Changing the IAM Role resource to allow update of Assume Policy Document

hashicorp · Nov 30, 2015 · 245951c · 245951c
1 parent c073c1f
commit 245951c
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/builtin/providers/aws/resource_aws_iam_role.go b/builtin/providers/aws/resource_aws_iam_role.go
@@ -15,8 +15,7 @@ func resourceAwsIamRole() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAwsIamRoleCreate,
 		Read:   resourceAwsIamRoleRead,
-		// TODO
-		//Update: resourceAwsIamRoleUpdate,
+		Update: resourceAwsIamRoleUpdate,
 		Delete: resourceAwsIamRoleDelete,
 
 		Schema: map[string]*schema.Schema{
@@ -55,7 +54,6 @@ func resourceAwsIamRole() *schema.Resource {
 			"assume_role_policy": &schema.Schema{
 				Type:     schema.TypeString,
 				Required: true,
-				ForceNew: true,
 			},
 		},
 	}
@@ -95,6 +93,26 @@ func resourceAwsIamRoleRead(d *schema.ResourceData, meta interface{}) error {
 	}
 	return resourceAwsIamRoleReadResult(d, getResp.Role)
 }
+func resourceAwsIamRoleUpdate(d *schema.ResourceData, meta interface{}) error {
+	iamconn := meta.(*AWSClient).iamconn
+
+	if d.HasChange("assume_role_policy") {
+		assumeRolePolicyInput := &iam.UpdateAssumeRolePolicyInput{
+			RoleName:       aws.String(d.Id()),
+			PolicyDocument: aws.String(d.Get("assume_role_policy").(string)),
+		}
+		_, err := iamconn.UpdateAssumeRolePolicy(assumeRolePolicyInput)
+		if err != nil {
+			if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { // XXX test me
+				d.SetId("")
+				return nil
+			}
+			return fmt.Errorf("Error Updating IAM Role (%s) Assume Role Policy: %s", d.Id(), err)
+		}
+	}
+
+	return nil
+}
 
 func resourceAwsIamRoleReadResult(d *schema.ResourceData, role *iam.Role) error {
 	d.SetId(*role.RoleName)