From 97dbccc3ca80833de0e74c14d9a68b060609dfce Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Tue, 30 Apr 2024 14:01:43 +0200
Subject: [PATCH] iam_managed_policy - fix copy and paste mistake which results in ParamValidationError during policy deletion (#2068)
iam_managed_policy - fix ParamValidationError during policy deletion SUMMARY fixes: #2067 Introduced by #1998 A copy and paste mistake in #1998 resulted in ParamValidationErrors being triggered when deleting a managed policy which is still attached to a role or user. ISSUE TYPE Bugfix Pull Request COMPONENT NAME iam_managed_policy plugins/module_utils/iam.py ADDITIONAL INFORMATION Reviewed-by: Alina Buzachis (cherry picked from commit 970c30329167632e94ecce321cec5a9112757075)
---
 .../2067-iam_managed_policy-delete.yml | 3 +
 plugins/module_utils/iam.py | 4 +-
 .../iam_managed_policy/defaults/main.yml | 3 +
 .../iam_managed_policy/files/deny-assume.json | 10 +++
 .../targets/iam_managed_policy/tasks/main.yml | 61 +++++++++++++++++++
 5 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/2067-iam_managed_policy-delete.yml
 create mode 100644 tests/integration/targets/iam_managed_policy/files/deny-assume.json
diff --git a/changelogs/fragments/2067-iam_managed_policy-delete.yml b/changelogs/fragments/2067-iam_managed_policy-delete.yml
new file mode 100644
index 00000000000..1bef1980d91
--- /dev/null
+++ b/changelogs/fragments/2067-iam_managed_policy-delete.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+ - iam_managed_policy - fixes bug that causes ``ParamValidationError`` when attempting to delete a policy that's attached to a role or a user (https://github.com/ansible-collections/amazon.aws/issues/2067).
diff --git a/plugins/module_utils/iam.py b/plugins/module_utils/iam.py
index 56920d53eb3..9a345abf7a7 100644
--- a/plugins/module_utils/iam.py
+++ b/plugins/module_utils/iam.py
@@ -49,14 +49,14 @@ def detach_iam_group_policy(client, arn, group):
 @IAMErrorHandler.deletion_error_handler("detach role policy")
 @AWSRetry.jittered_backoff()
 def detach_iam_role_policy(client, arn, role):
- client.detach_group_policy(PolicyArn=arn, RoleName=role)
+ client.detach_role_policy(PolicyArn=arn, RoleName=role)
 return True
 @IAMErrorHandler.deletion_error_handler("detach user policy")
 @AWSRetry.jittered_backoff()
 def detach_iam_user_policy(client, arn, user):
- client.detach_group_policy(PolicyArn=arn, UserName=user)
+ client.detach_user_policy(PolicyArn=arn, UserName=user)
 return True
diff --git a/tests/integration/targets/iam_managed_policy/defaults/main.yml b/tests/integration/targets/iam_managed_policy/defaults/main.yml
index 51ece2c3a1d..4257634b76e 100644
--- a/tests/integration/targets/iam_managed_policy/defaults/main.yml
+++ b/tests/integration/targets/iam_managed_policy/defaults/main.yml
@@ -2,3 +2,6 @@
 policy_name: "{{ resource_prefix }}-policy"
 policy_path: "/ansible-test-{{ tiny_prefix }}/"
 policy_description: "An example Managed Policy description"
+test_role: "{{ resource_prefix }}-mp-role"
+test_user: "{{ resource_prefix }}-mp-user"
+test_group: "{{ resource_prefix }}-mp-group"
diff --git a/tests/integration/targets/iam_managed_policy/files/deny-assume.json b/tests/integration/targets/iam_managed_policy/files/deny-assume.json
new file mode 100644
index 00000000000..73e87715862
--- /dev/null
+++ b/tests/integration/targets/iam_managed_policy/files/deny-assume.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": { "Service": "ec2.amazonaws.com" },
+ "Effect": "Deny"
+ }
+ ]
+}
diff --git a/tests/integration/targets/iam_managed_policy/tasks/main.yml b/tests/integration/targets/iam_managed_policy/tasks/main.yml
index c6ab19a740f..ec4238b858c 100644
--- a/tests/integration/targets/iam_managed_policy/tasks/main.yml
+++ b/tests/integration/targets/iam_managed_policy/tasks/main.yml
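Review bot: The corrected `client.detach_role_policy(PolicyArn=arn, RoleName=role)` and `client.detach_user_policy(PolicyArn=arn, UserName=user)` calls are right, but the three detach helpers differ only in the boto3 method name and the `RoleName`/`UserName`/`GroupName` keyword, and the commit adds no unit test pinning that pairing, so the same copy-paste slip can return unnoticed until an integration run. A `botocore.stub.Stubber`-based unit test that calls each helper against a stubbed client would catch a mismatched method/keyword immediately, because botocore validates parameters against the service model before any request is sent, which is exactly why the original bug surfaced as a ParamValidationError. Both helpers are also undocumented; a one-line docstring such as `"""Detach the managed policy ``arn`` from the IAM role named ``role``."""` (and the user equivalent) would help. Whether `IAMErrorHandler.deletion_error_handler` treats an already-detached policy (NoSuchEntity) as success is not visible in this hunk and is worth confirming, since a detach performed on the way to deleting a policy should tolerate an attachment that has already gone.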
@@ -9,6 +9,21 @@
 collections:
 - amazon.aws
 block:
+ - name: Create IAM group
+ amazon.aws.iam_group:
+ name: "{{ test_group }}"
+ state: present
+ - name: Create IAM user
+ amazon.aws.iam_user:
+ name: "{{ test_user }}"
+ state: present
+ - name: Create IAM role
+ amazon.aws.iam_role:
+ name: "{{ test_role }}"
+ assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+ create_instance_profile: false
+ state: present
+
 ## Test policy creation
 - name: Create IAM managed policy - check mode
 amazon.aws.iam_managed_policy:
@@ -448,14 +463,60 @@
 - result.policy.tags["Tag C"] == "Value C"
 - result.policy.tags["tag d"] == "value d"
+ - name: Attach managed policy to group
+ amazon.aws.iam_group:
+ name: "{{ test_group }}"
+ state: present
+ managed_policies:
+ - "{{ policy_name }}"
+ - name: Attach managed policy to user
+ amazon.aws.iam_user:
+ name: "{{ test_user }}"
+ state: present
+ managed_policies:
+ - "{{ policy_name }}"
+ - name: Attach managed policy to role
+ amazon.aws.iam_role:
+ name: "{{ test_role }}"
+ state: present
+ assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+ managed_policies:
+ - "{{ policy_name }}"
+
 - name: Delete IAM managed policy
 amazon.aws.iam_managed_policy:
 policy_name: "{{ policy_name }}"
 state: absent
+ - name: Delete IAM group
+ amazon.aws.iam_group:
+ name: "{{ test_group }}"
+ state: absent
+ - name: Delete IAM user
+ amazon.aws.iam_user:
+ name: "{{ test_user }}"
+ state: absent
+ - name: Delete IAM role
+ amazon.aws.iam_role:
+ name: "{{ test_role }}"
+ state: absent
+
 always:
 - name: Delete IAM managed policy
 amazon.aws.iam_managed_policy:
 policy_name: "{{ policy_name }}"
 state: absent
 ignore_errors: true # noqa: ignore-errors
+
+ - name: Delete IAM group
+ amazon.aws.iam_group:
+ name: "{{ test_group }}"
+ state: absent
+ - name: Delete IAM user
+ amazon.aws.iam_user:
+ name: "{{ test_user }}"
+ state: absent
+ - name: Delete IAM role
+ amazon.aws.iam_role:
+ name: "{{ test_role }}"
+ state: absent
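Review bot: The three cleanup tasks appended to the `always:` block (delete group, user, role) lack the `ignore_errors: true # noqa: ignore-errors` that the policy-delete task directly above them carries, so if the group deletion fails (for example because the policy is still attached after a failed run) the block stops there and the test user and role are leaked in the account. Each of the three new always-tasks should get the same `ignore_errors: true # noqa: ignore-errors` line so every cleanup step is attempted regardless of the others. The `block:`/`always:` pair these tasks belong to starts outside this hunk. The in-block `Delete IAM managed policy` task is now the actual regression test for this fix — it has to detach the policy from the group, user and role before deleting — but its result is not registered or asserted on, so the test only fails if the module errors; registering the result and asserting `changed` would make the expectation explicit.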