
Error due to DeleteRoleIfExists

Open ana-oprescu opened this issue 7 years ago • 1 comments

Hi,

First off, many thanks for this great framework!!! I've been playing with its Lambda demo and I get the following error due to the DeleteRoleIfExists function, https://github.com/rcook/aws-via-haskell/blob/7635a319e8c2b26b53332b616e7dd02fa9e16cba/lambda/Main.hs#L190:

```
*Main> main
DeleteFunctionIfExists
DetachRolePolicyIfExists
DeleteRoleIfExists
*** Exception: ServiceError (ServiceError' {_serviceAbbrev = Abbrev "IAM", _serviceStatus = Status {statusCode = 409, statusMessage = "Conflict"}, _serviceHeaders = [("x-amzn-RequestId","342fa443-0132-11e8-a753-691a83f812d3"),("Content-Type","text/xml"),("Content-Length","295"),("Date","Wed, 24 Jan 2018 18:12:56 GMT")], _serviceCode = ErrorCode "DeleteConflict", _serviceMessage = Just (ErrorMessage "Cannot delete entity, must delete policies first."), _serviceRequestId = Just (RequestId "342fa443-0132-11e8-a753-691a83f812d3")})
```

Commenting out the function invocation solves the issue and the rest of the app executes fine.

My setup is:

```
ghci --version
The Glorious Glasgow Haskell Compilation System, version 8.2.1
stack --version
Version 1.6.3 x86_64 hpack-0.20.0
resolver: lts-9.14
```

ana-oprescu avatar Jan 24 '18 18:01 ana-oprescu

This repo is just a series of demo programs demonstrating how to use the [amazonka](https://github.com/brendanhay/amazonka) family of Haskell packages.

That failure indicates that some asynchronous process has not completed yet or that detaching the policy is not sufficient. You might be able to figure out what's up by consulting the AWS console to see if there are any policies lying around that shouldn't be there. To programmatically address this, you'd need to delete policies using the DeletePolicy command (see https://hackage.haskell.org/package/amazonka-iam-1.5.0/docs/Network-AWS-IAM-DeletePolicy.html) and the deletePolicy smart constructor.

I can take you through the steps to write the code to do this:

Import the deletePolicy smart constructor function

Add this to the import list at the top of the module:

```haskell
import Network.AWS.IAM (deletePolicy)
```

Create a doDeletePolicyIfExists function

This would look something like:

```haskell
doDeletePolicyIfExists :: ARN -> IAMSession -> IO ()
doDeletePolicyIfExists (ARN pn) = withAWS $
    -- A NoSuchEntity error means the policy is already gone, so treat it as
    -- success; this keeps the cleanup idempotent.
    handling _NoSuchEntityException (const $ pure ()) $
        void $ send $ deletePolicy pn
```

Evaluate this function in the appropriate place

Add a call to the awsSession function after the call to doDetachRolePolicyIfExists and before doDeleteRoleIfExists. If awsLambdaBasicExecutionRolePolicy is the offending policy that needs to be deleted, you call it as follows:

```haskell
doDeletePolicyIfExists awsLambdaBasicExecutionRolePolicy iamSession
```

Notes

I haven't tested these suggestions yet but I will try to find some time to do it. Also note that deleting a policy might be asynchronous, in which case you'd need to wait until this action completes. There is no waiter for it under Network.AWS.IAM.Waiters, which suggests that this operation is synchronous, so you (hopefully) won't need to do this.

rcook avatar Jan 24 '18 19:01 rcook
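The 409 DeleteConflict in the report ("Cannot delete entity, must delete policies first") is IAM refusing to delete a role that still has policy dependencies. The example below is added here and is not code from the issue or from rcook's aws-via-haskell repository: it is a stand-alone amazonka 1.5 program that tears a role down in the order IAM requires (detach managed policies, delete inline policies, then delete the role), treating NoSuchEntity as "already gone" so the cleanup can be re-run safely. It uses amazonka's `newEnv`/`runAWS` directly rather than the repo's `withAWS`/`IAMSession` helpers, and the role name `aws-via-haskell-example-role` is an assumed placeholder; the module name `RoleTeardown` and the helper names `ignoringMissing` and `deleteRoleCompletely` are mine.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not part of aws-via-haskell): delete an IAM role only after
-- removing every policy that IAM counts as a dependency, so DeleteRole does
-- not fail with 409 DeleteConflict.
module RoleTeardown (deleteRoleCompletely, main) where

import           Control.Exception.Lens (handling)
import           Control.Lens ((^.))
import           Control.Monad (forM_, void)
import           Data.Maybe (mapMaybe)
import qualified Data.Text as T
import           Network.AWS
import           Network.AWS.IAM

-- Assumed placeholder; the issue's Lambda demo creates its own role name.
roleName :: T.Text
roleName = "aws-via-haskell-example-role"

-- Run an IAM action and treat NoSuchEntity as success: the entity is already
-- gone, which is the state we want. This makes the teardown idempotent.
ignoringMissing :: AWS () -> AWS ()
ignoringMissing = handling _NoSuchEntityException (const (pure ()))

-- Teardown in dependency order. Inline role policies are the common cause of
-- the "must delete policies first" error: DetachRolePolicy only removes
-- managed-policy attachments and leaves inline policies in place.
deleteRoleCompletely :: T.Text -> AWS ()
deleteRoleCompletely rn = do
    -- 1. Detach every managed policy (AWS-managed or customer-managed) that is
    --    attached to the role. Only the attachment is removed; the policy
    --    document itself is left alone, which is what we want for shared
    --    policies such as AWSLambdaBasicExecutionRole.
    attached <- send (listAttachedRolePolicies rn)
    let arns = mapMaybe (^. apPolicyARN) (attached ^. larprsAttachedPolicies)
    forM_ arns $ \arn ->
        ignoringMissing (void (send (detachRolePolicy rn arn)))

    -- 2. Delete inline policies embedded in the role. These belong to the
    --    role and must be removed explicitly before the role can go.
    inline <- send (listRolePolicies rn)
    forM_ (inline ^. lrprsPolicyNames) $ \name ->
        ignoringMissing (void (send (deleteRolePolicy rn name)))

    -- 3. With no remaining policy dependencies, delete the role itself.
    ignoringMissing (void (send (deleteRole rn)))

main :: IO ()
main = do
    -- Credentials are discovered from the environment, a profile, or instance
    -- metadata, as in the repo's own demos. IAM is a global service, so the
    -- default region in the Env does not matter here.
    env <- newEnv Discover
    runResourceT (runAWS env (deleteRoleCompletely roleName))
    putStrLn "role teardown finished"
```

Two caveats worth knowing when adapting this: `listAttachedRolePolicies` and `listRolePolicies` return a single page (up to the IAM default of 100 items), so a role with more attachments than that needs pagination via `paginate` before deletion; and a role that is still referenced by an EC2 instance profile will also be refused by DeleteRole for a reason the error message above does not name, so that dependency has to be removed separately. Leaving a half-deleted role behind is the failure mode to avoid: it still carries whatever permissions its remaining policies grant.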