Attaching and detaching role tags now 2 distinct operations. Fixes to…

… role attribute value resolver on Role._apply_to_account.
noqdev · Aug 1, 2023 · c5cab58 · c5cab58
1 parent f7b9096
commit c5cab58
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/iambic/plugins/v0_1_0/aws/iam/role/models.py b/iambic/plugins/v0_1_0/aws/iam/role/models.py
@@ -315,17 +315,17 @@ async def _apply_to_account(  # noqa: C901
                 "MaxSessionDuration": "max_session_duration",
             }
             update_resource_log_params = {**log_params}
-            update_role_params = {}
+            update_role_keys = set()
             for k in supported_update_key_values.keys():
                 if account_role.get(k) is not None and account_role.get(
                     k
                 ) != current_role.get(k):
                     update_resource_log_params[k] = dict(
                         old_value=current_role.get(k), new_value=account_role.get(k)
                     )
-                    update_role_params[k] = current_role.get(k)
+                    update_role_keys.add(k)
 
-            if update_role_params:
+            if update_role_keys:
                 log_str = "Out of date resource found."
                 if ctx.execute:
                     log.debug(
@@ -339,13 +339,13 @@ async def update_role():
                             await boto_crud_call(
                                 client.update_role,
                                 RoleName=role_name,
-                                **update_role_params,
+                                **{key: account_role[key] for key in update_role_keys},
                             )
                         except Exception as e:
                             exceptions.append(str(e))
 
                         proposed_role_changes = []
-                        for key in update_role_params.keys():
+                        for key in update_role_keys:
                             proposed_role_changes.append(
                                 ProposedChange(
                                     attribute=key,
@@ -362,7 +362,7 @@ async def update_role():
                     tasks.append(update_role())
                 else:
                     log.debug(log_str, **update_resource_log_params)
-                    for key in update_role_params.keys():
+                    for key in update_role_keys:
                         account_change_details.proposed_changes.append(
                             ProposedChange(
                                 attribute=key,

diff --git a/iambic/plugins/v0_1_0/aws/iam/role/utils.py b/iambic/plugins/v0_1_0/aws/iam/role/utils.py
@@ -214,6 +214,14 @@ async def untag_role():
 
         log.debug(log_str, tags=tags_to_remove, **log_params)
 
+        if tasks:
+            results: list[list[ProposedChange]] = await asyncio.gather(
+                *tasks, return_exceptions=True
+            )
+            for r in results:
+                response.extend(r)
+
+    tasks = []
     if tags_to_apply:
         log_str = "New tags discovered in AWS."