Skip to content

Commit

Permalink
iam_managed_policy - fix copy and paste mistake which results in Para…
Browse files Browse the repository at this point in the history
…mValidationError during policy deletion (ansible-collections#2068)

iam_managed_policy - fix ParamValidationError during policy deletion

SUMMARY
fixes: ansible-collections#2067
Introduced by ansible-collections#1998
A copy and paste mistake in ansible-collections#1998 resulted in ParamValidationErrors being triggered when deleting a managed policy which is still attached to a role or user.
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
iam_managed_policy
plugins/module_utils/iam.py
ADDITIONAL INFORMATION

Reviewed-by: Alina Buzachis
  • Loading branch information
tremble authored and abraverm committed May 1, 2024
1 parent bc38fb3 commit d358717
Show file tree
Hide file tree
Showing 5 changed files with 79 additions and 2 deletions.
3 changes: 3 additions & 0 deletions changelogs/fragments/2067-iam_managed_policy-delete.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
---
bugfixes:
- iam_managed_policy - fixes bug that causes ``ParamValidationError`` when attempting to delete a policy that's attached to a role or a user (https://github.com/ansible-collections/amazon.aws/issues/2067).
4 changes: 2 additions & 2 deletions plugins/module_utils/iam.py
Original file line number Diff line number Diff line change
Expand Up @@ -49,14 +49,14 @@ def detach_iam_group_policy(client, arn, group):
@IAMErrorHandler.deletion_error_handler("detach role policy")
@AWSRetry.jittered_backoff()
def detach_iam_role_policy(client, arn, role):
client.detach_group_policy(PolicyArn=arn, RoleName=role)
client.detach_role_policy(PolicyArn=arn, RoleName=role)
return True


@IAMErrorHandler.deletion_error_handler("detach user policy")
@AWSRetry.jittered_backoff()
def detach_iam_user_policy(client, arn, user):
client.detach_group_policy(PolicyArn=arn, UserName=user)
client.detach_user_policy(PolicyArn=arn, UserName=user)
return True


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,6 @@
policy_name: "{{ resource_prefix }}-policy"
policy_path: "/ansible-test-{{ tiny_prefix }}/"
policy_description: "An example Managed Policy description"
test_role: "{{ resource_prefix }}-mp-role"
test_user: "{{ resource_prefix }}-mp-user"
test_group: "{{ resource_prefix }}-mp-group"
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": { "Service": "ec2.amazonaws.com" },
"Effect": "Deny"
}
]
}
61 changes: 61 additions & 0 deletions tests/integration/targets/iam_managed_policy/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,21 @@
collections:
- amazon.aws
block:
- name: Create IAM group
amazon.aws.iam_group:
name: "{{ test_group }}"
state: present
- name: Create IAM user
amazon.aws.iam_user:
name: "{{ test_user }}"
state: present
- name: Create IAM role
amazon.aws.iam_role:
name: "{{ test_role }}"
assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
create_instance_profile: false
state: present

## Test policy creation
- name: Create IAM managed policy - check mode
amazon.aws.iam_managed_policy:
Expand Down Expand Up @@ -448,14 +463,60 @@
- result.policy.tags["Tag C"] == "Value C"
- result.policy.tags["tag d"] == "value d"

- name: Attach managed policy to group
amazon.aws.iam_group:
name: "{{ test_group }}"
state: present
managed_policies:
- "{{ policy_name }}"
- name: Attach managed policy to user
amazon.aws.iam_user:
name: "{{ test_user }}"
state: present
managed_policies:
- "{{ policy_name }}"
- name: Attach managed policy to role
amazon.aws.iam_role:
name: "{{ test_role }}"
state: present
assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
managed_policies:
- "{{ policy_name }}"

- name: Delete IAM managed policy
amazon.aws.iam_managed_policy:
policy_name: "{{ policy_name }}"
state: absent

- name: Delete IAM group
amazon.aws.iam_group:
name: "{{ test_group }}"
state: absent
- name: Delete IAM user
amazon.aws.iam_user:
name: "{{ test_user }}"
state: absent
- name: Delete IAM role
amazon.aws.iam_role:
name: "{{ test_role }}"
state: absent

always:
- name: Delete IAM managed policy
amazon.aws.iam_managed_policy:
policy_name: "{{ policy_name }}"
state: absent
ignore_errors: true # noqa: ignore-errors

- name: Delete IAM group
amazon.aws.iam_group:
name: "{{ test_group }}"
state: absent
- name: Delete IAM user
amazon.aws.iam_user:
name: "{{ test_user }}"
state: absent
- name: Delete IAM role
amazon.aws.iam_role:
name: "{{ test_role }}"
state: absent

0 comments on commit d358717

Please sign in to comment.