From 360b394e774dfe45d9f9c44e769188a7fd86c0bd Mon Sep 17 00:00:00 2001 From: Shinohara Makoto Date: Wed, 9 Feb 2022 19:25:08 +0900 Subject: [PATCH 1/9] Fix aws_iam_policy_document order --- internal/service/iam/role.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go index 7d23a6ae8bf2..ea2d0e6072fc 100644 --- a/internal/service/iam/role.go +++ b/internal/service/iam/role.go @@ -293,7 +293,11 @@ func resourceRoleRead(d *schema.ResourceData, meta interface{}) error { if err != nil { return err } - if err := d.Set("assume_role_policy", assumeRolePolicy); err != nil { + policyToSet, err := verify.PolicyToSet(d.Get("assume_role_policy").(string), assumeRolePolicy) + if err != nil { + return err + } + if err := d.Set("assume_role_policy", policyToSet); err != nil { return err } From ada638bc92bb222aa36a3cff4707383c06ffa78b Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 25 Mar 2022 11:55:59 -0400 Subject: [PATCH 2/9] r/aws_iam_role: Alphabetize attributes. --- internal/service/iam/role.go | 107 +++++++++++++++-------------------- 1 file changed, 47 insertions(+), 60 deletions(-) diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go index ea2d0e6072fc..e8d5fcbbeecb 100644 --- a/internal/service/iam/role.go +++ b/internal/service/iam/role.go 
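Review bot: The error from `verify.PolicyToSet` is returned bare, so a failure here surfaces as an unqualified message with no hint that it came from reading `assume_role_policy` of this role; `return fmt.Errorf("setting assume_role_policy for IAM Role (%s): %w", d.Id(), err)` would keep the chain and match the wrapped errors used elsewhere in role.go. The same bare return survives the later "Cosmetics" commit that rewrites this block. resourceRoleRead starts and ends outside the hunk.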
@@ -39,48 +39,20 @@ func ResourceRole() *schema.Resource { State: resourceRoleImport, }, Schema: map[string]*schema.Schema{ + "assume_role_policy": { + Type: schema.TypeString, + Required: true, + DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs, + ValidateFunc: validation.StringIsJSON, + }, "arn": { Type: schema.TypeString, Computed: true, }, - - "unique_id": { + "create_date": { Type: schema.TypeString, Computed: true, }, - - "name": { - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - ConflictsWith: []string{"name_prefix"}, - ValidateFunc: validResourceName(roleNameMaxLen), - }, - - "name_prefix": { - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - ConflictsWith: []string{"name"}, - ValidateFunc: validResourceName(roleNamePrefixMaxLen), - }, - - "path": { - Type: schema.TypeString, - Optional: true, - Default: "/", - ForceNew: true, - ValidateFunc: validation.StringLenBetween(0, 512), - }, - - "permissions_boundary": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: verify.ValidARN, - }, - "description": { Type: schema.TypeString, Optional: true, @@ -90,35 +62,11 @@ func ResourceRole() *schema.Resource { validation.StringMatch(regexp.MustCompile(`[\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*`), `must satisfy regular expression pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*)`), ), }, - - "assume_role_policy": { - Type: schema.TypeString, - Required: true, - DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs, - ValidateFunc: validation.StringIsJSON, - }, - "force_detach_policies": { Type: schema.TypeBool, Optional: true, Default: false, }, - - "create_date": { - Type: schema.TypeString, - Computed: true, - }, - - "max_session_duration": { - Type: schema.TypeInt, - Optional: true, - Default: 3600, - ValidateFunc: validation.IntBetween(3600, 43200), - }, - - "tags": tftags.TagsSchema(), - "tags_all": tftags.TagsSchemaComputed(), - "inline_policy": { Type: schema.TypeSet, Optional: true, 
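Review bot: The new order is not alphabetical at the top of the schema: `assume_role_policy` is inserted ahead of `arn`, although `arn` sorts first, so the commit does not fully achieve what its title states. Move the `arn` entry above `assume_role_policy` (the rest of the map is in order). ResourceRole starts and ends outside the hunk.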
@@ -149,7 +97,6 @@ func ResourceRole() *schema.Resource { return !inlinePoliciesActualDiff(d) }, }, - "managed_policy_arns": { Type: schema.TypeSet, Optional: true, @@ -159,6 +106,46 @@ func ResourceRole() *schema.Resource { ValidateFunc: verify.ValidARN, }, }, + "max_session_duration": { + Type: schema.TypeInt, + Optional: true, + Default: 3600, + ValidateFunc: validation.IntBetween(3600, 43200), + }, + "name": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ConflictsWith: []string{"name_prefix"}, + ValidateFunc: validResourceName(roleNameMaxLen), + }, + "name_prefix": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ConflictsWith: []string{"name"}, + ValidateFunc: validResourceName(roleNamePrefixMaxLen), + }, + "path": { + Type: schema.TypeString, + Optional: true, + Default: "/", + ForceNew: true, + ValidateFunc: validation.StringLenBetween(0, 512), + }, + "permissions_boundary": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: verify.ValidARN, + }, + "tags": tftags.TagsSchema(), + "tags_all": tftags.TagsSchemaComputed(), + "unique_id": { + Type: schema.TypeString, + Computed: true, + }, }, CustomizeDiff: verify.SetTagsDiff, From 6ff7ef54a9e7cbed97b71e3345794e714f790811 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 25 Mar 2022 11:59:26 -0400 Subject: [PATCH 3/9] Cosmetics. --- internal/service/iam/role.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go index e8d5fcbbeecb..0d0e7affb68d 100644 --- a/internal/service/iam/role.go +++ b/internal/service/iam/role.go 
@@ -263,9 +263,7 @@ func resourceRoleRead(d *schema.ResourceData, meta interface{}) error { } d.Set("arn", role.Arn) - if err := d.Set("create_date", role.CreateDate.Format(time.RFC3339)); err != nil { - return err - } + d.Set("create_date", role.CreateDate.Format(time.RFC3339)) d.Set("description", role.Description) d.Set("max_session_duration", role.MaxSessionDuration) d.Set("name", role.RoleName) @@ -276,17 +274,19 @@ func resourceRoleRead(d *schema.ResourceData, meta interface{}) error { } d.Set("unique_id", role.RoleId) - assumeRolePolicy, err := url.QueryUnescape(*role.AssumeRolePolicyDocument) + assumeRolePolicy, err := url.QueryUnescape(aws.StringValue(role.AssumeRolePolicyDocument)) + if err != nil { return err } + policyToSet, err := verify.PolicyToSet(d.Get("assume_role_policy").(string), assumeRolePolicy) + if err != nil { return err } - if err := d.Set("assume_role_policy", policyToSet); err != nil { - return err - } + + d.Set("assume_role_policy", policyToSet) inlinePolicies, err := readRoleInlinePolicies(aws.StringValue(role.RoleName), meta) if err != nil { From 5383d8708f2a843a24e9d238e2d02889b7f51852 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 25 Mar 2022 12:04:12 -0400 Subject: [PATCH 4/9] Add CHANGELOG entry. --- .changelog/23060.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/23060.txt diff --git a/.changelog/23060.txt b/.changelog/23060.txt new file mode 100644 index 000000000000..796eb88e75e8 --- /dev/null +++ b/.changelog/23060.txt @@ -0,0 +1,3 @@ +```release-note:bug +resource/aws_iam_role: Fix diffs in `assume_role_policy` when no changes are detected +``` \ No newline at end of file From 6e2619bbf80cb3642488c1c7a0ec987d677d94b5 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 25 Mar 2022 12:46:30 -0400 Subject: [PATCH 5/9] r/aws_iam_policy: Better handling of 'assume_role_policy'. --- internal/service/iam/role.go | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) 
diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go index 0d0e7affb68d..da6477316284 100644 --- a/internal/service/iam/role.go +++ b/internal/service/iam/role.go @@ -15,6 +15,7 @@ import ( "github.com/hashicorp/go-multierror" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/terraform-provider-aws/internal/conns" "github.com/hashicorp/terraform-provider-aws/internal/create" @@ -42,8 +43,12 @@ func ResourceRole() *schema.Resource { "assume_role_policy": { Type: schema.TypeString, Required: true, - DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs, ValidateFunc: validation.StringIsJSON, + DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs, + StateFunc: func(v interface{}) string { + json, _ := structure.NormalizeJsonString(v) + return json + }, }, "arn": { Type: schema.TypeString, @@ -163,11 +168,17 @@ func resourceRoleCreate(d *schema.ResourceData, meta interface{}) error { defaultTagsConfig := meta.(*conns.AWSClient).DefaultTagsConfig tags := defaultTagsConfig.MergeTags(tftags.New(d.Get("tags").(map[string]interface{}))) + assumeRolePolicy, err := structure.NormalizeJsonString(d.Get("assume_role_policy").(string)) + + if err != nil { + return fmt.Errorf("assume_role_policy (%s) is invalid JSON: %w", assumeRolePolicy, err) + } + name := create.Name(d.Get("name").(string), d.Get("name_prefix").(string)) request := &iam.CreateRoleInput{ + AssumeRolePolicyDocument: aws.String(assumeRolePolicy), Path: aws.String(d.Get("path").(string)), RoleName: aws.String(name), - AssumeRolePolicyDocument: aws.String(d.Get("assume_role_policy").(string)), } if v, ok := d.GetOk("description"); ok { 
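Review bot: The new StateFunc discards the error from `structure.NormalizeJsonString` with `json, _ :=` and no comment saying why that is acceptable; since the same attribute carries `ValidateFunc: validation.StringIsJSON`, the error is presumably unreachable, and that reasoning belongs on the line, e.g. `normalized, _ := structure.NormalizeJsonString(v) // ValidateFunc (validation.StringIsJSON) already rejects invalid JSON`. Renaming the local also stops it shadowing the `json` package identifier. In the resourceRoleCreate hunk, and in the matching resourceRoleUpdate hunk on the following line, the error message interpolates `assumeRolePolicy`, the return value of the failed call, rather than the configured string; if NormalizeJsonString returns an empty string on error the message shows an empty document, so capture `d.Get("assume_role_policy").(string)` in a local first and print that. Both functions continue outside their hunks.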
@@ -328,12 +339,18 @@ func resourceRoleUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*conns.AWSClient).IAMConn if d.HasChange("assume_role_policy") { + assumeRolePolicy, err := structure.NormalizeJsonString(d.Get("assume_role_policy").(string)) + + if err != nil { + return fmt.Errorf("assume_role_policy (%s) is invalid JSON: %w", assumeRolePolicy, err) + } + assumeRolePolicyInput := &iam.UpdateAssumeRolePolicyInput{ RoleName: aws.String(d.Id()), - PolicyDocument: aws.String(d.Get("assume_role_policy").(string)), + PolicyDocument: aws.String(assumeRolePolicy), } - _, err := tfresource.RetryWhen( + _, err = tfresource.RetryWhen( propagationTimeout, func() (interface{}, error) { return conn.UpdateAssumeRolePolicy(assumeRolePolicyInput) From 66ca336137a0d3f437b51ce98b517c6ab3c81674 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 25 Mar 2022 13:03:14 -0400 Subject: [PATCH 6/9] Prefer 'input' as the name of the API input parameter. --- internal/service/iam/role.go | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go index da6477316284..936c816a70dd 100644 --- a/internal/service/iam/role.go +++ b/internal/service/iam/role.go 
@@ -175,36 +175,36 @@ func resourceRoleCreate(d *schema.ResourceData, meta interface{}) error { } name := create.Name(d.Get("name").(string), d.Get("name_prefix").(string)) - request := &iam.CreateRoleInput{ + input := &iam.CreateRoleInput{ AssumeRolePolicyDocument: aws.String(assumeRolePolicy), Path: aws.String(d.Get("path").(string)), RoleName: aws.String(name), } if v, ok := d.GetOk("description"); ok { - request.Description = aws.String(v.(string)) + input.Description = aws.String(v.(string)) } if v, ok := d.GetOk("max_session_duration"); ok { - request.MaxSessionDuration = aws.Int64(int64(v.(int))) + input.MaxSessionDuration = aws.Int64(int64(v.(int))) } if v, ok := d.GetOk("permissions_boundary"); ok { - request.PermissionsBoundary = aws.String(v.(string)) + input.PermissionsBoundary = aws.String(v.(string)) } if len(tags) > 0 { - request.Tags = Tags(tags.IgnoreAWS()) + input.Tags = Tags(tags.IgnoreAWS()) } - output, err := retryCreateRole(conn, request) + output, err := retryCreateRole(conn, input) // Some partitions (i.e., ISO) may not support tag-on-create - if request.Tags != nil && meta.(*conns.AWSClient).Partition != endpoints.AwsPartitionID && verify.CheckISOErrorTagsUnsupported(conn.PartitionID, err) { + if input.Tags != nil && verify.CheckISOErrorTagsUnsupported(conn.PartitionID, err) { log.Printf("[WARN] failed creating IAM Role (%s) with tags: %s. Trying create without tags.", name, err) - request.Tags = nil + input.Tags = nil - output, err = retryCreateRole(conn, request) + output, err = retryCreateRole(conn, input) } if err != nil { 
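Review bot: The ISO tag fallback condition silently drops `meta.(*conns.AWSClient).Partition != endpoints.AwsPartitionID &&` in a commit described as a rename, while the tag-after-create check later in the same function (next hunk) keeps the partition guard, so the two branches now disagree. If `verify.CheckISOErrorTagsUnsupported` already gates on the partition, say so in the commit message or in the `// Some partitions (i.e., ISO)` comment; otherwise restore the guard. resourceRoleCreate starts and ends outside the hunk.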
@@ -230,7 +230,7 @@ func resourceRoleCreate(d *schema.ResourceData, meta interface{}) error { d.SetId(roleName) // Some partitions (i.e., ISO) may not support tag-on-create, attempt tag after create - if request.Tags == nil && len(tags) > 0 && meta.(*conns.AWSClient).Partition != endpoints.AwsPartitionID { + if input.Tags == nil && len(tags) > 0 && meta.(*conns.AWSClient).Partition != endpoints.AwsPartitionID { err := roleUpdateTags(conn, d.Id(), nil, tags) // If default tags only, log and continue. Otherwise, error. @@ -345,7 +345,7 @@ func resourceRoleUpdate(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("assume_role_policy (%s) is invalid JSON: %w", assumeRolePolicy, err) } - assumeRolePolicyInput := &iam.UpdateAssumeRolePolicyInput{ + input := &iam.UpdateAssumeRolePolicyInput{ RoleName: aws.String(d.Id()), PolicyDocument: aws.String(assumeRolePolicy), } @@ -353,7 +353,7 @@ func resourceRoleUpdate(d *schema.ResourceData, meta interface{}) error { _, err = tfresource.RetryWhen( propagationTimeout, func() (interface{}, error) { - return conn.UpdateAssumeRolePolicy(assumeRolePolicyInput) + return conn.UpdateAssumeRolePolicy(input) }, func(err error) (bool, error) { if tfawserr.ErrMessageContains(err, iam.ErrCodeMalformedPolicyDocumentException, "Invalid principal in policy") { @@ -370,12 +370,12 @@ func resourceRoleUpdate(d *schema.ResourceData, meta interface{}) error { } if d.HasChange("description") { - roleDescriptionInput := &iam.UpdateRoleDescriptionInput{ + input := &iam.UpdateRoleDescriptionInput{ RoleName: aws.String(d.Id()), Description: aws.String(d.Get("description").(string)), } - _, err := conn.UpdateRoleDescription(roleDescriptionInput) + _, err := conn.UpdateRoleDescription(input) if err != nil { return fmt.Errorf("error updating IAM Role (%s) description: %w", d.Id(), err) 
@@ -383,12 +383,12 @@ func resourceRoleUpdate(d *schema.ResourceData, meta interface{}) error { } if d.HasChange("max_session_duration") { - roleMaxDurationInput := &iam.UpdateRoleInput{ + input := &iam.UpdateRoleInput{ RoleName: aws.String(d.Id()), MaxSessionDuration: aws.Int64(int64(d.Get("max_session_duration").(int))), } - _, err := conn.UpdateRole(roleMaxDurationInput) + _, err := conn.UpdateRole(input) if err != nil { return fmt.Errorf("error updating IAM Role (%s) MaxSessionDuration: %s", d.Id(), err) From 4d637544ef301c7dbcc932dc506a5c170c485837 Mon Sep 17 00:00:00 2001 From: Dirk Avery Date: Fri, 8 Jul 2022 12:59:54 -0400 Subject: [PATCH 7/9] Update to new awspolicyequivalence version --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a77f8f769f2f..d6e7fc1a604d 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.17.0 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.16 github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.17 - github.com/hashicorp/awspolicyequivalence v1.5.0 + github.com/hashicorp/awspolicyequivalence v1.6.0 github.com/hashicorp/go-cleanhttp v0.5.2 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 github.com/hashicorp/go-multierror v1.1.1 diff --git a/go.sum b/go.sum index 602fcfbc920f..738c4ea519c5 100644 --- a/go.sum +++ b/go.sum 
@@ -145,8 +145,8 @@ github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.16 h1:Ac/qv9kXBBeyIAGkZdy+Id github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.16/go.mod h1:xySJRdcDB8hVSmboo3X+evGhZPzBYwPmZbQxLgfGfBw= github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.17 h1:hUG69tIA35oNI2hoeURCnShSViDNCmcQdLSngP89124= github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.17/go.mod h1:MS242y2IOhTXoT0nhbJt/Z1p/6hlisZunHwvrWAcJyY= -github.com/hashicorp/awspolicyequivalence v1.5.0 h1:tGw6h9qN1AWNBaUf4OUcdCyE/kqNBItTiyTPQeV/KUg= -github.com/hashicorp/awspolicyequivalence v1.5.0/go.mod h1:9IOaIHx+a7C0NfUNk1A93M7kHd5rJ19aoUx37LZGC14= +github.com/hashicorp/awspolicyequivalence v1.6.0 h1:7aadmkalbc5ewStC6g3rljx1iNvP4QyAhg2KsHx8bU8= +github.com/hashicorp/awspolicyequivalence v1.6.0/go.mod h1:9IOaIHx+a7C0NfUNk1A93M7kHd5rJ19aoUx37LZGC14= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= From b2acddd42890fdbdd28f208c78dfe9744304b8f2 Mon Sep 17 00:00:00 2001 From: Dirk Avery Date: Fri, 8 Jul 2022 13:00:22 -0400 Subject: [PATCH 8/9] iam/role: Fix issues with spurious policy diffs --- .changelog/23060.txt | 8 +- internal/service/iam/role.go | 57 ++- internal/service/iam/role_test.go | 663 +++++++++++++----------------- 3 files changed, 316 insertions(+), 412 deletions(-) diff --git a/.changelog/23060.txt b/.changelog/23060.txt index 796eb88e75e8..341fea91f725 100644 --- a/.changelog/23060.txt +++ b/.changelog/23060.txt 
@@ -1,3 +1,7 @@ ```release-note:bug -resource/aws_iam_role: Fix diffs in `assume_role_policy` when no changes are detected -``` \ No newline at end of file +resource/aws_iam_role: Fix diffs in `assume_role_policy` when there are no semantic changes +``` + +```release-note:bug +resource/aws_iam_role: Fix problem with exclusion management of inline and managed policies when empty (i.e., remove out-of-band policies) +``` diff --git a/internal/service/iam/role.go b/internal/service/iam/role.go index 936c816a70dd..6f2336930899 100644 --- a/internal/service/iam/role.go +++ b/internal/service/iam/role.go @@ -40,6 +40,10 @@ func ResourceRole() *schema.Resource { State: resourceRoleImport, }, Schema: map[string]*schema.Schema{ + "arn": { + Type: schema.TypeString, + Computed: true, + }, "assume_role_policy": { Type: schema.TypeString, Required: true, @@ -50,10 +54,6 @@ func ResourceRole() *schema.Resource { return json }, }, - "arn": { - Type: schema.TypeString, - Computed: true, - }, "create_date": { Type: schema.TypeString, Computed: true, @@ -157,8 +157,7 @@ func ResourceRole() *schema.Resource { } } -func resourceRoleImport( - d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { +func resourceRoleImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { d.Set("force_detach_policies", false) return []*schema.ResourceData{d}, nil } @@ -752,16 +751,22 @@ func expandRoleInlinePolicy(roleName string, tfMap map[string]interface{}) *iam. return nil } - apiObject := &iam.PutRolePolicyInput{ - RoleName: aws.String(roleName), - } + apiObject := &iam.PutRolePolicyInput{} + + namePolicy := false if v, ok := tfMap["name"].(string); ok && v != "" { apiObject.PolicyName = aws.String(v) + namePolicy = true } if v, ok := tfMap["policy"].(string); ok && v != "" { apiObject.PolicyDocument = aws.String(v) + namePolicy = true + } + + if namePolicy { + apiObject.RoleName = aws.String(roleName) } return apiObject 
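Review bot: In expandRoleInlinePolicy the flag `namePolicy` is set when either the name or the policy is present, so its name misdescribes it; the condition can be expressed directly from the fields, `if apiObject.PolicyName != nil || apiObject.PolicyDocument != nil { apiObject.RoleName = aws.String(roleName) }`, and the flag removed. The function now returns an all-nil `iam.PutRolePolicyInput` for an empty block instead of one carrying the role name, which the callers that issue PutRolePolicy presumably have to skip; a comment on the `return apiObject` stating that an empty block yields an input with no RoleName would help. The function's opening `if tfMap == nil` check is outside the hunk.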
@@ -859,12 +864,14 @@ func readRoleInlinePolicies(roleName string, meta interface{}) ([]*iam.PutRolePo apiObjects = append(apiObjects, apiObject) } - if len(apiObjects) == 0 { - apiObjects = append(apiObjects, &iam.PutRolePolicyInput{ - PolicyDocument: aws.String(""), - PolicyName: aws.String(""), - }) - } + /* + if len(apiObjects) == 0 { + apiObjects = append(apiObjects, &iam.PutRolePolicyInput{ + PolicyDocument: aws.String(""), + PolicyName: aws.String(""), + }) + } + */ return apiObjects, nil } @@ -885,22 +892,28 @@ func inlinePoliciesActualDiff(d *schema.ResourceData) bool { osPolicies := expandRoleInlinePolicies(roleName, os.List()) nsPolicies := expandRoleInlinePolicies(roleName, ns.List()) - return !inlinePoliciesEquivalent(osPolicies, nsPolicies) + return !inlinePoliciesEquivalent(nsPolicies, osPolicies) } -func inlinePoliciesEquivalent(one, two []*iam.PutRolePolicyInput) bool { - if one == nil && two == nil { +func inlinePoliciesEquivalent(readPolicies, configPolicies []*iam.PutRolePolicyInput) bool { + if readPolicies == nil && configPolicies == nil { return true } - if len(one) != len(two) { + if len(readPolicies) == 0 && len(configPolicies) == 1 { + if equivalent, err := awspolicy.PoliciesAreEquivalent(`{}`, aws.StringValue(configPolicies[0].PolicyDocument)); err == nil && equivalent { + return true + } + } + + if len(readPolicies) != len(configPolicies) { return false } matches := 0 - for _, policyOne := range one { - for _, policyTwo := range two { + for _, policyOne := range readPolicies { + for _, policyTwo := range configPolicies { if aws.StringValue(policyOne.PolicyName) == aws.StringValue(policyTwo.PolicyName) { matches++ if equivalent, err := awspolicy.PoliciesAreEquivalent(aws.StringValue(policyOne.PolicyDocument), aws.StringValue(policyTwo.PolicyDocument)); err != nil || !equivalent { 
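Review bot: The empty-placeholder block in readRoleInlinePolicies is commented out with `/* ... */` rather than deleted; git history preserves it, so remove the block, or if it is being kept deliberately add a one-line comment explaining why an empty list is now returned instead. Callers that relied on the `""`/`""` placeholder to represent "no inline policies" now receive an empty slice, which is presumably what the new `len(readPolicies) == 0` case in inlinePoliciesEquivalent is for, but that link is not stated anywhere.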
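Review bot: The new parameter names and the new call site look inverted: inlinePoliciesEquivalent's first parameter is named `readPolicies`, but inlinePoliciesActualDiff now calls `inlinePoliciesEquivalent(nsPolicies, osPolicies)`, and with `d.GetChange` the new side (`ns`) is the configuration while the old side (`os`) is what was last read, so the config list lands in `readPolicies`. Either the argument order or the names should change; confirm which side the `len(readPolicies) == 0 && len(configPolicies) == 1` special case is meant to see. Note also that an entry with a nil PolicyDocument reaches `awspolicy.PoliciesAreEquivalent` as `""`, so that case relies on the library returning an error there. The function's tail is in the following hunk.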
@@ -911,5 +924,5 @@ func inlinePoliciesEquivalent(one, two []*iam.PutRolePolicyInput) bool { } } - return matches == len(one) + return matches == len(readPolicies) } diff --git a/internal/service/iam/role_test.go b/internal/service/iam/role_test.go index 1498e4a39224..db2514e15774 100644 --- a/internal/service/iam/role_test.go +++ b/internal/service/iam/role_test.go @@ -46,7 +46,7 @@ func TestAccIAMRole_basic(t *testing.T) { }) } -func TestAccIAMRole_basicWithDescription(t *testing.T) { +func TestAccIAMRole_description(t *testing.T) { var conf iam.Role rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix) resourceName := "aws_iam_role.test" @@ -1038,28 +1038,21 @@ func testAccRoleConfig_maxSessionDuration(rName string, maxSessionDuration int) data "aws_partition" "current" {} resource "aws_iam_role" "test" { - name = "test-role-%s" + name = %[1]q path = "/" - max_session_duration = %d + max_session_duration = %[2]d - assume_role_policy = < Date: Fri, 8 Jul 2022 13:06:51 -0400 Subject: [PATCH 9/9] Fix changelog tyop --- .changelog/23060.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changelog/23060.txt b/.changelog/23060.txt index 341fea91f725..06b093c876eb 100644 --- a/.changelog/23060.txt +++ b/.changelog/23060.txt @@ -3,5 +3,5 @@ resource/aws_iam_role: Fix diffs in `assume_role_policy` when there are no seman ``` ```release-note:bug -resource/aws_iam_role: Fix problem with exclusion management of inline and managed policies when empty (i.e., remove out-of-band policies) +resource/aws_iam_role: Fix problem with exclusive management of inline and managed policies when empty (i.e., remove out-of-band policies) ```