Are manual changes to an aws IAM policy detected by Terraform plan?
Problem
I know that Terraform does some checks before the plan and can detect some changes but not others, such as detecting changes to variables on a Lambda but not detecting a new secret in Secrets Manager.
Are changes to the IAM policy something it detects?
Solution
Yes, Terraform will detect drift in IAM policies.
Here is my starting point, a policy that allows full S3 and SQS access to specific resources.

```hcl
data "aws_iam_policy_document" "task" {
  statement {
    effect    = "Allow"
    actions   = ["sqs:*"]
    resources = [
      aws_sqs_queue.my-queue.arn
    ]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = [
      "${aws_s3_bucket.my_bucket.arn}",
      "${aws_s3_bucket.my_bucket.arn}/*",
    ]
  }
}

resource "aws_iam_policy" "task_role" {
  name   = "my-task-policy"
  policy = data.aws_iam_policy_document.task.json
}
```

I then manually added `ec2:DescribeInstances` to this policy via the AWS management console. To test whether it was detected or not, I ran

```
terraform apply -target aws_iam_policy.task_role
```

```
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.task_role will be updated in-place
  ~ resource "aws_iam_policy" "task_role" {
        arn    = "arn:aws:iam::111111111111:policy/my-task-policy"
        id     = "arn:aws:iam::111111111111:policy/my-task-policy"
        name   = "my-task-policy"
        path   = "/"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    ... REDACTED...
                  - {
                      - Action   = "ec2:DescribeInstances"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "VisualEditor0"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

So Terraform correctly detected the drift.
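As an added example (not part of the answer above, and not Terraform's own tooling): rather than reading the `-` lines of a plan by eye, the same drift can be extracted from `terraform show -json` output for a saved plan. The function below reports, per `aws_iam_policy`, the statements present in the live policy (`before`) but absent from the code (`after`); the plan JSON is a constructed sample shaped like Terraform's JSON plan format and mirrors the console-added statement shown above.

```python
import json

# Constructed sample of `terraform show -json plan.out` output, trimmed to the fields
# this check reads. As in the plan above, the live policy ("before") carries a
# console-added statement that the code ("after") does not.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [{
    "address": "aws_iam_policy.task_role",
    "type": "aws_iam_policy",
    "change": {
        "actions": ["update"],
        "before": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sqs:*",
             "Resource": "arn:aws:sqs:us-east-1:111111111111:my-queue"},
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": "ec2:DescribeInstances", "Resource": "*"},
        ]})},
        "after": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sqs:*",
             "Resource": "arn:aws:sqs:us-east-1:111111111111:my-queue"},
        ]})},
    },
}]})


def _statements(policy_attr):
    """Statements of a policy attribute (a JSON string in state) as canonical strings."""
    if not policy_attr:
        return set()
    stmts = json.loads(policy_attr).get("Statement", [])
    if isinstance(stmts, dict):  # IAM allows a single bare statement object
        stmts = [stmts]
    return {json.dumps(s, sort_keys=True) for s in stmts}


def iam_policy_drift(plan_json):
    """Map each updated aws_iam_policy address to the statements found in the live
    policy but not in code, i.e. exactly what the '-' lines of the plan would revert."""
    drift = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_iam_policy" or "update" not in change.get("actions", []):
            continue
        live = _statements((change.get("before") or {}).get("policy"))
        code = _statements((change.get("after") or {}).get("policy"))
        if live - code:
            drift[rc["address"]] = [json.loads(s) for s in sorted(live - code)]
    return drift


if __name__ == "__main__":
    print(json.dumps(iam_policy_drift(SAMPLE_PLAN_JSON), indent=2))
```

Against a real workspace, produce the input with `terraform plan -out=plan.out` followed by `terraform show -json plan.out`; a non-empty result is the signal to investigate who made the change rather than to silently apply over it.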
Context
StackExchange DevOps Q#11936, answer score: 3