Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

leftover module module.iam_user in state that should have been removed; this is a bug in Terraform and should be reported #23866

Closed
mmshaikh88 opened this issue Jan 15, 2020 · 2 comments
Closed

leftover module module.iam_user in state that should have been removed; this is a bug in Terraform and should be reported #23866

mmshaikh88 opened this issue Jan 15, 2020 · 2 comments

Comments

@mmshaikh88
Copy link

Terraform Version

Terraform v0.12.19
+ provider.aws v2.44.0

Terraform Configuration Files

main.tf:
-------
provider "aws" {
  region  = var.region
  version = "~> 2.20"
}

terraform {
  backend "s3" {
    bucket = "bucket-location"
    region = "us-west-2"
  }
}

# Not all of these are used yet
locals {
  env_orig         = var.environment
  env_short        = substr(local.env_orig, 0, min(length(local.env_orig), 5))
  name_prefix      = "${var.service}-${local.env_short}-${var.ver}"
  tesv_name_prefix = "${var.team}-${local.env_short}-${var.service}-${var.ver}"
  esv_name_prefix  = "${local.env_short}-${var.service}-${var.ver}"
  common_tags = {
    team        = var.team
    environment = var.environment
    service     = var.service
    version     = var.ver
    Terraform   = "true"
  }
}

data "aws_caller_identity" "current" {
}

output "account_id" {
  value = data.aws_caller_identity.current.account_id
}

output "caller_arn" {
  value = data.aws_caller_identity.current.arn
}

output "caller_user" {
  value = data.aws_caller_identity.current.user_id
}

group-users.tf:
---------------
resource "aws_iam_group" "users" {
  name = "users"
}

resource "aws_iam_policy" "dev_poweruser" {
  name        = "dev_poweruser"
  path        = "/"
  description = "signing dev_poweruser policy."

  policy = file("policy-json-files/managed/dev-poweruser.json")
}

resource "aws_iam_policy" "list_own_user_policy" {
  name        = "list_own_user_policy"
  path        = "/"
  description = " Allow user to list user policy for their own user "

  policy = file("policy-json-files/managed/list-own-user-policy.json")
}

resource "aws_iam_policy" "manage_own_account_with_MFA" {
  name        = "manage_own_account_with_MFA"
  path        = "/"
  description = " Allows user to manage own account provided they are using MFA "

  policy = file("policy-json-files/managed/manage-own-account-with-MFA.json")
}

resource "aws_iam_policy" "manage_own_password" {
  name        = "manage_own_password"
  path        = "/"
  description = " Customer manage own password "

  policy = file("policy-json-files/managed/manage-own-password.json")
}

resource "aws_iam_policy" "Force_MFA" {
  name        = "Force_MFA"
  path        = "/"
  description = " This policy allows users to manage their own passwords and MFA devices but nothing else unless they authenticate with MFA "

  policy = file("policy-json-files/managed/Force_MFA.json")
}

resource "aws_iam_group_policy_attachment" "PowerUserAccess_users" {
  group      = aws_iam_group.users.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

resource "aws_iam_group_policy_attachment" "dev_poweruser_users" {
  group      = aws_iam_group.users.name
  policy_arn = aws_iam_policy.dev_poweruser.arn
}

resource "aws_iam_group_policy_attachment" "list_own_user_policy_users" {
  group      = aws_iam_group.users.name
  policy_arn = aws_iam_policy.list_own_user_policy.arn
}

resource "aws_iam_group_policy_attachment" "manage_own_account_with_MFA_users" {
  group      = aws_iam_group.users.name
  policy_arn = aws_iam_policy.manage_own_account_with_MFA.arn
}

resource "aws_iam_group_policy_attachment" "manage_own_password_users" {
  group      = aws_iam_group.users.name
  policy_arn = aws_iam_policy.manage_own_password.arn
}

resource "aws_iam_group_policy_attachment" "Force_MFA_users" {
  group      = aws_iam_group.users.name
  policy_arn = aws_iam_policy.Force_MFA.arn
}

group-engops-admin.tf:
-------------------------
resource "aws_iam_group" "engops_admin" {
  name = "EngOps_Admin"
}

resource "aws_iam_group_policy_attachment" "AdministratorAccess" {
  group      = aws_iam_group.engops_admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

test_user.tf:
------------
#########################################
# IAM user, login profile and access key
#########################################

variable "admin_user_test_user" {
  description = "admin user flag"
  default = "true"
}

module "iam_user_test_user" {
  source = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "~> 2.0"

  name = "test.user"
  force_destroy = true

  # User has uploaded his public key here - https://keybase.io/test/pgp_keys.asc
  pgp_key = "keybase:mscradlepoint"

  password_reset_required = false

  # SSH public key
  upload_iam_user_ssh_key = false
  # ssh_public_key = ""
}

resource "aws_iam_user_group_membership" "test_user_user" {
  user = module.iam_user_test_user.this_iam_user_name

  groups = [aws_iam_group.users.name,
          ]
}

resource "aws_iam_user_group_membership" "test_user_engops_admin" {
  user = module.iam_user_test_user.this_iam_user_name

  count = var.admin_user_test_user == "true" ? 1 : 0
  groups = [aws_iam_group.engops_admin.name,
          ]
}

Debug Output

Crash Output

Error: leftover module module.iam_user_test_user in state that should have been removed; this is a bug in Terraform and should be reported

Expected Behavior

The resource should have been removed once we have removed the user tf file.

Actual Behavior

Getting error

Steps to Reproduce

Initially using terraform 0.12.13 without any error.
Download terraform 0.12.19 and set as default tf.
terraform init
terraform 0.12upgrade
terraform validate
generate test_user.tf file
terraform init
terraform plan
terraform apply
Remove test_user.tf file
terraform plan
terraform apply

Additional Context

References

https://github.com/terraform-aws-modules/terraform-aws-iam
@hashibot
Copy link
Contributor

Duplicate of #23821

@hashibot hashibot marked this as a duplicate of #23821 Jan 15, 2020
@mmshaikh88 mmshaikh88 mentioned this issue Jan 15, 2020
Closed
@ghost
Copy link

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hashibot @mmshaikh88