chore(e2e): Address issue with deleting roles/policies (#5646) (#5648)

hc-github-team-secure-boundary · moduli · web-flow · commit c2b6c570c7d8 · 2025-04-15T18:00:53.000-04:00
On destroy, there was an issue with deleting IAM roles due to the following error: DeleteConflict: Cannot delete entity, must detach all policies first This commit adds an option to force the policy detachment, preventing the error. (cherry picked from commit 4304ec0) # Conflicts: # enos/modules/aws_vault/iam.tf Co-authored-by: Michael Li <michael.li@hashicorp.com>
diff --git a/enos/modules/aws_boundary/iam.tf b/enos/modules/aws_boundary/iam.tf
@@ -32,8 +32,9 @@ data "aws_iam_policy_document" "boundary_profile" {
 }
 
 resource "aws_iam_role" "boundary_instance_role" {
-  name               = "boundary_instance_role-${random_string.cluster_id.result}"
-  assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json
+  name                  = "boundary_instance_role-${random_string.cluster_id.result}"
+  assume_role_policy    = data.aws_iam_policy_document.boundary_instance_role.json
+  force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "boundary_profile" {
diff --git a/enos/modules/aws_vault/iam.tf b/enos/modules/aws_vault/iam.tf
@@ -36,8 +36,9 @@ data "aws_iam_policy_document" "vault_profile" {
 }
 
 resource "aws_iam_role" "vault_instance_role" {
-  name               = "vault_instance_role-${random_string.cluster_id.result}"
-  assume_role_policy = data.aws_iam_policy_document.vault_instance_role.json
+  name                  = "vault_instance_role-${random_string.cluster_id.result}"
+  assume_role_policy    = data.aws_iam_policy_document.vault_instance_role.json
+  force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "vault_profile" {
diff --git a/enos/modules/aws_worker/iam.tf b/enos/modules/aws_worker/iam.tf
@@ -58,8 +58,9 @@ data "aws_iam_policy_document" "combined_policy_document" {
 }
 
 resource "aws_iam_role" "boundary_instance_role" {
-  name               = "boundary_instance_role-${random_string.cluster_id.result}"
-  assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json
+  name                  = "boundary_instance_role-${random_string.cluster_id.result}"
+  assume_role_policy    = data.aws_iam_policy_document.boundary_instance_role.json
+  force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "boundary_profile" {

Original file line number	Diff line number	Diff line change
`@@ -32,8 +32,9 @@ data "aws_iam_policy_document" "boundary_profile" {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`resource "aws_iam_role" "boundary_instance_role" {`
`35`		`- name = "boundary_instance_role-${random_string.cluster_id.result}"`
`36`		`- assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`35`	`+ name = "boundary_instance_role-${random_string.cluster_id.result}"`
	`36`	`+ assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`37`	`+ force_detach_policies = true`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`resource "aws_iam_instance_profile" "boundary_profile" {`
Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,9 @@ data "aws_iam_policy_document" "vault_profile" {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`resource "aws_iam_role" "vault_instance_role" {`
`39`		`- name = "vault_instance_role-${random_string.cluster_id.result}"`
`40`		`- assume_role_policy = data.aws_iam_policy_document.vault_instance_role.json`
	`39`	`+ name = "vault_instance_role-${random_string.cluster_id.result}"`
	`40`	`+ assume_role_policy = data.aws_iam_policy_document.vault_instance_role.json`
	`41`	`+ force_detach_policies = true`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`resource "aws_iam_instance_profile" "vault_profile" {`
Original file line number	Diff line number	Diff line change
`@@ -58,8 +58,9 @@ data "aws_iam_policy_document" "combined_policy_document" {`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`resource "aws_iam_role" "boundary_instance_role" {`
`61`		`- name = "boundary_instance_role-${random_string.cluster_id.result}"`
`62`		`- assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`61`	`+ name = "boundary_instance_role-${random_string.cluster_id.result}"`
	`62`	`+ assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`63`	`+ force_detach_policies = true`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`resource "aws_iam_instance_profile" "boundary_profile" {`