From c088d9313002fcbe08fcb86691bcadb7645cdbee Mon Sep 17 00:00:00 2001 From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Wed, 16 Mar 2022 11:18:23 +0000 Subject: [PATCH] IAM Role Removal Does Not Require Removal of Permission Boundary (#961) (#1000) [PR #961/e670b348 backport][stable-3] IAM Role Removal Does Not Require Removal of Permission Boundary This is a backport of PR #961 as merged into main (e670b34). SUMMARY Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. Fixes #959 ISSUE TYPE Bugfix Pull Request COMPONENT NAME iam_role --- ...le-should-not-remove-permission-boundary-before-deletion.yml | 2 ++ plugins/modules/iam_role.py | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments/961-iam-role-should-not-remove-permission-boundary-before-deletion.yml diff --git a/changelogs/fragments/961-iam-role-should-not-remove-permission-boundary-before-deletion.yml b/changelogs/fragments/961-iam-role-should-not-remove-permission-boundary-before-deletion.yml new file mode 100644 index 00000000000..47dd88ed178 --- /dev/null +++ b/changelogs/fragments/961-iam-role-should-not-remove-permission-boundary-before-deletion.yml @@ -0,0 +1,2 @@ +bugfixes: + - iam_role - Removes unnecessary removal of permission boundary from a role when deleting a role. Unlike inline policies, permission boundaries do not need to be removed from an IAM role before deleting the IAM role. This behavior causes issues when a permission boundary is inherited that prevents removal of the permission boundary. (https://github.com/ansible-collections/community.aws/pull/961) 
diff --git a/plugins/modules/iam_role.py b/plugins/modules/iam_role.py index 7ca0d8c4fbb..15683e0e060 100644 --- a/plugins/modules/iam_role.py +++ b/plugins/modules/iam_role.py @@ -571,10 +571,8 @@ def destroy_role(): # Before we try to delete the role we need to remove any # - attached instance profiles # - attached managed policies - # - permissions boundary remove_instance_profiles(role_params, role) update_managed_policies(role_params, role, [], True) - update_role_permissions_boundary(boundary_params, role) try: if not module.check_mode:
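Review bot: In the changelog fragment, the entry opens with "Removes unnecessary removal of permission boundary", which is hard to parse and says "permission boundary" where the module's own names say "permissions boundary" (`update_role_permissions_boundary`, `# - permissions boundary`). Suggest wording it from the user's side, for example "iam_role - no longer removes the permissions boundary from a role before deleting the role", and keeping the sentences that follow as the rationale.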
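Review bot: In `destroy_role()` in plugins/modules/iam_role.py, the dropped call `update_role_permissions_boundary(boundary_params, role)` is the only use of `boundary_params` visible in this hunk; if nothing else in `destroy_role()` reads it, the code that builds it should be removed in the same change instead of staying as dead code. The diffstat lists only the changelog fragment and this file, so no test covers deleting a role that still has a permissions boundary attached; an integration test for that case would keep the pre-delete boundary removal from being reintroduced.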