"terraform refresh" not picking up changes to policy text #3517

Closed
jgross206 opened this issue Oct 15, 2015 · 5 comments

Comments

@jgross206

If a Terraform-managed policy is modified via the web console, the changes are not picked up on terraform refresh, so they are not corrected on the next terraform apply.

Repro:

  • Create a new configuration with the following in policies.tf:

```hcl
provider "aws" {
  # access_key and secret_key should be set using "aws configure"
  region = "us-west-2"
}

resource "aws_iam_policy" "test" {
  name        = "test-policy"
  description = "A test policy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "glacier:ListVaults",
        "glacier:DescribeVault",
        "glacier:GetVaultNotifications",
        "glacier:ListJobs",
        "glacier:DescribeJob",
        "glacier:GetJobOutput"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
```

  • Run terraform plan, then terraform apply. The policy should be created.
  • Log in to the web console and modify the policy text, e.g. change "Allow" to "Deny".
  • Go back to the terminal and run terraform refresh.
  • Expected: the change should be noticed and updated into the state file. The next terraform apply should change the policy back to the one existing in our .tf file.
  • Actual: no changes are detected. Subsequent terraform plan / terraform apply succeed, but the policy in AWS does not match the policy in source.

Happy to provide any more information needed.
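A drift check for the scenario in this report, as an added example (not code from Terraform or the AWS provider): it compares the policy document from the configuration with what the IAM API returns, canonicalises the cosmetic differences IAM introduces on re-serialisation (key order, action order, string-vs-list fields), and reports the Allow-to-Deny edit that the reporter says refresh misses. Both policy documents are constructed samples; no AWS calls are made.

```python
import json
from typing import Any, Optional

# Constructed sample: a cut-down version of the policy document in policies.tf.
DESIRED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["glacier:ListVaults", "glacier:DescribeVault"],
                 "Effect": "Allow", "Resource": "*"}]
}"""

# Constructed sample: what the API returns after "Allow" was flipped to "Deny"
# in the web console (the issue's scenario). IAM also re-serialises documents,
# so key order changes and "Resource" may come back as a one-element list.
LIVE_POLICY = """{
  "Statement": [{"Effect": "Deny", "Resource": ["*"],
                 "Action": ["glacier:DescribeVault", "glacier:ListVaults"]}],
  "Version": "2012-10-17"
}"""

# IAM fields that may be written as either a single string or a list.
LIST_FIELDS = {"Action", "NotAction", "Resource", "NotResource"}


def normalize(node: Any, key: Optional[str] = None) -> Any:
    """Canonicalise a policy document so that cosmetic differences (key order,
    action order, string-vs-list) do not register as drift."""
    if isinstance(node, dict):
        return {k: normalize(v, k) for k, v in sorted(node.items())}
    if isinstance(node, list):
        if key in LIST_FIELDS:
            return sorted(str(v) for v in node)
        return [normalize(v, key) for v in node]
    if isinstance(node, str) and key in LIST_FIELDS:
        return [node]
    return node


def diff(desired: Any, live: Any, path: str = "") -> list:
    """Return (path, desired, live) for every leaf that differs."""
    if isinstance(desired, dict) and isinstance(live, dict):
        keys = sorted(set(desired) | set(live))
        return [d for k in keys for d in diff(desired.get(k), live.get(k), f"{path}/{k}")]
    if isinstance(desired, list) and isinstance(live, list) and len(desired) == len(live):
        return [d for i, (a, b) in enumerate(zip(desired, live)) for d in diff(a, b, f"{path}/{i}")]
    return [] if desired == live else [(path, desired, live)]


def policy_drift(desired_json: str, live_json: str) -> list:
    """Semantic differences between the configured policy and the live one."""
    return diff(normalize(json.loads(desired_json)), normalize(json.loads(live_json)))
```

Running `policy_drift(DESIRED_POLICY, LIVE_POLICY)` reports only the Effect change; a live document that differs solely in key order or action order yields an empty list.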

@mroark1m

I can confirm this issue, seeing the same thing.

@mattpminer

I can confirm as well.

@jgross206
Author

In fact, this issue is even worse. If a "terraform apply" of a modified AWS policy fails (e.g. with

```
* aws_iam_policy.datadog: Error updating IAM policy [REDACTED]: MalformedPolicyDocument: Syntax errors in policy.
    status code: 400, request id: [REDACTED]
```

), then subsequent "terraform plan" will say "No changes. Infrastructure is up-to-date." even though the infrastructure is decidedly not up-to-date.

@Ehekatl

Ehekatl commented Jul 27, 2016

I can confirm this problem as well.
I have two S3 policies; one never changes, but the other one changes every time, as mentioned in #4948.
How could it be...

@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020