Patchwork D6284: automation: detach policies before deleting role

Submitter phabricator
Date April 19, 2019, 12:20 p.m.
Message ID <differential-rev-PHID-DREV-qjay6csy3fj3glnvt37e-req@phab.mercurial-scm.org>
Permalink /patch/39763/
State Superseded

Comments

phabricator - April 19, 2019, 12:20 p.m.
indygreg created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  You can't delete an IAM role that has attached policies.
  
  With this change, the purge-ec2-resources command now works.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D6284

AFFECTED FILES
  contrib/automation/hgautomation/aws.py

CHANGE DETAILS




To: indygreg, #hg-reviewers
Cc: mercurial-devel

Patch

diff --git a/contrib/automation/hgautomation/aws.py b/contrib/automation/hgautomation/aws.py
--- a/contrib/automation/hgautomation/aws.py
+++ b/contrib/automation/hgautomation/aws.py
@@ -505,6 +505,10 @@ 
 
     for role in iamresource.roles.all():
         if role.name.startswith(prefix):
+            for p in role.attached_policies.all():
+                print('detaching policy %s from %s' % (p.arn, role.name))
+                role.detach_policy(PolicyArn=p.arn)
+
             print('removing role %s' % role.name)
             role.delete()
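
Review bot: the new loop ahead of role.delete() only covers managed policies, since it iterates role.attached_policies; a role that also carries inline policies (the role.policies collection in boto3) will still fail deletion with a DeleteConflict error. If the automation only ever attaches managed policies to roles under this prefix, a short comment saying so would help; otherwise add a second loop that deletes each inline policy before the delete. Separately, because the match is role.name.startswith(prefix) and the action is now detach plus delete, it is worth confirming in the caller that prefix can never be empty, as an empty prefix would match every role in the account.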