aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

sjourdan · 2021-05-06T10:02:47Z

Description

Manually adding an IAM policy on an IAM user was detected as a drift until 0.7.0 but 0.7.1 did not (regression)

0.7.0

❯  driftctl scan --from tfstate://./iam/terraform.tfstate --from tfstate://./vpc/terraform.tfstate --from tfstate://./s3/terraform.tfstate
Scanning resources: ⡿ (55)
Found unmanaged resources:
  aws_iam_access_key:
    - AKIASBXWQ3AYZG3H5ZMP (User: microservice-gae5qn)
  aws_iam_policy_attachment:
    - microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess
[...]
Found 6 resource(s)
 - 50% coverage
 - 3 covered by IaC
 - 3 not covered by IaC
 - 0 deleted on cloud provider
 - 0/3 drifted from IaC

0.7.1

❯  driftctl scan --from tfstate://./iam/terraform.tfstate --from tfstate://./vpc/terraform.tfstate --from tfstate://./s3/terraform.tfstate
Scanned resources:    (56)
Found resources not covered by IaC:
  aws_iam_access_key:
    - AKIASBXWQ3AYZG3H5ZMP (User: microservice-gae5qn)
Found 3 resource(s)
 - 66% coverage
 - 2 covered by IaC
 - 1 not covered by IaC
 - 0 missing on cloud provider
 - 0/2 changed outside of IaC

Environment

OS: fedora 34
driftctl version: 0.7.1

How to reproduce

apply this hcl (tf 0.15.1 in this case)

resource "aws_iam_user" "myuser" {
  name = "myuser"
}

resource "aws_iam_user_policy_attachment" "myuser" {
  user       = aws_iam_user.myuser.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

go to the AWS IAM console and click "add permissions", add whatever policy you want
run driftctl scan

Possible Solution

Additional context

sjourdan · 2021-05-06T10:18:03Z

tldr: cause = Ignoring default AWS resource

❯  dctlenv use 0.7.1
Switching version to v0.7.1
Switching completed

❯  driftctl scan --from tfstate://iam/terraform.tfstate --from tfstate://vpc/terraform.tfstate --from tfstate://s3/terraform.tfstate --output json://stdout
{
	"summary": {
		"total_resources": 3,
		"total_changed": 0,
		"total_unmanaged": 1,
		"total_missing": 0,
		"total_managed": 2
	},
	"managed": [
		{
			"id": "microservice-gae5qn",
			"type": "aws_iam_user"
		},
		{
			"id": "AKIASBXWQ3AYSUC7XHUG",
			"type": "aws_iam_access_key"
		}
	],
	"unmanaged": [
		{
			"id": "AKIASBXWQ3AYZG3H5ZMP",
			"type": "aws_iam_access_key"
		}
	],
	"missing": null,
	"differences": null,
	"coverage": 66,
	"alerts": null
}
❯  dctlenv use 0.7.0
Switching version to v0.7.0
Switching completed

❯  driftctl scan --from tfstate://iam/terraform.tfstate --from tfstate://vpc/terraform.tfstate --from tfstate://s3/terraform.tfstate --output json://stdout
{
	"summary": {
		"total_resources": 6,
		"total_drifted": 0,
		"total_unmanaged": 3,
		"total_deleted": 0,
		"total_managed": 3
	},
	"managed": [
		{
			"id": "microservice-gae5qn",
			"type": "aws_iam_user"
		},
		{
			"id": "microservice-gae5qn-arn:aws:iam::aws:policy/ReadOnlyAccess",
			"type": "aws_iam_policy_attachment"
		},
		{
			"id": "AKIASBXWQ3AYSUC7XHUG",
			"type": "aws_iam_access_key"
		}
	],
	"unmanaged": [
		{
			"id": "AWSServiceRoleForAccessAnalyzer-arn:aws:iam::aws:policy/aws-service-role/AccessAnalyzerServiceRolePolicy",
			"type": "aws_iam_policy_attachment"
		},
		{
			"id": "microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess",
			"type": "aws_iam_policy_attachment"
		},
		{
			"id": "AKIASBXWQ3AYZG3H5ZMP",
			"type": "aws_iam_access_key"
		}
	],
	"deleted": null,
	"differences": null,
	"coverage": 50,
	"alerts": null
}

using LOG_LEVEL=debug

[...]
DEBU[0009] Ignoring default AWS resource id=microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess type=aws_iam_policy_attachment

sundowndev · 2021-05-19T12:45:35Z

Fixed in v0.8.0

n2N8Z · 2023-03-31T12:03:28Z

The code that was removed to fix this issue had a logical flaw, which should have been fixed rather than removing it to solve this issue.
The logical flaw in the removed code was:
defaultRolesCount := 0
...
if defaultRolesCount == len(remoteResource.Attrs.GetSlice("roles")) {
resourcesToIgnore = append(resourcesToIgnore, remoteResource)
...

The effect of this is that if a aws_iam_policy_attachment has no role attachments and only user or group attachments it will be ignored (since defaultRolesCount == 0 and len(roles) == 0) i.e. the reported issue.

sjourdan added the kind/bug Something isn't working label May 6, 2021

sundowndev added this to To do in driftctl via automation May 7, 2021

sundowndev added this to Triage in driftctl via automation May 7, 2021

sundowndev added the priority/0 label May 7, 2021

sundowndev added this to the v0.8.0 milestone May 7, 2021

sundowndev removed this from Triage in driftctl May 7, 2021

sundowndev removed this from To do in driftctl May 7, 2021

sundowndev added this to Triage in driftctl via automation May 7, 2021

sundowndev moved this from Triage to Todo in driftctl May 7, 2021

sundowndev self-assigned this May 7, 2021

sundowndev mentioned this issue May 7, 2021

Remove aws_iam_policy_attachment resources from strict mode #498

Merged

sundowndev moved this from Todo to In Progress in driftctl May 7, 2021

eliecharra moved this from In Progress to Review in driftctl May 10, 2021

eliecharra assigned sjourdan and unassigned sundowndev May 10, 2021

sundowndev closed this as completed May 19, 2021

driftctl automation moved this from Review to Done May 19, 2021

n2N8Z mentioned this issue Mar 31, 2023

Fix aws_iam_policy_attachment drift not detected, without removing aw… #1649

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

sjourdan commented May 6, 2021

sjourdan commented May 6, 2021

sundowndev commented May 19, 2021

n2N8Z commented Mar 31, 2023

aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

Comments

sjourdan commented May 6, 2021

0.7.0

0.7.1

sjourdan commented May 6, 2021

sundowndev commented May 19, 2021

n2N8Z commented Mar 31, 2023