From 2f77213ccb6f97552da17729dc1ccc469b7fd62e Mon Sep 17 00:00:00 2001
From: Brian Flad
Date: Fri, 13 Jul 2018 13:41:27 -0400
Subject: [PATCH] data-source/aws_iam_role: Add permissions_boundary attribute
---
 aws/data_source_aws_iam_role.go | 48 ++++++++++++++++++++++++---
 aws/data_source_aws_iam_role_test.go | 1 +
 website/docs/d/iam_role.html.markdown | 1 +
 3 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/aws/data_source_aws_iam_role.go b/aws/data_source_aws_iam_role.go
index fe4f6f657c4..26af5a2fb01 100644
--- a/aws/data_source_aws_iam_role.go
+++ b/aws/data_source_aws_iam_role.go
@@ -2,7 +2,11 @@ package aws
 import (
 "fmt"
+ "net/url"
+ "time"
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/iam"
 "github.com/hashicorp/terraform/helper/schema"
 )
@@ -28,6 +32,10 @@ func dataSourceAwsIAMRole() *schema.Resource {
 Type: schema.TypeString,
 Computed: true,
 },
+ "permissions_boundary": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
 "role_id": {
 Type: schema.TypeString,
 Computed: true,
@@ -63,6 +71,8 @@ func dataSourceAwsIAMRole() *schema.Resource {
 }
 func dataSourceAwsIAMRoleRead(d *schema.ResourceData, meta interface{}) error {
+ iamconn := meta.(*AWSClient).iamconn
+
 name, hasName := d.GetOk("name")
 roleName, hasRoleName := d.GetOk("role_name")
@@ -78,10 +88,40 @@ func dataSourceAwsIAMRoleRead(d *schema.ResourceData, meta interface{}) error {
 }
 d.SetId(id)
- data := resourceAwsIamRoleRead(d, meta)
+ input := &iam.GetRoleInput{
+ RoleName: aws.String(d.Id()),
+ }
+
+ output, err := iamconn.GetRole(input)
+ if err != nil {
+ return fmt.Errorf("Error reading IAM Role %s: %s", d.Id(), err)
+ }
+
+ d.Set("arn", output.Role.Arn)
+ if err := d.Set("create_date", output.Role.CreateDate.Format(time.RFC3339)); err != nil {
+ return err
+ }
+ d.Set("description", output.Role.Description)
+ d.Set("max_session_duration", output.Role.MaxSessionDuration)
+ d.Set("name", output.Role.RoleName)
+ d.Set("path", output.Role.Path)
+ d.Set("permissions_boundary", "")
+ if output.Role.PermissionsBoundary != nil {
+ d.Set("permissions_boundary", output.Role.PermissionsBoundary.PermissionsBoundaryArn)
+ }
+ d.Set("unique_id", output.Role.RoleId)
+
+ assumRolePolicy, err := url.QueryUnescape(aws.StringValue(output.Role.AssumeRolePolicyDocument))
+ if err != nil {
+ return err
+ }
+ if err := d.Set("assume_role_policy", assumRolePolicy); err != nil {
+ return err
+ }
+
 // Keep backward compatibility with previous attributes
- d.Set("role_id", d.Get("unique_id").(string))
- d.Set("assume_role_policy_document", d.Get("assume_role_policy").(string))
+ d.Set("role_id", output.Role.RoleId)
+ d.Set("assume_role_policy_document", assumRolePolicy)
- return data
+ return nil
 }
diff --git a/aws/data_source_aws_iam_role_test.go b/aws/data_source_aws_iam_role_test.go
index e0f34481d62..ffdd10cc451 100644
--- a/aws/data_source_aws_iam_role_test.go
+++ b/aws/data_source_aws_iam_role_test.go
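Review bot: `output.Role.CreateDate.Format(time.RFC3339)` calls a method through the SDK's `*time.Time` pointer with no nil check, so a role record whose CreateDate is absent would panic the provider instead of surfacing an error; `aws.TimeValue(output.Role.CreateDate).Format(time.RFC3339)` yields the same string for a populated value and matches the `aws.StringValue` guard this hunk already applies to `AssumeRolePolicyDocument`. Error handling inside the same block is inconsistent: `create_date` and `assume_role_policy` check the result of `d.Set`, while `arn`, `description`, `max_session_duration`, `name`, `path`, `permissions_boundary`, `unique_id` and the two compatibility attributes discard it, so a schema/type mismatch on those would be lost silently — check all of them or none. The local `assumRolePolicy` reads like a typo for `assumeRolePolicy`. The enclosing function begins in the previous hunk (`@@ -63,6 +71,8 @@`), where `iamconn` is declared.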
@@ -22,6 +22,7 @@ func TestAccAWSDataSourceIAMRole_basic(t *testing.T) {
 resource.TestCheckResourceAttrSet("data.aws_iam_role.test", "unique_id"),
 resource.TestCheckResourceAttrSet("data.aws_iam_role.test", "assume_role_policy"),
 resource.TestCheckResourceAttr("data.aws_iam_role.test", "path", "/testpath/"),
+ resource.TestCheckResourceAttr("data.aws_iam_role.test", "permissions_boundary", ""),
 resource.TestCheckResourceAttr("data.aws_iam_role.test", "name", roleName),
 resource.TestCheckResourceAttrSet("data.aws_iam_role.test", "create_date"),
 resource.TestMatchResourceAttr("data.aws_iam_role.test", "arn",
diff --git a/website/docs/d/iam_role.html.markdown b/website/docs/d/iam_role.html.markdown
index b2e981794e3..a23ff830b95 100644
--- a/website/docs/d/iam_role.html.markdown
+++ b/website/docs/d/iam_role.html.markdown
@@ -30,4 +30,5 @@ data "aws_iam_role" "example" {
 * `arn` - The Amazon Resource Name (ARN) specifying the role.
 * `assume_role_policy` - The policy document associated with the role.
 * `path` - The path to the role.
+* `permissions_boundary` - The ARN of the policy that is used to set the permissions boundary for the role.
 * `unique_id` - The stable and unique string identifying the role.