
iam_managed_policy - Unknown parameter in input: "RoleName", must be one of: GroupName, PolicyArn #2067

Closed
1 task done
vonschultz opened this issue Apr 29, 2024 · 3 comments · Fixed by #2068

Comments

@vonschultz

Summary

According to the documentation of amazon.aws.iam_managed_policy it should be possible to remove an existing IAM Managed Policy by just giving the name and the state absent to iam_managed_policy, and this worked fine when running Ansible 9.3.0:

ansible localhost -m amazon.aws.iam_managed_policy -a "name=EC2-instance-S3-access state=absent"

After upgrading to Ansible 9.5.1, it gives the following error:

fatal: [localhost]: FAILED! => changed=false 
  boto3_version: 1.34.93
  botocore_version: 1.34.93
  msg: |-
    Failed to detach role policy: Parameter validation failed:
    Missing required parameter in input: "GroupName"
    Unknown parameter in input: "RoleName", must be one of: GroupName, PolicyArn

Issue Type

Bug Report

Component Name

iam_managed_policy

Ansible Version

$ ansible --version
ansible [core 2.16.6]
  config file = /home/von/.ansible.cfg
  configured module search path = ['/home/von/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /home/von/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/von/src/embedl/ci/provisioning/.tox/ansible/bin/ansible
  python version = 3.10.14 (main, Apr  6 2024, 18:45:05) [GCC 9.4.0] (/home/von/src/embedl/ci/provisioning/.tox/ansible/bin/python)
  jinja version = 3.1.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

# /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/ansible_collections
Collection                               Version
---------------------------------------- -------
amazon.aws                               7.5.0  
ansible.netcommon                        5.3.0  
ansible.posix                            1.5.4  
ansible.utils                            2.12.0 
ansible.windows                          2.3.0  
arista.eos                               6.2.2  
awx.awx                                  23.9.0 
azure.azcollection                       1.19.0 
check_point.mgmt                         5.2.3  
chocolatey.chocolatey                    1.5.1  
cisco.aci                                2.9.0  
cisco.asa                                4.0.3  
cisco.dnac                               6.13.3 
cisco.intersight                         2.0.8  
cisco.ios                                5.3.0  
cisco.iosxr                              6.1.1  
cisco.ise                                2.8.1  
cisco.meraki                             2.18.0 
cisco.mso                                2.6.0  
cisco.nxos                               5.3.0  
cisco.ucs                                1.10.0 
cloud.common                             2.1.4  
cloudscale_ch.cloud                      2.3.1  
community.aws                            7.2.0  
community.azure                          2.0.0  
community.ciscosmb                       1.0.7  
community.crypto                         2.19.0 
community.digitalocean                   1.26.0 
community.dns                            2.9.0  
community.docker                         3.9.0  
community.general                        8.6.0  
community.grafana                        1.8.0  
community.hashi_vault                    6.2.0  
community.hrobot                         1.9.2  
community.library_inventory_filtering_v1 1.0.1  
community.libvirt                        1.3.0  
community.mongodb                        1.7.3  
community.mysql                          3.9.0  
community.network                        5.0.2  
community.okd                            2.3.0  
community.postgresql                     3.4.0  
community.proxysql                       1.5.1  
community.rabbitmq                       1.3.0  
community.routeros                       2.15.0 
community.sap                            2.0.0  
community.sap_libs                       1.4.2  
community.sops                           1.6.7  
community.vmware                         4.3.0  
community.windows                        2.2.0  
community.zabbix                         2.3.1  
containers.podman                        1.13.0 
cyberark.conjur                          1.2.2  
cyberark.pas                             1.0.25 
dellemc.enterprise_sonic                 2.4.0  
dellemc.openmanage                       8.7.0  
dellemc.powerflex                        2.3.0  
dellemc.unity                            1.7.1  
f5networks.f5_modules                    1.28.0 
fortinet.fortimanager                    2.4.0  
fortinet.fortios                         2.3.6  
frr.frr                                  2.0.2  
gluster.gluster                          1.0.2  
google.cloud                             1.3.0  
grafana.grafana                          2.2.5  
hetzner.hcloud                           2.5.0  
hpe.nimble                               1.1.4  
ibm.qradar                               2.1.0  
ibm.spectrum_virtualize                  2.0.0  
ibm.storage_virtualize                   2.3.1  
infinidat.infinibox                      1.4.5  
infoblox.nios_modules                    1.6.1  
inspur.ispim                             2.2.0  
inspur.sm                                2.3.0  
junipernetworks.junos                    5.3.1  
kubernetes.core                          2.4.2  
lowlydba.sqlserver                       2.3.2  
lvrfrc87.git_acp                         2.2.0  
microsoft.ad                             1.5.0  
netapp.aws                               21.7.1 
netapp.azure                             21.10.1
netapp.cloudmanager                      21.22.1
netapp.elementsw                         21.7.0 
netapp.ontap                             22.11.0
netapp.storagegrid                       21.12.0
netapp.um_info                           21.8.1 
netapp_eseries.santricity                1.4.0  
netbox.netbox                            3.17.0 
ngine_io.cloudstack                      2.3.0  
ngine_io.exoscale                        1.1.0  
openstack.cloud                          2.2.0  
openvswitch.openvswitch                  2.1.1  
ovirt.ovirt                              3.2.0  
purestorage.flasharray                   1.27.0 
purestorage.flashblade                   1.17.0 
purestorage.fusion                       1.6.1  
sensu.sensu_go                           1.14.0 
splunk.es                                2.1.2  
t_systems_mms.icinga_director            2.0.1  
telekom_mms.icinga_director              1.35.0 
theforeman.foreman                       3.15.0 
vmware.vmware_rest                       2.3.1  
vultr.cloud                              1.12.1 
vyos.vyos                                4.1.0  
wti.remote                               1.0.5  

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: [email protected]
License: MIT
Location: /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages
Requires: 
Required-by: 
---
Name: boto3
Version: 1.34.93
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.34.93
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = /home/von/.ansible.cfg
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/von/.ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/home/von/.ansible.cfg) = yaml
DEFAULT_VAULT_IDENTITY_LIST(/home/von/.ansible.cfg) = ['prod@/home/von/.config/ansible-prod-vault.txt', 'stage@/home/von/.config/ansible-stage-vault.txt', 'train@/home/von/.config/ansible-train-vault']
EDITOR(env: EDITOR) = emacsclient -t

OS / Environment

Ubuntu 20.04

Steps to Reproduce

  1. Create managed policy named EC2-instance-S3-access.
  2. Run
ansible localhost -m amazon.aws.iam_managed_policy -a "name=EC2-instance-S3-access state=absent"

Expected Results

No errors, the policy disappears.

Actual Results

Including -vvv (but changing AWS account id to 1234... to be on the safe side):

ansible [core 2.16.6]
  config file = /home/von/.ansible.cfg
  configured module search path = ['/home/von/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /home/von/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/von/src/embedl/ci/provisioning/.tox/ansible/bin/ansible
  python version = 3.10.14 (main, Apr  6 2024, 18:45:05) [GCC 9.4.0] (/home/von/src/embedl/ci/provisioning/.tox/ansible/bin/python)
  jinja version = 3.1.3
  libyaml = True
Using /home/von/.ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: __adhoc_playbook__ *************************************************************************************************************************************************************************************************************************************************************

PLAY [Ansible Ad-Hoc] ********************************************************************************************************************************************************************************************************************************************************************

TASK [amazon.aws.iam_managed_policy] *****************************************************************************************************************************************************************************************************************************************************
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: von
<127.0.0.1> EXEC /bin/sh -c 'echo ~von && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/von/.ansible/tmp `"&& mkdir "` echo /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556 `" && echo ansible-tmp-1714402600.9953697-2856771-30855472610556="` echo /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556 `" ) && sleep 0'
Using module file /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/ansible_collections/amazon/aws/plugins/modules/iam_managed_policy.py
<127.0.0.1> PUT /home/von/.ansible/tmp/ansible-local-285675371rec378/tmp2gnpc2ap TO /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556/AnsiballZ_iam_managed_policy.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556/ /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556/AnsiballZ_iam_managed_policy.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/von/src/embedl/ci/provisioning/.tox/ansible/bin/python /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556/AnsiballZ_iam_managed_policy.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/von/.ansible/tmp/ansible-tmp-1714402600.9953697-2856771-30855472610556/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 42, in handler
    return func(*args, **kwargs)
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 98, in handler
    return func(*args, **kwargs)
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
    return _retry_func(
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
    return func()
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/iam.py", line 52, in detach_iam_role_policy
    client.detach_group_policy(PolicyArn=arn, RoleName=role)
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 107, in deciding_wrapper
    return unwrapped(*args, **kwargs)
  File "/home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/botocore/client.py", line 974, in _make_api_call
    request_dict = self._convert_to_request_dict(
  File "/home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/botocore/client.py", line 1048, in _convert_to_request_dict
    request_dict = self._serializer.serialize_to_request(
  File "/home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.10/site-packages/botocore/validate.py", line 381, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Missing required parameter in input: "GroupName"
Unknown parameter in input: "RoleName", must be one of: GroupName, PolicyArn

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_managed_policy.py", line 481, in main
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 42, in handler
    return func(*args, **kwargs)
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 98, in handler
    return func(*args, **kwargs)
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_managed_policy.py", line 434, in delete_policy
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_managed_policy.py", line 306, in detach_all_entities
  File "/tmp/ansible_amazon.aws.iam_managed_policy_payload_t07sy9wu/ansible_amazon.aws.iam_managed_policy_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 46, in handler
    raise cls._CUSTOM_EXCEPTION(message=f"Failed to {description}", exception=e) from e
ansible_collections.amazon.aws.plugins.module_utils.iam.AnsibleIAMError: Failed to detach role policy: Parameter validation failed:
Missing required parameter in input: "GroupName"
Unknown parameter in input: "RoleName", must be one of: GroupName, PolicyArn
fatal: [localhost]: FAILED! => changed=false 
  boto3_version: 1.34.93
  botocore_version: 1.34.93
  invocation:
    module_args:
      access_key: null
      aws_ca_bundle: null
      aws_config: null
      debug_botocore_endpoint_logs: false
      description: null
      endpoint_url: null
      make_default: true
      name: EC2-instance-S3-access
      only_version: false
      path: null
      policy: null
      profile: AdministratorAccess-123456789012
      purge_tags: true
      region: null
      secret_key: null
      session_token: null
      state: absent
      tags: null
      validate_certs: true
  msg: |-
    Failed to detach role policy: Parameter validation failed:
    Missing required parameter in input: "GroupName"
    Unknown parameter in input: "RoleName", must be one of: GroupName, PolicyArn

PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@vonschultz
Author

One more thing that I didn't realize when I gave my example: There's a role with the policy as well. A fuller example involving both the create and destroy steps would be

- hosts: localhost
  tasks:
    - amazon.aws.iam_managed_policy:
        policy_name: DeleteMePolicy
        policy: "{{ delete_me_policy | to_json }}"
        state: present
    - amazon.aws.iam_role:
        assume_role_policy_document: "{{ assume_role_policy | to_json }}"
        managed_policies:
          - DeleteMePolicy
        name: delete-me-access-role
        wait: true
    - amazon.aws.iam_managed_policy:
        policy_name: DeleteMePolicy
        state: absent
  vars:
    assume_role_policy:
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
      Version: '2012-10-17'
    delete_me_policy:
      Statement:
        - Action: s3:PutObject
          Effect: Allow
          Resource: "arn:aws:s3:::*/ec2_instances/${aws:userid}/*"
          Sid: VisualEditor0
      Version: '2012-10-17'

This works fine on Ansible 9.3.0, but fails on Ansible 9.5.1.

@tremble
Contributor

tremble commented Apr 30, 2024

@vonschultz Thanks for this, I've found the copy and paste failure that's triggered this.

softwarefactory-project-zuul bot pushed a commit that referenced this issue Apr 30, 2024
…mValidationError during policy deletion (#2068)

iam_managed_policy - fix ParamValidationError during policy deletion

SUMMARY
fixes: #2067
Introduced by #1998
A copy and paste mistake in #1998 resulted in ParamValidationErrors being triggered when deleting a managed policy which is still attached to a role or user.
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
iam_managed_policy
plugins/module_utils/iam.py
ADDITIONAL INFORMATION

Reviewed-by: Alina Buzachis
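To make the failure concrete, here is an added example (not code from the amazon.aws collection or from #2068) that models botocore's client-side parameter validation with a constructed IAM client, reproduces the exact report in the traceback above from the call `client.detach_group_policy(PolicyArn=arn, RoleName=role)`, and routes role detachments to `detach_role_policy` instead; that corrected call is an assumption, since the diff of #2068 is not on this page. `FakeIAMClient`, `POLICY_ARN` and the entity names are constructed.

```python
# Added example: a minimal stand-in for botocore's client-side parameter
# validation. Nothing here talks to AWS; botocore rejects a bad parameter set
# before any request is built, which is why the module fails without network.

class ParamValidationError(Exception):
    """Mirrors the shape of botocore.exceptions.ParamValidationError."""


# Required parameters of the three IAM detach operations (real IAM API shapes).
IAM_OPERATIONS = {
    "detach_role_policy": {"RoleName", "PolicyArn"},
    "detach_user_policy": {"UserName", "PolicyArn"},
    "detach_group_policy": {"GroupName", "PolicyArn"},
}

# Constructed sample ARN; 123456789012 is the redacted account id from the issue.
POLICY_ARN = "arn:aws:iam::123456789012:policy/DeleteMePolicy"


class FakeIAMClient:
    """Constructed client: validates kwargs like botocore, then records the call."""

    def __init__(self):
        self.calls = []  # (operation, kwargs) that passed validation

    def __getattr__(self, operation):
        if operation not in IAM_OPERATIONS:
            raise AttributeError(operation)

        def api_call(**kwargs):
            self._validate(operation, kwargs)
            self.calls.append((operation, kwargs))
            return {}

        return api_call

    def _validate(self, operation, kwargs):
        # Same two report lines botocore emits, in the same order.
        expected = IAM_OPERATIONS[operation]
        report = [f'Missing required parameter in input: "{n}"'
                  for n in sorted(expected - kwargs.keys())]
        report += [f'Unknown parameter in input: "{n}", must be one of: '
                   + ", ".join(sorted(expected))
                   for n in sorted(kwargs.keys() - expected)]
        if report:
            raise ParamValidationError("Parameter validation failed:\n" + "\n".join(report))


def detach_iam_role_policy_buggy(client, role, arn):
    """The copy-and-paste mistake seen in the traceback: the group operation
    is called with a role parameter, so validation fails before any request."""
    client.detach_group_policy(PolicyArn=arn, RoleName=role)


def detach_iam_role_policy(client, role, arn):
    """Corrected form (assumed fix): role detachments use the role operation."""
    client.detach_role_policy(PolicyArn=arn, RoleName=role)


def detach_all_entities(client, arn, roles=(), users=(), groups=()):
    """Detach a managed policy from every attached entity before deleting it.
    Each entity type must go to its own IAM operation; returns the calls made."""
    for role in roles:
        detach_iam_role_policy(client, role, arn)
    for user in users:
        client.detach_user_policy(PolicyArn=arn, UserName=user)
    for group in groups:
        client.detach_group_policy(PolicyArn=arn, GroupName=group)
    return list(client.calls)


def reproduce():
    """Run the buggy call against the fake client and return botocore's report."""
    try:
        detach_iam_role_policy_buggy(FakeIAMClient(), "delete-me-access-role", POLICY_ARN)
    except ParamValidationError as e:
        return str(e)
    return None
```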
softwarefactory-project-zuul bot pushed a commit that referenced this issue Apr 30, 2024
…mValidationError during policy deletion (#2068) (#2071)

[PR #2068/970c3032 backport][stable-7] iam_managed_policy - fix ParamValidationError during policy deletion

This is a backport of PR #2068 as merged into main (970c303).
SUMMARY
fixes: #2067
Introduced by #1998
A copy and paste mistake in #1998 resulted in ParamValidationErrors being triggered when deleting a managed policy which is still attached to a role or user.
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
iam_managed_policy
plugins/module_utils/iam.py
ADDITIONAL INFORMATION

Reviewed-by: Mark Chappell
@tremble
Contributor

tremble commented May 2, 2024

@vonschultz, the fix has now been merged. We hope to release 7.6.0 in about 1 week's time, at which point you should be able to pull the update from galaxy.ansible.com.
