Merge pull request #5740 from mgarstecki/allow_empty_role_permissions…

…_boundary Allow empty permissions boundary field in AWS role.
hashicorp · Aug 31, 2018 · a446de8 · a446de8
2 parents 876ecaf + 179c3b7
commit a446de8
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/aws/resource_aws_iam_role.go b/aws/resource_aws_iam_role.go
@@ -87,7 +87,7 @@ func resourceAwsIamRole() *schema.Resource {
 			"permissions_boundary": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				ValidateFunc: validation.StringLenBetween(20, 2048),
+				ValidateFunc: validateMaxLength(2048),
 			},
 
 			"description": {

diff --git a/aws/resource_aws_iam_role_test.go b/aws/resource_aws_iam_role_test.go
@@ -242,6 +242,7 @@ func TestAccAWSIAMRole_PermissionsBoundary(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSRoleExists(resourceName, &role),
 					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
+					testAccCheckAWSRolePermissionsBoundary(&role, permissionsBoundary1),
 				),
 			},
 			// Test update
@@ -250,6 +251,7 @@ func TestAccAWSIAMRole_PermissionsBoundary(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSRoleExists(resourceName, &role),
 					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary2),
+					testAccCheckAWSRolePermissionsBoundary(&role, permissionsBoundary2),
 				),
 			},
 			// Test import
@@ -265,6 +267,7 @@ func TestAccAWSIAMRole_PermissionsBoundary(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSRoleExists(resourceName, &role),
 					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", ""),
+					testAccCheckAWSRolePermissionsBoundary(&role, ""),
 				),
 			},
 			// Test addition
@@ -273,6 +276,16 @@ func TestAccAWSIAMRole_PermissionsBoundary(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSRoleExists(resourceName, &role),
 					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
+					testAccCheckAWSRolePermissionsBoundary(&role, permissionsBoundary1),
+				),
+			},
+			// Test empty value
+			{
+				Config: testAccCheckIAMRoleConfig_PermissionsBoundary(rName, ""),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSRoleExists(resourceName, &role),
+					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", ""),
+					testAccCheckAWSRolePermissionsBoundary(&role, ""),
 				),
 			},
 		},
@@ -399,6 +412,22 @@ func testAccAddAwsIAMRolePolicy(n string) resource.TestCheckFunc {
 	}
 }
 
+func testAccCheckAWSRolePermissionsBoundary(getRoleOutput *iam.GetRoleOutput, expectedPermissionsBoundaryArn string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		actualPermissionsBoundaryArn := ""
+
+		if getRoleOutput.Role.PermissionsBoundary != nil {
+			actualPermissionsBoundaryArn = *getRoleOutput.Role.PermissionsBoundary.PermissionsBoundaryArn
+		}
+
+		if actualPermissionsBoundaryArn != expectedPermissionsBoundaryArn {
+			return fmt.Errorf("PermissionsBoundary: '%q', expected '%q'.", actualPermissionsBoundaryArn, expectedPermissionsBoundaryArn)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckIAMRoleConfig_MaxSessionDuration(rName string, maxSessionDuration int) string {
 	return fmt.Sprintf(`
 resource "aws_iam_role" "test" {