
fix: Replace count with for_each in additional_many policy attachment#738

Closed
gungoren wants to merge 3 commits into terraform-aws-modules:master from gungoren:fix/iam-policy-attachment-for-each

Conversation

@gungoren


Summary

  • Replaces count with for_each in aws_iam_role_policy_attachment.additional_many
  • Uses policy ARN as the stable for_each key instead of list index
  • Prevents unnecessary detach/reattach of all policies when one is removed from the front or middle of the list, which causes Lambda functions to temporarily lose access to external services during the destroy→attach cycle

Problem

When using count with a list of policy ARNs, Terraform tracks attachments by index. Removing any item other than the last causes all subsequent resources to be re-indexed, triggering a full detach of all policies followed by reattachment of the remaining ones. During this window, the Lambda function loses IAM permissions.

Solution

Switch to for_each with toset(var.policies), using the ARN itself as the stable key. This ensures Terraform only destroys the specific attachment being removed, leaving all others untouched.

Test plan

  • Apply with existing policies — verify no changes detected
  • Remove a policy from the front of the list — verify only that attachment is destroyed, others are untouched
  • Verify Lambda functions retain external service access during policy changes
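An added illustration of the index-versus-key behaviour described above; this is not code from the PR or from the module. It assumes the module's role resource is `aws_iam_role.lambda[0]` and that `local.create_role` and `var.attach_policies` gate the attachment, as they do in the example below; the ARN in the `moved` block is a placeholder.

```hcl
# Before (kept as a comment because only one definition of the resource can exist):
# attachments are addressed by list index, so deleting var.policies[0] shifts every
# remaining ARN to a new index and the plan destroys and recreates all of them.
#
# resource "aws_iam_role_policy_attachment" "additional_many" {
#   count      = local.create_role && var.attach_policies ? length(var.policies) : 0
#   role       = aws_iam_role.lambda[0].name
#   policy_arn = var.policies[count.index]
# }

# After: each attachment is addressed by its policy ARN. Removing one ARN from
# var.policies produces exactly one "destroy" in the plan; the rest are untouched.
resource "aws_iam_role_policy_attachment" "additional_many" {
  for_each   = local.create_role && var.attach_policies ? toset(var.policies) : toset([])
  role       = aws_iam_role.lambda[0].name
  policy_arn = each.value
}

# Migration caveat: existing state still holds index keys. Without a moved block
# (or `terraform state mv`), the first apply after this change detaches and
# reattaches everything once, which is the outage the PR is trying to avoid.
# One moved block is needed per existing index; the ARN below is a placeholder.
moved {
  from = aws_iam_role_policy_attachment.additional_many[0]
  to   = aws_iam_role_policy_attachment.additional_many["arn:aws:iam::aws:policy/EXAMPLE-PLACEHOLDER"]
}
```

A second caveat for reviewers: `for_each` keys must be known at plan time, so ARNs of policies created in the same apply (for example `aws_iam_policy.x.arn`) will fail with "Invalid for_each argument" where `count` with a separately supplied policy count did not.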

… to prevent detach/reattach on list reorder

Signed-off-by: Mehmet Gungoren <mehgungoren@gmail.com>
@gungoren gungoren changed the title "fix: replace count with for_each in additional_many policy attachment" to "fix: Replace count with for_each in additional_many policy attachment" on Mar 17, 2026
Signed-off-by: Mehmet Gungoren <mehgungoren@gmail.com>
…moval

Signed-off-by: Mehmet Gungoren <mehgungoren@gmail.com>
@github-actions


This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions Bot added the stale label Apr 17, 2026
@github-actions


This PR was automatically closed because of stale in 10 days

@github-actions github-actions Bot closed this Apr 27, 2026
@github-actions


I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 28, 2026
1 participant