So, I have an AWS IAM Group created via TF that has a certain IAM Policy attached to it. A Junior came in and attached an Admin policy to that group - MANUALLY! Running “terraform plan” is not going to show this drift as it doesn’t control this new “attachment” resource that exists between my IAM Group and IAM Policy! How do I check for drifts then? How do I ensure this is detected and controlled? Why does AWS have to treat this “attachment” as a resource and not an attribute that got changed?
There isn’t anything Terraform can do to help you here. Terraform knows nothing about this extra attachment and therefore isn’t ever going to check it or see it as needing adjustments.
The AWS provider gets to decide what is presented as a resource and what becomes an attribute or block within a resource. Generally providers will make that decision based on the underlying APIs - If there are multiple things handled by a single API you’d generally represent that as a single resource, while multiple different APIs would generally result in multiple resource types.
A tool that might be useful for your issue is GitHub - cloudskiff/driftctl: Detect, track and alert on infrastructure drift
I know what you said because it’s not Terraform’s design but that of AWS…but wouldn’t it be nice if AWS Provider treated it as an attribute?! But right, lke you said, they might have decided to split it into resource as the APIs would be too “heavy”?!