iam_role - continual changes on apply when inline_policy {} is defined

[iamperson347]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform 1.1.2

Affected Resource(s)

• aws_iam_role

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_iam_role" "newrole" {
...
  inline_policy {}
}

Expected Behavior

After upgrading from provider 3.69.0 to 3.74.3, no planned changes to existing IAM roles

Actual Behavior

Each subsequent apply tries to add a policy with a content of "" (and apparently succeeds - but no changes in AWS), but new plans/applies always show changes.

create
inline_policy {
create
policy :
""
}

Steps to Reproduce

1. terraform apply

Important Factoids

Terraform AWS provider 3.69.0 does not exhibit this behavior.

Documenation states this is a valid configuration: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#example-of-removing-inline-policies

References

• #0000

[danopia]

I have also been impacted by this regression. There are no apply problems caused by the configuration, but the iam_role resource shows up on every terraform plan regardless of any actual change, so an empty plan instead has 1 to change which is a recurring nuisance.

Previously discussed here: #22336 (comment)

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # aws_iam_role.role has changed
  ~ resource "aws_iam_role" "role" {
        id                    = "repro"
        name                  = "repro"
        tags                  = {}
        # (9 unchanged attributes hidden)

      - inline_policy {}
        # (1 unchanged block hidden)
    }

# ...

Terraform will perform the following actions:

  # aws_iam_role.role will be updated in-place
  ~ resource "aws_iam_role" "role" {
        id                    = "repro"
        name                  = "repro"
        tags                  = {}
        # (9 unchanged attributes hidden)

      + inline_policy {}
        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

[iamperson347]

Hi All - It appears this is till occurring on the latest provider (4.19.0). Is there any rough timeline on when this perpetual diff might be fixed?

[iamperson347]

It appears this problem is resolved in 4.23.0. I'm guess this pull request might have fixed the issue: #23060

Since I can no longer recreate the issue on provider 4.23.0 - I'm going to close this issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.