aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

@sjourdan

Description

Manually adding an IAM policy to an IAM user was detected as drift until 0.7.0, but 0.7.1 did not detect it (regression).

0.7.0

```
❯  driftctl scan --from tfstate://./iam/terraform.tfstate --from tfstate://./vpc/terraform.tfstate --from tfstate://./s3/terraform.tfstate
Scanning resources: ⡿ (55)
Found unmanaged resources:
  aws_iam_access_key:
    - AKIASBXWQ3AYZG3H5ZMP (User: microservice-gae5qn)
  aws_iam_policy_attachment:
    - microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess
[...]
Found 6 resource(s)
 - 50% coverage
 - 3 covered by IaC
 - 3 not covered by IaC
 - 0 deleted on cloud provider
 - 0/3 drifted from IaC
```

0.7.1

```
❯  driftctl scan --from tfstate://./iam/terraform.tfstate --from tfstate://./vpc/terraform.tfstate --from tfstate://./s3/terraform.tfstate
Scanned resources:    (56)
Found resources not covered by IaC:
  aws_iam_access_key:
    - AKIASBXWQ3AYZG3H5ZMP (User: microservice-gae5qn)
Found 3 resource(s)
 - 66% coverage
 - 2 covered by IaC
 - 1 not covered by IaC
 - 0 missing on cloud provider
 - 0/2 changed outside of IaC
```

Environment

  • OS: fedora 34
  • driftctl version: 0.7.1

How to reproduce

  • apply this HCL (Terraform 0.15.1 in this case):

```hcl
resource "aws_iam_user" "myuser" {
  name = "myuser"
}

resource "aws_iam_user_policy_attachment" "myuser" {
  user       = aws_iam_user.myuser.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

  • go to the AWS IAM console, click "Add permissions", and attach whatever policy you want
  • run `driftctl scan`

Possible Solution

Additional context
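As an added example (this is neither driftctl's code nor the reporter's), the check the reproduction steps describe can be expressed offline: parse the managed `aws_iam_user_policy_attachment` (and, going one step further than the issue, `aws_iam_policy_attachment`) resources out of a Terraform v4 state file, compare them with the live attachments an IAM inventory returns, and report any attachment present on the account but absent from state. The state file and the live inventory are constructed sample data, the live shape follows boto3's `list_attached_user_policies` `AttachedPolicies` entries, and the `<user>-<policy arn>` id format is assumed from the 0.7.0 output above.

```python
"""Added example: offline check for IAM policy attachments not covered by IaC.

Not driftctl's own code. Both inputs below are constructed sample data so the
check runs without AWS credentials.
"""
import json

# Constructed tfstate in the Terraform v4 JSON layout, holding only the two
# resources from the reproduction steps.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_user", "name": "myuser",
         "instances": [{"attributes": {"name": "myuser"}}]},
        {"mode": "managed", "type": "aws_iam_user_policy_attachment", "name": "myuser",
         "instances": [{"attributes": {
             "user": "myuser",
             "policy_arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}]},
    ],
})

# Constructed live inventory keyed by user name. Each entry has the shape of one
# element of boto3 iam.list_attached_user_policies()["AttachedPolicies"]. The
# AdministratorAccess row stands in for the policy attached by hand in the console.
LIVE_ATTACHMENTS = {
    "myuser": [
        {"PolicyName": "ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    ],
}


def managed_user_attachments(tfstate_json):
    """Return the set of (user, policy_arn) pairs the state file manages.

    Handles both aws_iam_user_policy_attachment (single `user`) and
    aws_iam_policy_attachment (a `users` list), so an attachment declared
    either way counts as covered by IaC.
    """
    state = json.loads(tfstate_json)
    managed = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue  # data sources never manage anything
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            arn = attrs.get("policy_arn")
            if not arn:
                continue
            if res["type"] == "aws_iam_user_policy_attachment":
                managed.add((attrs["user"], arn))
            elif res["type"] == "aws_iam_policy_attachment":
                for user in attrs.get("users") or []:
                    managed.add((user, arn))
    return managed


def live_user_attachments(live):
    """Flatten the per-user inventory into (user, policy_arn) pairs."""
    return {(user, p["PolicyArn"]) for user, policies in live.items() for p in policies}


def attachment_id(user, arn):
    # Assumed id format, mirroring the "<user>-<policy arn>" lines in the 0.7.0 output.
    return f"{user}-{arn}"


def unmanaged_attachments(tfstate_json, live):
    """Attachments present on the account but not declared in state (the drift
    that 0.7.0 reported and 0.7.1 missed)."""
    extra = live_user_attachments(live) - managed_user_attachments(tfstate_json)
    return sorted(attachment_id(u, a) for u, a in extra)


def missing_attachments(tfstate_json, live):
    """Attachments declared in state but no longer present on the account."""
    gone = managed_user_attachments(tfstate_json) - live_user_attachments(live)
    return sorted(attachment_id(u, a) for u, a in gone)


def coverage_summary(tfstate_json, live):
    """Counts in the spirit of the scan footer: coverage is the share of live
    attachments that state manages, as an integer percentage."""
    managed = managed_user_attachments(tfstate_json)
    live_set = live_user_attachments(live)
    covered = len(managed & live_set)
    not_covered = len(live_set - managed)
    total = covered + not_covered
    return {
        "covered": covered,
        "not_covered": not_covered,
        "missing": len(managed - live_set),
        "coverage_pct": (100 * covered // total) if total else 100,
    }


if __name__ == "__main__":
    for ident in unmanaged_attachments(SAMPLE_TFSTATE, LIVE_ATTACHMENTS):
        print("not covered by IaC:", ident)
    print(coverage_summary(SAMPLE_TFSTATE, LIVE_ATTACHMENTS))
```

Against real infrastructure the `LIVE_ATTACHMENTS` dict would be filled from an IAM inventory call per user; the comparison logic itself is the part worth keeping as a regression check alongside a tool upgrade, since a scanner that silently stops reporting a resource type looks identical to a clean account.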

Labels: kind/bug