[Idea] aws_iam_role and aws_iam_role is buddy for destroying

[hashibot]

This issue was originally opened by @jim3ma as hashicorp/terraform#10966. It was migrated here as part of the provider split. The original body of the issue is below.

---

Hi there,

If we create a aws_iam_role resource name role, a aws_iam_role_policy named role_policy for the aws_iam_role, another resource name R depends on role and other resources name O depend on R, when destroy them, according the dependency, the role_policy maybe be destroyed first. While destroy the R, need the iam policy to destory O first. Because the R depends on permission of role( yes, it's the role_policy), the role_policy should not be destroyed before destroy role.

We could just add a depends_on the role_policy for the R, but when use the R for using module, we can't do it(currently, we can't use depends_on for using module). Terraform detects the dependency for us, sometimes Terraform destroys the role_policy first.

So, we think the role and role_policy should be buddy for destroying, when destroy one of them, we should confirm that all of them could be destroyed!

Solutions:

1. add an option: buddy_destroy

2. add depends_on for using module

I will provide more information after work.

Terraform Version

Terraform v0.8.0

Affected Resource(s)

• aws_iam_role
• aws_iam_role_policy

[paultyng]

I'm hoping since no additional information was provided here you have worked this out. Without a Terraform config it is hard for us to reproduce this but I have not seen any other similar issues crop up so going to close due to lack of information. If you can provide a config that reproduces this please comment here and I'll be happy to reopen.

[bflad]

This issue was errantly moved to the AWS provider repository during the core/provider split of Terraform 0.10 as well -- it appears to be an upstream Terraform core issue since it relates to dependency ordering or changes to the Terraform provider SDK.

Support for depends_on can between modules can be tracked here: hashicorp/terraform#17101

If Terraform core does ever support having resources internally be grouped together, e.g. all child aws_iam_role_policy to their parent aws_iam_role resource be treated as "one" in the dependency graph when referencing the aws_iam_role, we can reinvestigate this concept.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!