aws_iam_group rename orphans the group

[hashibot]

This issue was originally opened by @james-masson as hashicorp/terraform#12882. It was migrated here as part of the provider split. The original body of the issue is below.

---

Terraform Version

tested with 0.8.8 & 0.9.1

Affected Resource(s)

aws_iam_group

Terraform Configuration Files

provider "aws" {
  region = "eu-west-1"
}

resource "aws_iam_group" "team" {
  name = "testgroup01"
}

Expected Behavior

Upon renaming "testgroup01" to "testgroup02", terraform should rename AWS resource and update the state-file

Actual Behavior

Terraform updates the resource correctly:

aws_iam_group.team: Refreshing state... (ID: testgroup01)
aws_iam_group.team: Modifying... (ID: testgroup01)
  name: "testgroup01" => "testgroup02"
aws_iam_group.team: Modifications complete

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

but erases it from the state file

{
    "version": 3,
    "terraform_version": "0.9.1",
    "serial": 61,
    "lineage": "ff4a5b9e-04f0-4af4-b372-4876acff0465",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {},
            "depends_on": []
        }
    ]
}

A second terraform run now complains about a duplicate resource.

aws_iam_group.team: Creating...
  arn:       "" => "<computed>"
  name:      "" => "testgroup02"
  path:      "" => "/"
  unique_id: "" => "<computed>"
Error applying plan:

1 error(s) occurred:

* aws_iam_group.team: 1 error(s) occurred:

* aws_iam_group.team: Error creating IAM Group testgroup02: EntityAlreadyExists: Group with name testgroup02 already exists.
	status code: 409, request id: 617494e3-0d7e-11e7-b195-615d4e65d354

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply
2. Change name of group
3. terraform apply
4. Note state is now empty
5. terraform apply
6. Note terraform complains that the group already exists.

[Evesy]

We have found that this also occurs with the aws_iam_user resource on Terraform 0.9.10

[sbarber]

Found the same issue with the aws_iam_user resource on Terraform 0.10.7 when trying to just change the name attribute of an aws_iam_user.

[ebarault]

Encountered the same issue on both aws_iam_group and aws_iam_user resource.
This happens because terraform takes the group/user name as its main key for referencing the ressource in states.

I believe this was fixed for aws_iam_user, see: #2303 (comment). The fix should be rather easy to port.

It's really annoying as it has a lot of collateral effects when other resources depends on the the group ressource.

[bflad]

The fix to prevent Terraform state removals with aws_iam_group resource name updates has been merged and will release with version 2.12.0 of the Terraform AWS Provider, likely later this week.

[bflad]

This has been released in version 2.12.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!