-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/iam_role: Delete inline policies when force_detach_policies = true #2388
Changes from 3 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -138,6 +138,25 @@ func TestAccAWSIAMRole_badJSON(t *testing.T) { | |
}) | ||
} | ||
|
||
func TestAccAWSIAMRole_force_detach_policies(t *testing.T) { | ||
var conf iam.GetRoleOutput | ||
rName := acctest.RandString(10) | ||
|
||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckAWSRoleDestroy, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccAWSIAMRoleConfig_force_detach_policies(rName), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckAWSRoleExists("aws_iam_role.test", &conf), | ||
), | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccCheckAWSRoleDestroy(s *terraform.State) error { | ||
iamconn := testAccProvider.Meta().(*AWSClient).iamconn | ||
|
||
|
@@ -375,3 +394,71 @@ POLICY | |
} | ||
`, rName) | ||
} | ||
|
||
func testAccAWSIAMRoleConfig_force_detach_policies(rName string) string { | ||
return fmt.Sprintf(` | ||
resource "aws_iam_role_policy" "test" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Technically we're not really testing the new functionality here IMO, because the policy will get destroyed first due to its relationship and There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That's right👍 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So I think the easier way is to add policies outside of the config, instead of removing them from state. We could add Steps: []resource.TestStep{
{
Config: testAccAWSIAMRoleConfig_force_detach_policies(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSRoleExists("aws_iam_role.test", &conf),
testAccAddAWSIAMRolePolicy("aws_iam_role.test"),
),
},
}, which would just call the API to add a policy outside of any Terraform CRUD. Testing framework will then attempt to destroy the role and exercise this new functionality. |
||
name = "tf-iam-role-policy-%s" | ||
role = "${aws_iam_role.test.id}" | ||
|
||
policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": [ | ||
"ec2:Describe*" | ||
], | ||
"Effect": "Allow", | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_policy" "test" { | ||
name = "tf-iam-policy-%s" | ||
description = "A test policy" | ||
policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": [ | ||
"iam:ChangePassword" | ||
], | ||
"Resource": "*", | ||
"Effect": "Allow" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "test" { | ||
role = "${aws_iam_role.test.name}" | ||
policy_arn = "${aws_iam_policy.test.arn}" | ||
} | ||
|
||
resource "aws_iam_role" "test" { | ||
name = "tf-iam-role-%s" | ||
force_detach_policies = true | ||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": { | ||
"Service": "ec2.amazonaws.com" | ||
}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
`, rName, rName, rName) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't we going to miss some policies here potentially due to pagination? How do you feel about using
ListRolePoliciesPages
instead?