-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/iam_role: Delete inline policies when force_detach_policies = true #2388
Conversation
|
the current
So when inlined policies are attached to role, you got error In this PR, delete inline policies when |
@atsushi-ishibashi |
|
||
func testAccAWSIAMRoleConfig_force_detach_policies(rName string) string { | ||
return fmt.Sprintf(` | ||
resource "aws_iam_role_policy" "test" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically we're not really testing the new functionality here IMO, because the policy will get destroyed first due to its relationship and force_destroy
won't get chance to ever take action.
I think we'd need to remove those policies from state as part of the test in order to verify it actually works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's right👍
But I couldn't have an idea to realize it... Could you give me advice?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I think the easier way is to add policies outside of the config, instead of removing them from state. We could add testAccAddAWSIAMRolePolicy("aws_iam_role.test")
to your new test:
Steps: []resource.TestStep{
{
Config: testAccAWSIAMRoleConfig_force_detach_policies(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSRoleExists("aws_iam_role.test", &conf),
testAccAddAWSIAMRolePolicy("aws_iam_role.test"),
),
},
},
which would just call the API to add a policy outside of any Terraform CRUD.
Testing framework will then attempt to destroy the role and exercise this new functionality.
aws/resource_aws_iam_role.go
Outdated
@@ -285,6 +285,25 @@ func resourceAwsIamRoleDelete(d *schema.ResourceData, meta interface{}) error { | |||
} | |||
} | |||
} | |||
// For inline policies | |||
inlinePoliciesResp, err := iamconn.ListRolePolicies(&iam.ListRolePoliciesInput{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't we going to miss some policies here potentially due to pagination? How do you feel about using ListRolePoliciesPages
instead?
@radeksimko Ok👍
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks.
This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Fix: #2279