Noticed that each terraform plan shows this change:
Terraform will perform the following actions:
# aws_iam_role.search_index_lambda will be updated in-place
~ resource "aws_iam_role" "search_index_lambda" {
id = "search_index_lambda"
~ managed_policy_arns = [
- "arn:aws:iam::[CENSORED]:policy/opensearch-domain-access-policy",
# (3 unchanged elements hidden)
]
name = "search_index_lambda"
tags = {}
# (8 unchanged attributes hidden)
}
# aws_iam_role_policy_attachment.AWSLambdaVPCAccessExecutionRole will be created
+ resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+ role = "search_index_lambda"
}This is because we use both managed_policy_arns field in "aws_iam_role" as well as "aws_iam_role_policy_attachment" resource.
When reading state, terraform doesn't know that managed_policy_arns list is not exhaustive and shows the diff when encountered value added by aws_iam_role_policy_attachment.
Deciding to use either managed_policy_arns or "aws_iam_role_policy_attachment", solves the issue. I chose the latter (better flexibility at the cost of verbosity)