Merge pull request #5186 from terraform-providers/f-aws_iam_role-ds-p…

…ermissions_boundary data-source/aws_iam_role: Add permissions_boundary attribute
hashicorp · Jul 24, 2018 · b559a3d · b559a3d
2 parents 9337cf2 + 2f77213
commit b559a3d
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 4 deletions.
diff --git a/aws/data_source_aws_iam_role.go b/aws/data_source_aws_iam_role.go
@@ -2,7 +2,11 @@ package aws
 
 import (
 	"fmt"
+	"net/url"
+	"time"
 
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/hashicorp/terraform/helper/schema"
 )
 
@@ -28,6 +32,10 @@ func dataSourceAwsIAMRole() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"permissions_boundary": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"role_id": {
 				Type:       schema.TypeString,
 				Computed:   true,
@@ -63,6 +71,8 @@ func dataSourceAwsIAMRole() *schema.Resource {
 }
 
 func dataSourceAwsIAMRoleRead(d *schema.ResourceData, meta interface{}) error {
+	iamconn := meta.(*AWSClient).iamconn
+
 	name, hasName := d.GetOk("name")
 	roleName, hasRoleName := d.GetOk("role_name")
 
@@ -78,10 +88,40 @@ func dataSourceAwsIAMRoleRead(d *schema.ResourceData, meta interface{}) error {
 	}
 	d.SetId(id)
 
-	data := resourceAwsIamRoleRead(d, meta)
+	input := &iam.GetRoleInput{
+		RoleName: aws.String(d.Id()),
+	}
+
+	output, err := iamconn.GetRole(input)
+	if err != nil {
+		return fmt.Errorf("Error reading IAM Role %s: %s", d.Id(), err)
+	}
+
+	d.Set("arn", output.Role.Arn)
+	if err := d.Set("create_date", output.Role.CreateDate.Format(time.RFC3339)); err != nil {
+		return err
+	}
+	d.Set("description", output.Role.Description)
+	d.Set("max_session_duration", output.Role.MaxSessionDuration)
+	d.Set("name", output.Role.RoleName)
+	d.Set("path", output.Role.Path)
+	d.Set("permissions_boundary", "")
+	if output.Role.PermissionsBoundary != nil {
+		d.Set("permissions_boundary", output.Role.PermissionsBoundary.PermissionsBoundaryArn)
+	}
+	d.Set("unique_id", output.Role.RoleId)
+
+	assumRolePolicy, err := url.QueryUnescape(aws.StringValue(output.Role.AssumeRolePolicyDocument))
+	if err != nil {
+		return err
+	}
+	if err := d.Set("assume_role_policy", assumRolePolicy); err != nil {
+		return err
+	}
+
 	// Keep backward compatibility with previous attributes
-	d.Set("role_id", d.Get("unique_id").(string))
-	d.Set("assume_role_policy_document", d.Get("assume_role_policy").(string))
+	d.Set("role_id", output.Role.RoleId)
+	d.Set("assume_role_policy_document", assumRolePolicy)
 
-	return data
+	return nil
 }
diff --git a/aws/data_source_aws_iam_role_test.go b/aws/data_source_aws_iam_role_test.go
@@ -22,6 +22,7 @@ func TestAccAWSDataSourceIAMRole_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.aws_iam_role.test", "unique_id"),
 					resource.TestCheckResourceAttrSet("data.aws_iam_role.test", "assume_role_policy"),
 					resource.TestCheckResourceAttr("data.aws_iam_role.test", "path", "/testpath/"),
+					resource.TestCheckResourceAttr("data.aws_iam_role.test", "permissions_boundary", ""),
 					resource.TestCheckResourceAttr("data.aws_iam_role.test", "name", roleName),
 					resource.TestCheckResourceAttrSet("data.aws_iam_role.test", "create_date"),
 					resource.TestMatchResourceAttr("data.aws_iam_role.test", "arn",

diff --git a/website/docs/d/iam_role.html.markdown b/website/docs/d/iam_role.html.markdown
@@ -30,4 +30,5 @@ data "aws_iam_role" "example" {
 * `arn` - The Amazon Resource Name (ARN) specifying the role.
 * `assume_role_policy` - The policy document associated with the role.
 * `path` - The path to the role.
+* `permissions_boundary` - The ARN of the policy that is used to set the permissions boundary for the role.
 * `unique_id` - The stable and unique string identifying the role.