Merge branch 'main' into test_ruff

Author: alinabuzachis

changelogs/fragments/2067-iam_managed_policy-delete.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - iam_managed_policy - fixes bug that causes ``ParamValidationError`` when attempting to delete a policy that's attached to a role or a user (https://github.com/ansible-collections/amazon.aws/issues/2067).

plugins/module_utils/iam.py

@@ -49,14 +49,14 @@ def detach_iam_group_policy(client, arn, group):
 @IAMErrorHandler.deletion_error_handler("detach role policy")
 @AWSRetry.jittered_backoff()
 def detach_iam_role_policy(client, arn, role):
-    client.detach_group_policy(PolicyArn=arn, RoleName=role)
+    client.detach_role_policy(PolicyArn=arn, RoleName=role)
     return True
 
 
 @IAMErrorHandler.deletion_error_handler("detach user policy")
 @AWSRetry.jittered_backoff()
 def detach_iam_user_policy(client, arn, user):
-    client.detach_group_policy(PolicyArn=arn, UserName=user)
+    client.detach_user_policy(PolicyArn=arn, UserName=user)
     return True
 
 

tests/integration/targets/iam_managed_policy/defaults/main.yml

@@ -2,3 +2,6 @@
 policy_name: "{{ resource_prefix }}-policy"
 policy_path: "/ansible-test-{{ tiny_prefix }}/"
 policy_description: "An example Managed Policy description"
+test_role: "{{ resource_prefix }}-mp-role"
+test_user: "{{ resource_prefix }}-mp-user"
+test_group: "{{ resource_prefix }}-mp-group"

tests/integration/targets/iam_managed_policy/files/deny-assume.json

@@ -0,0 +1,10 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": { "Service": "ec2.amazonaws.com" },
+            "Effect": "Deny"
+        }
+    ]
+}

tests/integration/targets/iam_managed_policy/tasks/main.yml

@@ -9,6 +9,21 @@
   collections:
     - amazon.aws
   block:
+    - name: Create IAM group
+      amazon.aws.iam_group:
+        name: "{{ test_group }}"
+        state: present
+    - name: Create IAM user
+      amazon.aws.iam_user:
+        name: "{{ test_user }}"
+        state: present
+    - name: Create IAM role
+      amazon.aws.iam_role:
+        name: "{{ test_role }}"
+        assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+        create_instance_profile: false
+        state: present
+
     ## Test policy creation
     - name: Create IAM managed policy - check mode
       amazon.aws.iam_managed_policy:
@@ -448,14 +463,60 @@
           - result.policy.tags["Tag C"] == "Value C"
           - result.policy.tags["tag d"] == "value d"
 
+    - name: Attach managed policy to group
+      amazon.aws.iam_group:
+        name: "{{ test_group }}"
+        state: present
+        managed_policies:
+          - "{{ policy_name }}"
+    - name: Attach managed policy to user
+      amazon.aws.iam_user:
+        name: "{{ test_user }}"
+        state: present
+        managed_policies:
+          - "{{ policy_name }}"
+    - name: Attach managed policy to role
+      amazon.aws.iam_role:
+        name: "{{ test_role }}"
+        state: present
+        assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+        managed_policies:
+          - "{{ policy_name }}"
+
     - name: Delete IAM managed policy
       amazon.aws.iam_managed_policy:
         policy_name: "{{ policy_name }}"
         state: absent
 
+    - name: Delete IAM group
+      amazon.aws.iam_group:
+        name: "{{ test_group }}"
+        state: absent
+    - name: Delete IAM user
+      amazon.aws.iam_user:
+        name: "{{ test_user }}"
+        state: absent
+    - name: Delete IAM role
+      amazon.aws.iam_role:
+        name: "{{ test_role }}"
+        state: absent
+
   always:
     - name: Delete IAM managed policy
       amazon.aws.iam_managed_policy:
         policy_name: "{{ policy_name }}"
         state: absent
       ignore_errors: true # noqa: ignore-errors
+
+    - name: Delete IAM group
+      amazon.aws.iam_group:
+        name: "{{ test_group }}"
+        state: absent
+    - name: Delete IAM user
+      amazon.aws.iam_user:
+        name: "{{ test_user }}"
+        state: absent
+    - name: Delete IAM role
+      amazon.aws.iam_role:
+        name: "{{ test_role }}"
+        state: absent