aws - iam-role add ability to force on delete action (cloud-custodian#6446)

Author: vauchok

c7n/resources/iam.py

@@ -1106,6 +1106,17 @@ def detach_all_policies(self, client, resource):
 class RoleDelete(BaseAction):
     """Delete an IAM Role.
 
+    To delete IAM Role you must first delete the policies
+    that are associated with the role. Also, you need to remove
+    the role from all instance profiles that the role is in.
+
+    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html
+
+    For this case option 'force' is used. If you set it as 'true',
+    policies that are associated with the role would be detached
+    (inline policies would be removed) and all instance profiles
+    the role is in would be removed as well as the role.
+
     For example, if you want to automatically delete an unused IAM role.
 
     :example:
@@ -1124,7 +1135,7 @@ class RoleDelete(BaseAction):
 
     """
     schema = type_schema('delete', force={'type': 'boolean'})
-    permissions = ('iam:DeleteRole',)
+    permissions = ('iam:DeleteRole', 'iam:DeleteInstanceProfile',)
 
     def detach_inline_policies(self, client, r):
         policies = (self.manager.retry(
@@ -1136,6 +1147,26 @@ def detach_inline_policies(self, client, r):
                 RoleName=r['RoleName'], PolicyName=p,
                 ignore_err_codes=('NoSuchEntityException',))
 
+    def delete_instance_profiles(self, client, r):
+        # An instance profile can contain only one IAM role,
+        # although a role can be included in multiple instance profiles
+        profile_names = []
+        profiles = self.manager.retry(
+            client.list_instance_profiles_for_role,
+            RoleName=r['RoleName'],
+            ignore_err_codes=('NoSuchEntityException',))
+        if profiles:
+            profile_names = [p.get('InstanceProfileName') for p in profiles['InstanceProfiles']]
+        for p in profile_names:
+            self.manager.retry(
+                client.remove_role_from_instance_profile,
+                RoleName=r['RoleName'], InstanceProfileName=p,
+                ignore_err_codes=('NoSuchEntityException',))
+            self.manager.retry(
+                client.delete_instance_profile,
+                InstanceProfileName=p,
+                ignore_err_codes=('NoSuchEntityException',))
+
     def process(self, resources):
         client = local_session(self.manager.session_factory).client('iam')
         error = None
@@ -1147,12 +1178,13 @@ def process(self, resources):
         for r in resources:
             if self.data.get('force', False):
                 self.detach_inline_policies(client, r)
+                self.delete_instance_profiles(client, r)
             try:
                 client.delete_role(RoleName=r['RoleName'])
             except client.exceptions.DeleteConflictException as e:
                 self.log.warning(
                     ("Role:%s cannot be deleted, set force "
-                     "to detach policy and delete, error: %s") % (
+                     "to detach policy, instance profile and delete, error: %s") % (
                          r['Arn'], str(e)))
                 error = e
             except (client.exceptions.NoSuchEntityException,

tests/data/placebo/test_force_delete_role/iam.DeleteInstanceProfile_1.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_force_delete_role/iam.DeleteInstanceProfile_2.json

@@ -0,0 +1,21 @@
+{
+    "status_code": 404,
+    "data": {
+        "Error": {
+            "Type": "Sender",
+            "Code": "NoSuchEntity",
+            "Message": "Instance Profile test cannot be found."
+        },
+        "ResponseMetadata": {
+            "RequestId": "RequestId",
+            "HTTPStatusCode": 404,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "x-amzn-requestid",
+                "content-type": "text/xml",
+                "content-length": "282",
+                "date": "Mon, 15 Feb 2021 11:16:24 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}

tests/data/placebo/test_force_delete_role/iam.ListInstanceProfilesForRole_1.json

@@ -0,0 +1,17 @@
+{
+    "status_code": 200,
+    "data": {
+        "InstanceProfiles": [
+            {
+                "InstanceProfileName": "test_profile",
+                "Roles": [
+                    {
+                        "RoleName": "test_role"
+                    }
+                ]
+            }
+        ],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_force_delete_role/iam.ListInstanceProfilesForRole_2.json

@@ -0,0 +1,8 @@
+{
+    "status_code": 200,
+    "data": {
+        "InstanceProfiles": [],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_force_delete_role/iam.ListInstanceProfilesForRole_3.json

@@ -0,0 +1,21 @@
+{
+    "status_code": 404,
+    "data": {
+        "Error": {
+            "Type": "Sender",
+            "Code": "NoSuchEntity",
+            "Message": "The role with name test cannot be found."
+        },
+        "ResponseMetadata": {
+            "RequestId": "RequestId",
+            "HTTPStatusCode": 404,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "x-amzn-requestid",
+                "content-type": "text/xml",
+                "content-length": "284",
+                "date": "Mon, 15 Feb 2021 11:05:26 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}

tests/data/placebo/test_force_delete_role/iam.RemoveRoleFromInstanceProfile_1.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_force_delete_role/iam.RemoveRoleFromInstanceProfile_2.json

@@ -0,0 +1,21 @@
+{
+    "status_code": 404,
+    "data": {
+        "Error": {
+            "Type": "Sender",
+            "Code": "NoSuchEntity",
+            "Message": "The role with name test cannot be found."
+        },
+        "ResponseMetadata": {
+            "RequestId": "RequestId",
+            "HTTPStatusCode": 404,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "x-amzn-requestid",
+                "content-type": "text/xml",
+                "content-length": "284",
+                "date": "Mon, 15 Feb 2021 11:16:24 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}

tests/data/placebo/test_iam_role_delete/iam.DeleteInstanceProfile_1.json

@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_iam_role_delete/iam.DeleteInstanceProfile_2.json

@@ -0,0 +1,21 @@
+{
+    "status_code": 404,
+    "data": {
+        "Error": {
+            "Type": "Sender",
+            "Code": "NoSuchEntity",
+            "Message": "Instance Profile test cannot be found."
+        },
+        "ResponseMetadata": {
+            "RequestId": "RequestId",
+            "HTTPStatusCode": 404,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "x-amzn-requestid",
+                "content-type": "text/xml",
+                "content-length": "282",
+                "date": "Mon, 15 Feb 2021 11:16:24 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}