
Failure to detect drift in aws_iam_instance_profile resource #7160


Description

This issue was originally opened by @milh0use as hashicorp/terraform#20023. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

0.11.11 (provider.aws 1.52.0)

...

Terraform Configuration Files

# The instance profile is linked to the role through the `role` argument.
# This link (the role list of the profile) is the attribute the report says
# drift was not detected on.
resource "aws_iam_instance_profile" "example_instance_profile" {
  name = "example_instance_profile"
  role = "${aws_iam_role.example_role.name}"
}

# Role that EC2 instances are allowed to assume (trust policy below).
resource "aws_iam_role" "example_role" {
  name = "example_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = {
    "Terraform" = "True"
  }
}

# Inline policy attached to the role. The AssumeRole target is read from
# remote state; the EC2 action list is elided in the original report.
resource "aws_iam_role_policy" "example_iam_role_policy" {
  name = "example_iam_role_policy"
  role = "${aws_iam_role.example_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToAssumeRole",
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "${data.terraform_remote_state.example-policy.role_arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        ...
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

Expected Behavior

I've read the excellent article on drift, but we've hit a situation where terraform-managed infrastructure was modified in the AWS console and a terraform apply failed to restore the changes as it failed to detect a modification of the configuration (the list of roles attached to the instance profile) of an aws_iam_instance_profile resource. I would have thought this is a change that terraform could potentially detect and fix.

Actual Behavior

terraform plan recognises that deleted resources need to be recreated but doesn't restore all the links between the resources.

Steps to Reproduce

Note that in the steps below, some of the steps might happen automatically when other steps are done (such as removing a role from an instance profile might happen automatically when you delete the role). A colleague made the changes in the AWS console and I only have the CloudTrail log as evidence of what happened.

  1. Create the resources above using terraform
  2. Delete the example_role from the AWS console
  3. Remove example_role from the example_instance_profile instance profile from the AWS console
  4. Delete the example_iam_role_policy role policy from the AWS console

Now run a terraform plan. Terraform detects that it needs to recreate the deleted resources, but doesn't notice that the configuration of the instance profile has changed such that it is no longer linked to the example_role role.

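The drift the reporter describes (a role silently detached from an instance profile in the console) can be caught independently of the provider by comparing what Terraform recorded in state with what IAM currently returns. The following is an added example written for this page, not code from the issue, the provider, or HashiCorp. The state document and the `get-instance-profile` responses are hand-constructed samples shaped like a Terraform 0.11 state file and the AWS CLI JSON output; the account ID, ARNs and the resource address are placeholders.

```python
import json

# Constructed sample of a Terraform 0.11 state file for the resources in the
# issue (hand-written to follow the 0.11 state layout; not a real .tfstate).
TFSTATE_JSON = json.dumps({
    "version": 3,
    "terraform_version": "0.11.11",
    "modules": [{
        "path": ["root"],
        "resources": {
            "aws_iam_instance_profile.example_instance_profile": {
                "type": "aws_iam_instance_profile",
                "primary": {
                    "id": "example_instance_profile",
                    "attributes": {
                        "name": "example_instance_profile",
                        "role": "example_role",
                        # flattened set entry as written by provider 1.x
                        "roles.#": "1",
                        "roles.1234567890": "example_role",
                    },
                },
            },
        },
    }],
})

PROFILE_ADDRESS = "aws_iam_instance_profile.example_instance_profile"

# Constructed samples in the shape of
# `aws iam get-instance-profile --instance-profile-name ... --output json`.
# ARNs and the account ID are placeholders.
LIVE_IN_SYNC = {
    "InstanceProfile": {
        "InstanceProfileName": "example_instance_profile",
        "Arn": "arn:aws:iam::123456789012:instance-profile/example_instance_profile",
        "Roles": [
            {"RoleName": "example_role",
             "Arn": "arn:aws:iam::123456789012:role/example_role"},
        ],
    }
}
# After steps 2-3 of the report: the role was deleted and detached in the console.
LIVE_AFTER_DRIFT = {
    "InstanceProfile": {
        "InstanceProfileName": "example_instance_profile",
        "Arn": "arn:aws:iam::123456789012:instance-profile/example_instance_profile",
        "Roles": [],
    }
}


def expected_roles(tfstate_json, address):
    """Role names Terraform recorded for the instance profile at `address`.

    Reads both the singular `role` attribute and the flattened `roles.<hash>`
    set entries, so it works whichever of the two the provider populated.
    """
    state = json.loads(tfstate_json)
    for module in state.get("modules", []):
        res = module.get("resources", {}).get(address)
        if res is None:
            continue
        attrs = res["primary"]["attributes"]
        roles = set()
        if attrs.get("role"):
            roles.add(attrs["role"])
        for key, value in attrs.items():
            if key.startswith("roles.") and key != "roles.#":
                roles.add(value)
        return roles
    raise KeyError("resource %s not found in state" % address)


def actual_roles(get_instance_profile_output):
    """Role names currently attached; None when the profile no longer exists."""
    if get_instance_profile_output is None:
        return None
    profile = get_instance_profile_output["InstanceProfile"]
    return {r["RoleName"] for r in profile.get("Roles", [])}


def instance_profile_drift(tfstate_json, address, live_output):
    """Compare recorded and live role links and report what is missing/extra."""
    want = expected_roles(tfstate_json, address)
    have = actual_roles(live_output)
    if have is None:
        return {"exists": False, "missing": want, "unexpected": set()}
    return {"exists": True, "missing": want - have, "unexpected": have - want}


if __name__ == "__main__":
    for label, live in (("in sync", LIVE_IN_SYNC),
                        ("after console changes", LIVE_AFTER_DRIFT)):
        print(label, instance_profile_drift(TFSTATE_JSON, PROFILE_ADDRESS, live))
```

To run this against a real environment, feed `terraform state pull` into `expected_roles` and the parsed output of `aws iam get-instance-profile --instance-profile-name example_instance_profile` into `instance_profile_drift`; a non-empty `missing` set is exactly the condition the reporter expected `terraform plan` to surface.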
Labels: bug (Addresses a defect in current functionality), service/iam (Issues and PRs that pertain to the iam service)
