r/iam_role: Delete inline policies when force_detach_policies = true

[atsushi-ishibashi]

Fix: #2279

[atsushi-ishibashi]

make testacc TEST=./aws TESTARGS='-run=TestAccAWSIAMRole_force_detach_policies'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSIAMRole_force_detach_policies -timeout 120m
=== RUN   TestAccAWSIAMRole_force_detach_policies
--- PASS: TestAccAWSIAMRole_force_detach_policies (40.95s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	41.050s

[atsushi-ishibashi]

the current force_detach_policies use ListAttachedRolePolicies to find policies which will be deatached.
But ListRolePolicies says

Lists the names of the inline policies that are embedded in the specified IAM role.
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies.

So when inlined policies are attached to role, you got error DeleteConflict: Cannot delete entity, must detach all policies first. even though force_detach_policies=true

In this PR, delete inline policies when force_detach_policies=true. I wonder if force_detach_policies is appropriate because it will delete inline policies...

[aleybovich]

@atsushi-ishibashi force_detach_policies is definitely appropriate - the idea of that flag is to be able to destroy a role with policies attached, no matter whether they are inline or separate.

[radeksimko]

Technically we're not really testing the new functionality here IMO, because the policy will get destroyed first due to its relationship and force_destroy won't get chance to ever take action.
I think we'd need to remove those policies from state as part of the test in order to verify it actually works.

[atsushi-ishibashi]

That's right👍
But I couldn't have an idea to realize it... Could you give me advice?

[radeksimko]

So I think the easier way is to add policies outside of the config, instead of removing them from state. We could add testAccAddAWSIAMRolePolicy("aws_iam_role.test") to your new test:

		Steps: []resource.TestStep{
			{
				Config: testAccAWSIAMRoleConfig_force_detach_policies(rName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSRoleExists("aws_iam_role.test", &conf),
					testAccAddAWSIAMRolePolicy("aws_iam_role.test"),
				),
			},
		},

which would just call the API to add a policy outside of any Terraform CRUD.

Testing framework will then attempt to destroy the role and exercise this new functionality.

[radeksimko]

Aren't we going to miss some policies here potentially due to pagination? How do you feel about using ListRolePoliciesPages instead?

[atsushi-ishibashi]

@radeksimko Ok👍

TF_ACC=1 go test ./aws -v -run=TestAccAWSIAMRole_force_detach_policies -timeout 120m
=== RUN   TestAccAWSIAMRole_force_detach_policies
--- PASS: TestAccAWSIAMRole_force_detach_policies (56.40s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	56.439s

[radeksimko]

LGTM, thanks.

[bflad]

This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!