diff --git a/.changelog/33963.txt b/.changelog/33963.txt
new file mode 100644
index 00000000000..bafa61b0450
--- /dev/null
+++ b/.changelog/33963.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_iam_role: Fix refreshing `permission_boundary` when deleted outside of Terraform
+```
+
+```release-note:bug
+resource/aws_iam_user: Fix refreshing `permission_boundary` when deleted outside of Terraform
+```
diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go
index d373cb1a0d2..4ca2bc1c435 100644
--- a/internal/service/iam/role.go
+++ b/internal/service/iam/role.go
@@ -292,6 +292,8 @@ func resourceRoleRead(ctx context.Context, d *schema.ResourceData, meta interfac
 	d.Set("path", role.Path)
 	if role.PermissionsBoundary != nil {
 		d.Set("permissions_boundary", role.PermissionsBoundary.PermissionsBoundaryArn)
+	} else {
+		d.Set("permissions_boundary", nil)
 	}
 	d.Set("unique_id", role.RoleId)
diff --git a/internal/service/iam/role_test.go b/internal/service/iam/role_test.go
index cfa1c5e6513..f7b97e5ebb1 100644
--- a/internal/service/iam/role_test.go
+++ b/internal/service/iam/role_test.go
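Review bot: The new `else` branch in resourceRoleRead carries no comment explaining why the attribute must be actively cleared, and the identical branch added to resourceUserRead in the user.go hunk has the same gap. A boundary that disappears outside Terraform widens the principal's effective permissions, so a reader of this block should see at once that the clear exists to make the refresh surface that drift rather than keep a stale ARN in state; proposed comment above the `d.Set` in both files: `// Boundary was removed outside Terraform; clear state so the refresh reports the drift.`. The discarded `d.Set` return value matches the surrounding lines, so it is not new here. Both enclosing functions start before their hunks.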
@@ -551,6 +551,27 @@ func TestAccIAMRole_permissionsBoundary(t *testing.T) {
 					testAccCheckRolePermissionsBoundary(&role, permissionsBoundary1),
 				),
 			},
+			// Test drift detection
+			{
+				PreConfig: func() {
+					// delete the boundary manually
+					conn := acctest.Provider.Meta().(*conns.AWSClient).IAMConn(ctx)
+					input := &iam.DeleteRolePermissionsBoundaryInput{
+						RoleName: role.RoleName,
+					}
+					_, err := conn.DeleteRolePermissionsBoundaryWithContext(ctx, input)
+					if err != nil {
+						t.Fatalf("Failed to delete permission_boundary from role (%s): %s", aws.StringValue(role.RoleName), err)
+					}
+				},
+				Config: testAccRoleConfig_permissionsBoundary(rName, permissionsBoundary1),
+				// check the boundary was restored
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckRoleExists(ctx, resourceName, &role),
+					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
+					testAccCheckRolePermissionsBoundary(&role, permissionsBoundary1),
+				),
+			},
 			// Test empty value
 			{
 				Config: testAccRoleConfig_permissionsBoundary(rName, ""),
diff --git a/internal/service/iam/user.go b/internal/service/iam/user.go
index 6ca8afbdb8e..27696efbd3f 100644
--- a/internal/service/iam/user.go
+++ b/internal/service/iam/user.go
@@ -161,6 +161,8 @@ func resourceUserRead(ctx context.Context, d *schema.ResourceData, meta interfac
 	d.Set("path", user.Path)
 	if user.PermissionsBoundary != nil {
 		d.Set("permissions_boundary", user.PermissionsBoundary.PermissionsBoundaryArn)
+	} else {
+		d.Set("permissions_boundary", nil)
 	}
 	d.Set("unique_id", user.UserId)
diff --git a/internal/service/iam/user_test.go b/internal/service/iam/user_test.go
index 7d4d259af22..0432be516ae 100644
--- a/internal/service/iam/user_test.go
+++ b/internal/service/iam/user_test.go
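Review bot: The new drift step only proves the end state after a re-apply; it never asserts that the refresh itself cleared `permissions_boundary`, which is the behaviour the role.go change introduces, and the same holds for the parallel step in the user_test.go hunk. Inserting a step between the PreConfig deletion and the re-apply with `RefreshState: true,` and `ExpectNonEmptyPlan: true,` would pin the refresh-side fix directly, so a future regression in the read function is caught even if apply still converges. The `// Test drift detection` comment could also say what drift is simulated, e.g. `// Test drift detection: boundary removed out of band must be re-attached`. The enclosing TestAccIAMRole_permissionsBoundary begins and ends outside the hunk.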
@@ -413,6 +413,27 @@ func TestAccIAMUser_permissionsBoundary(t *testing.T) {
 					testAccCheckUserPermissionsBoundary(&user, permissionsBoundary1),
 				),
 			},
+			// Test drift detection
+			{
+				PreConfig: func() {
+					// delete the boundary manually
+					conn := acctest.Provider.Meta().(*conns.AWSClient).IAMConn(ctx)
+					input := &iam.DeleteUserPermissionsBoundaryInput{
+						UserName: user.UserName,
+					}
+					_, err := conn.DeleteUserPermissionsBoundaryWithContext(ctx, input)
+					if err != nil {
+						t.Fatalf("Failed to delete permission_boundary from user (%s): %s", aws.StringValue(user.UserName), err)
+					}
+				},
+				Config: testAccUserConfig_permissionsBoundary(rName, permissionsBoundary1),
+				// check the boundary was restored
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckUserExists(ctx, resourceName, &user),
+					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
+					testAccCheckUserPermissionsBoundary(&user, permissionsBoundary1),
+				),
+			},
 			// Test empty value
 			{
 				Config: testAccUserConfig_permissionsBoundary(rName, ""),