IAM Role not added to state when inline IAM Policy is invalid

[jykingston]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.0.0

• aws_iam_role

Terraform Configuration Files

This config is invalid due to the inline_policy missing the actions.

provider "aws" {
  region = "ap-southeast-2"
}

#####################################
# INVALID POLICY
#####################################

resource "aws_iam_role" "InvalidPolicyIAMRole" {
  name               = "InvalidPolicyIAMRole"
  assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role.json

  inline_policy {
    name = "my_inline_policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
}

data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
  statement {
    sid = "AWSVPCFlowLogsAssumeRole"

    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }

    effect = "Allow"

    actions = ["sts:AssumeRole"]
  }
}

Debug Output

Plan, Apply and Import logs showing the issue.
Debug Logs

Panic Output

N/A

Expected Behavior

The IAM Role should be added to the state, allowing a second terraform apply to fix the IAM Policy.

1. terraform apply creates the role, ERROR MalformedPolicyDocument on the policy
2. terraform plan shows only the IAM Policy to be updated
3. terraform apply updates the IAM Policy and finishes successfully.

Actual Behavior

1. terraform apply creates the IAM Role. ERROR MalformedPolicyDocument on the policy
2. terraform plan shows the IAM Policy and the IAM Role to be created
3. terraform apply ERROR EntityAlreadyExists as the IAM Role was created on the first run, but not added to state.

Steps to Reproduce

Just run the config above twice.

1. terraform apply - MalformedPolicyDocument
2. terraform apply - EntityAlreadyExists

Important Factoids

References

[thinkbrown]

Yeah, I can confirm that we ran into this on provider v4.48.0 as well.

[YakDriver]

Rather than partially create the resource, we believe the correct behavior is for the role creation to fail when the inline policy fails. This approach will fix the EntityAlreadyExists error as well.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.60.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.