resource/aws_iam_role: Use ListAttachedRolePoliciesPages

[atsushi-ishibashi]

Managed policies may exceed the first response of ListAttachedRolePolicies.

[atsushi-ishibashi]

@Ninir @bflad This is not enhanccement, but bug.

[bflad]

@atsushi-ishibashi are you hitting this and missing results? If so, do you have a lot of managed IAM roles or did AWS increase your role policy attachment limit? The IAM limits documentation states by default:

Managed policies attached to an IAM role: 10

I guess you could be hitting the second part of ListAttachedRolePoliciesInput documentation for MaxItems by default:

    // (Optional) Use this only when paginating results to indicate the maximum
    // number of items you want in the response. If additional items exist beyond
    // the maximum you specify, the IsTruncated response element is true.
    //
    // If you do not include this parameter, it defaults to 100. Note that IAM might
    // return fewer results, even when there are more results available. In that
    // case, the IsTruncated response element returns true and Marker contains a
    // value to include in the subsequent call that tells the service where to continue
    // from.
    MaxItems *int64 `min:"1" type:"integer"`

Please confirm what you're seeing and we'll prioritize accordingly. Thanks.

[atsushi-ishibashi]

@bflad Thanks. Actually I didn't come across the bug but when I implemented #2388, I rememberd that I would fix pagination similar to ListRolePoliciesPages.

[bflad]

LGTM and thanks for this fix @atsushi-ishibashi -- I'm going to pull in this PR right now for a few reasons:

• Its small and I basically had already gone through it
• We potentially were missing results since in the old code we were not checking NextToken and IAM was not guaranteeing all results in the first response according to the documentation
• This brings the attached policy code in line with the inline policy code right below it

make testacc TEST=./aws TESTARGS='-run=TestAccAWSIAMRole'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSIAMRole -timeout 120m
=== RUN   TestAccAWSIAMRolePolicy_importBasic
--- PASS: TestAccAWSIAMRolePolicy_importBasic (9.65s)
=== RUN   TestAccAWSIAMRole_importBasic
--- PASS: TestAccAWSIAMRole_importBasic (8.39s)
=== RUN   TestAccAWSIAMRolePolicy_basic
--- PASS: TestAccAWSIAMRolePolicy_basic (14.30s)
=== RUN   TestAccAWSIAMRolePolicy_namePrefix
--- PASS: TestAccAWSIAMRolePolicy_namePrefix (7.08s)
=== RUN   TestAccAWSIAMRolePolicy_generatedName
--- PASS: TestAccAWSIAMRolePolicy_generatedName (7.15s)
=== RUN   TestAccAWSIAMRolePolicy_invalidJSON
--- PASS: TestAccAWSIAMRolePolicy_invalidJSON (1.17s)
=== RUN   TestAccAWSIAMRole_basic
--- PASS: TestAccAWSIAMRole_basic (8.78s)
=== RUN   TestAccAWSIAMRole_basicWithDescription
--- PASS: TestAccAWSIAMRole_basicWithDescription (17.71s)
=== RUN   TestAccAWSIAMRole_namePrefix
--- PASS: TestAccAWSIAMRole_namePrefix (8.55s)
=== RUN   TestAccAWSIAMRole_testNameChange
--- PASS: TestAccAWSIAMRole_testNameChange (14.10s)
=== RUN   TestAccAWSIAMRole_badJSON
--- PASS: TestAccAWSIAMRole_badJSON (0.80s)
=== RUN   TestAccAWSIAMRole_force_detach_policies
--- PASS: TestAccAWSIAMRole_force_detach_policies (9.82s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	107.549s

I'm going to quickly comb through the existing issues to see if this actually closes out any of them.

[bflad]

This has been released in terraform-provider-aws version 1.7.1. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!