Merge pull request #33963 from syncron-oss/b-iam-permissions-boundary…
…-drift-detection

r/iam: fix refreshing permission_boundary state on users and roles
ewbankkit authored Oct 18, 2023
2 parents 94cd251 + e27af0d commit e7e300f
Showing 5 changed files with 53 additions and 0 deletions.
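--- a/.changelog/33963.txt
+++ b/.changelog/33963.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_iam_role: Fix refreshing `permission_boundary` when deleted outside of Terraform
+```
+
+```release-note:bug
+resource/aws_iam_user: Fix refreshing `permission_boundary` when deleted outside of Terraform
+```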
2 changes: 2 additions & 0 deletions internal/service/iam/role.go
Expand Up @@ -292,6 +292,8 @@ func resourceRoleRead(ctx context.Context, d *schema.ResourceData, meta interfac
d.Set("path", role.Path)
if role.PermissionsBoundary != nil {
d.Set("permissions_boundary", role.PermissionsBoundary.PermissionsBoundaryArn)
} else {
d.Set("permissions_boundary", nil)
}
d.Set("unique_id", role.RoleId)

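Review bot: The new `else` branch carries no comment explaining why the attribute has to be cleared explicitly, and the same bare branch is added in user.go; a later reader could fold it back into the `if` as redundant and silently reintroduce the bug. Suggest `// Clear the attribute when no boundary is attached so a boundary removed outside Terraform shows up as drift instead of lingering in state.` above `d.Set("permissions_boundary", nil)` in both files. The boundary is a guardrail on what the principal may do, so stale state here means the role runs without that limit while Terraform still reports it as in place, which is why the explicit clear matters. Elsewhere in the commit the attribute is spelled `permission_boundary` (the changelog entries and the `t.Fatalf` messages in the tests) while the schema attribute is `permissions_boundary`; aligning them makes the release note match what users grep for. resourceRoleRead starts and ends outside this hunk.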
21 changes: 21 additions & 0 deletions internal/service/iam/role_test.go
Expand Up @@ -551,6 +551,27 @@ func TestAccIAMRole_permissionsBoundary(t *testing.T) {
testAccCheckRolePermissionsBoundary(&role, permissionsBoundary1),
),
},
// Test drift detection
{
PreConfig: func() {
// delete the boundary manually
conn := acctest.Provider.Meta().(*conns.AWSClient).IAMConn(ctx)
input := &iam.DeleteRolePermissionsBoundaryInput{
RoleName: role.RoleName,
}
_, err := conn.DeleteRolePermissionsBoundaryWithContext(ctx, input)
if err != nil {
t.Fatalf("Failed to delete permission_boundary from role (%s): %s", aws.StringValue(role.RoleName), err)
}
},
Config: testAccRoleConfig_permissionsBoundary(rName, permissionsBoundary1),
// check the boundary was restored
Check: resource.ComposeTestCheckFunc(
testAccCheckRoleExists(ctx, resourceName, &role),
resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
testAccCheckRolePermissionsBoundary(&role, permissionsBoundary1),
),
},
// Test empty value
{
Config: testAccRoleConfig_permissionsBoundary(rName, ""),
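Review bot: The new drift step verifies the fix only indirectly: after re-applying the same config it re-checks the boundary through `testAccCheckRolePermissionsBoundary`, but nothing asserts that the refresh itself observed the attribute as missing, which is the behaviour the commit changes. If the harness in use supports it, a refresh-only step between the PreConfig deletion and the re-apply, `RefreshState: true, ExpectNonEmptyPlan: true`, would make that intent explicit rather than relying on the re-apply being triggered. The same structure is duplicated in user_test.go and this applies there too. Calling `t.Fatalf` inside `PreConfig` is fine if the step runs on the test goroutine; worth confirming for the framework version in use, otherwise `t.Errorf` plus a return is the safer form. TestAccIAMRole_permissionsBoundary starts and ends outside this hunk.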
2 changes: 2 additions & 0 deletions internal/service/iam/user.go
Expand Up @@ -161,6 +161,8 @@ func resourceUserRead(ctx context.Context, d *schema.ResourceData, meta interfac
d.Set("path", user.Path)
if user.PermissionsBoundary != nil {
d.Set("permissions_boundary", user.PermissionsBoundary.PermissionsBoundaryArn)
} else {
d.Set("permissions_boundary", nil)
}
d.Set("unique_id", user.UserId)

21 changes: 21 additions & 0 deletions internal/service/iam/user_test.go
Expand Up @@ -413,6 +413,27 @@ func TestAccIAMUser_permissionsBoundary(t *testing.T) {
testAccCheckUserPermissionsBoundary(&user, permissionsBoundary1),
),
},
// Test drift detection
{
PreConfig: func() {
// delete the boundary manually
conn := acctest.Provider.Meta().(*conns.AWSClient).IAMConn(ctx)
input := &iam.DeleteUserPermissionsBoundaryInput{
UserName: user.UserName,
}
_, err := conn.DeleteUserPermissionsBoundaryWithContext(ctx, input)
if err != nil {
t.Fatalf("Failed to delete permission_boundary from user (%s): %s", aws.StringValue(user.UserName), err)
}
},
Config: testAccUserConfig_permissionsBoundary(rName, permissionsBoundary1),
// check the boundary was restored
Check: resource.ComposeTestCheckFunc(
testAccCheckUserExists(ctx, resourceName, &user),
resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
testAccCheckUserPermissionsBoundary(&user, permissionsBoundary1),
),
},
// Test empty value
{
Config: testAccUserConfig_permissionsBoundary(rName, ""),
