Reading...
data.aws_iam_policy_document.inline: Reading...
data.aws_iam_policy_document.trust: Read complete after 0s [id=2851119427]
data.aws_iam_policy_document.inline: Read complete after 0s [id=748695472]
aws_iam_role.test: Refreshing state... [id=jb-test-inline-policy-migration]
aws_iam_role_policy.test: Refreshing state... [id=jb-test-inline-policy-migration:test-inline]
aws_iam_role_policies_exclusive.test: Refreshing state...
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. |
In theory if all previous versions of the module guarantee the inline policies will already exist, you could publish a version containing the import directive in a non-breaking way. However, a breaking major version change may be preferable to avoid cases where users need to sequence minor versions in such a way to guarantee the import conditions are satisfied. The |
I must have missed something... When did it become possible to put |
Wasn't there a fairly recent change/feature in Terraform core that made it possible to complete a |
🤦 - thanks for the correction. I'm clearly not a module author and will therefore refrain from additional suggestions.
Yes. My assumption about the schema requirements is indeed out of date. However, we are still limited in our ability to support the
While possible, adding support is unfortunately not as simple as implementing the state movement logic. As an aside, I'm not sure
I suspect after a successful apply with a move operation, deletion of the |
I think perhaps a further update to Note that I was careful in how I phrased the move request previously...
I do not want to move the |
Makes sense, I'm on the same page now. This sounds like a Working within the existing language constraints on the provider side, the
Hopefully this helps in weighing the available options. |
Also, I've added new items in the issue body for the additional suggested resources. Thanks for those @lorengordon! 👍 |
Yeah. I'll check core and open a feature/enhancement request, if something doesn't already exist. |
Alright, issue opened: hashicorp/terraform#35785. |
|
Thanks @lusitania 👍 - opened #39822 and added it to the parent issue above. |
Another candidate for exclusive attachments, I think, would be |
(because sso is cross-account, it differentiates with separate API calls between aws-managed policies that have no account id in their ARN, and customer-managed ones that do) |
An interesting resource to add this exclusive attachment for might be |
Given the below configuration: resource "aws_iam_role" "role" {
count = local.create_role ? 1 : 0
name = "role"
description = "Role"
}
resource "aws_iam_role_policy_attachments_exclusive" "role" {
count = local.create_role ? 1 : 0
role_name = one(aws_iam_role.role[*].name)
policy_arns = local.managed_policies_list
} we're getting
and then after 2nd Is this something that should be handled natively by AWS provider? AWS provider version is Thanks. 👉🏻 UPD: so it seems like the 🤔 UPD2: interestingly that |
Hey @yermulnik - A similar discussion took place over in #39818. This comment might be specifically helpful: #39818 (comment). TLDR; Destruction of We've also since updated the registry documentation with a note to reflect the expected behavior. |
@jar-b Thanks for the pointer 👍🏻 |
Another resource that would be pretty nice to have an exclusive option would be |
Description
This meta issue will track the progress of the effort to implement "exclusive relationship management" resources, as described in this proposal (see the rendered version in the contributor guide).
IAM inline policies:
aws_iam_user_policies_exclusive
#39377aws_iam_group_policies_exclusive
#39378IAM customer managed policies:
aws_iam_role_policy_attachments_exclusive
#39379aws_iam_user_policy_attachments_exclusive
#39380aws_iam_group_policy_attachments_exclusive
#39381Organizations policies:
Route53 records:
aws_route53_records_exclusive
#40466SSO Admin managed policies:
aws_ssoadmin_managed_policy_attachments_exclusive
#39822aws_ssoadmin_customer_managed_policy_attachments_exclusive
#40006VPC managed prefix lists:
aws_ec2_managed_prefix_list_entries_exclusive
#39446VPC route tables:
aws_routes_exclusive
#39447VPC security groups:
aws_ec2_network_interface_sg_attachments_exclusive
#39382aws_vpc_security_group_rules_exclusive
#39383References
Relates #39204
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: