iam_role not idempotent #70161
Labels: affects_2.9, aws, bug, cloud, collection:community.aws, collection, module, needs_collection_redirect, python3, support:community, traceback
SUMMARY
If I try to create an IAM role, I can.
When I run the task a second time, it fails, because I don't have `iam:UpdateAssumeRolePolicy` permissions in my IAM role.
But if the role policy document hasn't changed, I shouldn't need `iam:UpdateAssumeRolePolicy`.
ISSUE TYPE
COMPONENT NAME
iam_role
ANSIBLE VERSION
Note that I tried to reproduce this off the `devel` branch, but got
It seems that all the cloud modules have been removed from `devel`? link
Is that deliberate?
CONFIGURATION
OS / ENVIRONMENT
Amazon Linux
STEPS TO REPRODUCE
Run this playbook twice, running this as an IAM role with `iam:UpdateAssumeRolePolicy` denied.
EXPECTED RESULTS
The playbook should succeed. The first run creates the role. The second run does nothing.
ACTUAL RESULTS
The first run successfully creates the role.
When I try the second time:
I wondered whether it's because `assume_role_policy_document` converts the yaml to json in a non-deterministic way. When I extracted that policy into json and did `lookup('file', 'policy.json')`, the result is the same. So I don't think that's the cause.
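
The behaviour the report expects, as an added example (not the iam_role module's own code and not part of the original issue): read the role's trust policy, compare it to the desired document after normalising ordering and scalar-versus-list forms, and call UpdateAssumeRolePolicy only on a real difference. `canonical`, `ensure_trust_policy`, the stub client, the role name and the sample documents are constructed for illustration; `get_role` and `update_assume_role_policy` are the boto3 IAM client calls.

```python
import json

def canonical(node):
    """Canonical form so semantically equal policy fragments compare equal."""
    if isinstance(node, dict):
        # "sts:AssumeRole" and ["sts:AssumeRole"] mean the same: wrap scalars.
        return {k: canonical(v if isinstance(v, list) else [v])
                for k, v in node.items()}
    if isinstance(node, list):
        # Order of statements, actions and principals carries no meaning.
        return sorted((canonical(i) for i in node),
                      key=lambda i: json.dumps(i, sort_keys=True))
    return node

def ensure_trust_policy(iam, role_name, desired, check_mode=False):
    """Write the trust policy only if it differs; return True when changed."""
    if isinstance(desired, str):
        desired = json.loads(desired)
    # boto3 returns AssumeRolePolicyDocument already decoded into a dict.
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    if canonical(current) == canonical(desired):
        return False  # no write call, so iam:UpdateAssumeRolePolicy is never used
    if not check_mode:
        iam.update_assume_role_policy(RoleName=role_name,
                                      PolicyDocument=json.dumps(desired))
    return True

class DenyUpdateIAM:
    """Constructed stub: an IAM client whose caller is denied the update action."""
    def __init__(self, document):
        self.document, self.update_calls = document, 0
    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName,
                         "AssumeRolePolicyDocument": self.document}}
    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.update_calls += 1
        raise PermissionError("AccessDenied: iam:UpdateAssumeRolePolicy")

# Constructed sample documents: same meaning, different key order and list forms.
STORED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]}
SAME = json.dumps({"Statement": {"Principal": {"Service": ["ec2.amazonaws.com"]},
                                 "Action": ["sts:AssumeRole"], "Effect": "Allow"},
                   "Version": "2012-10-17"})

if __name__ == "__main__":
    iam = DenyUpdateIAM(STORED)  # "demo-role" below is a placeholder name
    print("changed:", ensure_trust_policy(iam, "demo-role", SAME))
    print("update calls:", iam.update_calls)
```

The comparison covers ordering and scalar-versus-list differences only; other equivalences IAM may apply when storing a document are outside this sketch.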