HiveBrain v1.2.0

Are manual changes to an aws IAM policy detected by Terraform plan?

Submitted by: @import:stackexchange-devops
Tags: policy, iam, are, manual, detected, plan, changes, aws, terraform

Problem

I know that Terraform does some checks before the plan and can detect some changes but not others, such as detecting changes to variables on a Lambda but not detecting a new secret in Secrets Manager.

Are changes to the IAM policy something it detects?

Solution

Yes, Terraform will detect drift in IAM policies.

Here is my starting point, a policy that allows full S3 and SQS access to specific resources.

# Desired policy, rendered to JSON by Terraform
data "aws_iam_policy_document" "task" {
  # Full SQS access, but only to the one queue
  statement {
    effect  = "Allow"
    actions = ["sqs:*"]
    resources = [
      aws_sqs_queue.my-queue.arn
    ]
  }

  # Full S3 access to the bucket and every object in it
  statement {
    effect  = "Allow"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.my_bucket.arn,
      "${aws_s3_bucket.my_bucket.arn}/*",
    ]
  }
}

# The managed policy whose live document Terraform compares against the rendered JSON
resource "aws_iam_policy" "task_role" {
  name   = "my-task-policy"
  policy = data.aws_iam_policy_document.task.json
}


I then manually added ec2:DescribeInstances to this policy via the AWS Management Console.

To test whether it was detected or not, I ran terraform apply -target aws_iam_policy.task_role

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.task_role will be updated in-place
  ~ resource "aws_iam_policy" "task_role" {
        arn    = "arn:aws:iam::111111111111:policy/my-task-policy"
        id     = "arn:aws:iam::111111111111:policy/my-task-policy"
        name   = "my-task-policy"
        path   = "/"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ... REDACTED...
                  - {
                      - Action   = "ec2:DescribeInstances"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "VisualEditor0"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
    }

Plan: 0 to add, 1 to change, 0 to destroy.


So Terraform correctly detected the drift.
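The plan above works because the provider canonicalises both documents before diffing them: the console wrote the new statement with a list-valued Action and a generated Sid, yet the plan still reports exactly one added statement rather than a rewrite of the whole policy. The script below is an added example of that comparison, written for this page; it is not the Terraform AWS provider's own policy-equivalence code, and the ARNs, region and account ID in the constructed sample policies are placeholders. It normalises string-or-list fields, set-like ordering and Condition values, then reports which statements were added or removed out-of-band.

```python
"""Detect out-of-band drift between a desired IAM policy document and the
live one by comparing canonicalised statements. Added example for this
page; an approximation of the normalisation Terraform performs, not the
provider's own code."""

import json
from collections import Counter

# Constructed sample: the JSON Terraform renders from the page's
# aws_iam_policy_document (placeholder ARNs).
DESIRED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sqs:*",
         "Resource": "arn:aws:sqs:eu-west-1:111111111111:my-queue"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    ],
})

# Constructed sample: the same policy after the console edit described in
# the answer. The console wraps scalars in lists, reorders statements and
# list members, and attaches a Sid to the statement it created.
LIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"]},
        {"Effect": "Allow", "Action": ["sqs:*"],
         "Resource": ["arn:aws:sqs:eu-west-1:111111111111:my-queue"]},
    ],
})

# Statement fields that IAM accepts either as a bare string or as a list.
LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")


def _as_sorted_list(value):
    """Treat "x" and ["x"] alike; order and duplicates carry no meaning."""
    if isinstance(value, str):
        return [value]
    return sorted(set(value))


def canonical_statement(stmt: dict) -> str:
    """Return a key-sorted, list-normalised JSON string for one statement."""
    canon = {}
    for key, value in stmt.items():
        if key in LIST_FIELDS:
            canon[key] = _as_sorted_list(value)
        elif key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            canon[key] = {k: _as_sorted_list(v) for k, v in value.items()}
        elif key == "Condition":
            # {"StringEquals": {"aws:SourceIp": "1.2.3.4"}} == [...] form
            canon[key] = {op: {k: _as_sorted_list(v) for k, v in kv.items()}
                          for op, kv in value.items()}
        else:
            canon[key] = value  # Effect, Sid and anything unrecognised
    return json.dumps(canon, sort_keys=True, separators=(",", ":"))


def canonical_statements(policy_json: str) -> Counter:
    """Multiset of canonical statements; a lone statement may be a bare object."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return Counter(canonical_statement(s) for s in statements)


def policy_drift(desired_json: str, live_json: str) -> dict:
    """Statements present in the live policy but not the desired one, and vice versa."""
    desired = canonical_statements(desired_json)
    live = canonical_statements(live_json)
    return {
        "added": [json.loads(s) for s in (live - desired).elements()],
        "removed": [json.loads(s) for s in (desired - live).elements()],
    }


if __name__ == "__main__":
    print(json.dumps(policy_drift(DESIRED, LIVE), indent=2))
```

Run stand-alone it reports the single ec2:DescribeInstances statement as added and nothing removed, matching the plan in the answer; the reordered S3 and SQS statements are correctly treated as unchanged. For routine drift checks prefer `terraform plan -detailed-exitcode` (exit status 2 means the plan is non-empty, 0 means no changes, 1 an error) over `apply -target`, and keep in mind that Terraform only notices drift when it refreshes state during a plan or apply, so the check has to be scheduled rather than assumed to be continuous.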

Context

StackExchange DevOps Q#11936, answer score: 3
