
Lambda IAM Policies Detaching from created IAM Role when Input Order is Changed #629

Open

tammyisaninja opened this issue Oct 11, 2024 · 0 comments · May be fixed by #630


Description

Swapping the order of policies will result in the policies being detached

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 7.13.0

  • Terraform version:
    1.8.3

  • Provider version(s):
    AWS Provider (hashicorp/aws) Version: 5.71.0
    External Provider (hashicorp/external) Version: 2.3.4
    Local Provider (hashicorp/local) Version: 2.5.2
    Null Provider (hashicorp/null) Version: 3.2.3

Reproduction Code [Required]

module "test" {
  source = "terraform-aws-modules/lambda/aws"

  function_name = "test-function"
  description   = "Lambda function testing"
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  architectures = ["arm64"]
  timeout       = 120
  publish       = true

  // Add all files needed
  source_path = [
    "/Users/<user>/workspace/testing/index.ts"
  ]

  // Add IAM policies to role
  role_name          = "test"
  attach_policies    = true
  number_of_policies = 2
  policies = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
  ]
}

Steps to reproduce the behavior:

  1. Run terraform apply with the above code in your AWS account
  2. All IAM policies are attached successfully
  3. Swap the policies' order so that the VPC access policy is above and the Lambda Insights policy is below
  number_of_policies = 2
  policies = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
  ]
  4. Run terraform apply again. The plan is as follows:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.test.aws_iam_role_policy_attachment.additional_many[0] must be replaced
+/- resource "aws_iam_role_policy_attachment" "additional_many" {
      ~ id         = "test-20241011122755971000000001" -> (known after apply)
      ~ policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" -> "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" # forces replacement
        # (1 unchanged attribute hidden)
    }

  # module.test.aws_iam_role_policy_attachment.additional_many[1] must be replaced
+/- resource "aws_iam_role_policy_attachment" "additional_many" {
      ~ id         = "test-20241011122756169000000002" -> (known after apply)
      ~ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" -> "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" # forces replacement
        # (1 unchanged attribute hidden)
    }

Expected behavior

No change to the policy, nothing should happen.

Actual behavior

The policies that have been swapped are removed from the role; however, the terraform apply is reported as successful.

Issues:

  1. Swapping the policies should not cause removal of them from the IAM role
  2. It should not show success

See reasoning below

Terminal Output Screenshot(s)

This is because the creation happens before the deletion.
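The plan above shows why: the attachments are addressed by list position (`additional_many[0]`, `[1]`), so swapping the ARNs changes `policy_arn` at both indexes and forces two replacements, and because an attachment is identified in AWS by the (role, policy) pair, the create-before-destroy sequence lets the destroy of each old instance detach the policy the other index has just re-attached. As an added example, not the module's own code (the page shows only the plan, not the module source), here is the position-indexed pattern that reproduces the plan next to a `for_each` form keyed by the ARN, where reordering the list plans no changes; the resource names `by_index`/`by_arn` and the role definition are assumptions.

```hcl
# Desired managed policies; the order of this list must not matter.
variable "policies" {
  type = list(string)
  default = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",  # For Lambda Insights
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", # For Lambda in a VPC
  ]
}

# Assumed execution role, named to match role_name in the report.
resource "aws_iam_role" "lambda" {
  name = "test"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

# Position-indexed form (reproduces the plan in the report). Swapping the two
# ARNs changes policy_arn at both indexes, so both instances are replaced.
# The destroy of old [0] detaches the ARN that new [1] has just attached, and
# vice versa: apply succeeds while the role ends up with neither policy.
# Shown commented out so it is not applied alongside the keyed form below.
# resource "aws_iam_role_policy_attachment" "by_index" {
#   count      = length(var.policies)
#   role       = aws_iam_role.lambda.name
#   policy_arn = var.policies[count.index]
# }

# Keyed form: the instance address is the ARN itself, so reordering the list
# plans "No changes", and a policy is only detached when it is removed from
# the list.
resource "aws_iam_role_policy_attachment" "by_arn" {
  for_each   = toset(var.policies)
  role       = aws_iam_role.lambda.name
  policy_arn = each.value
}

# Sorted so the output itself is also independent of input order.
output "attached_policy_arns" {
  value = sort([for a in aws_iam_role_policy_attachment.by_arn : a.policy_arn])
}
```

After an apply with either list order, `aws iam list-attached-role-policies --role-name test` should return both ARNs; an empty list there is the symptom this issue describes.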
