r/iam: fix refreshing permission_boundary state on users and roles

Closes hashicorp#16534

Author: lqc

.changelog/33963.txt

@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_iam_role: Fix refreshing `permission_boundary` when deleted outside of Terraform
+```
+
+```release-note:bug
+resource/aws_iam_user: Fix refreshing `permission_boundary` when deleted outside of Terraform
+```

internal/service/iam/role.go

@@ -292,6 +292,8 @@ func resourceRoleRead(ctx context.Context, d *schema.ResourceData, meta interfac
 	d.Set("path", role.Path)
 	if role.PermissionsBoundary != nil {
 		d.Set("permissions_boundary", role.PermissionsBoundary.PermissionsBoundaryArn)
+	} else {
+		d.Set("permissions_boundary", nil)
 	}
 	d.Set("unique_id", role.RoleId)
 

internal/service/iam/role_test.go

@@ -551,6 +551,27 @@ func TestAccIAMRole_permissionsBoundary(t *testing.T) {
 					testAccCheckRolePermissionsBoundary(&role, permissionsBoundary1),
 				),
 			},
+			// Test drift detection
+			{
+				PreConfig: func() {
+					// delete the boundary manually
+					conn := acctest.Provider.Meta().(*conns.AWSClient).IAMConn(ctx)
+					input := &iam.DeleteRolePermissionsBoundaryInput{
+						RoleName: role.RoleName,
+					}
+					_, err := conn.DeleteRolePermissionsBoundaryWithContext(ctx, input)
+					if err != nil {
+						t.Fatalf("Failed to delete permission_boundary from role (%s): %s", aws.StringValue(role.RoleName), err)
+					}
+				},
+				Config: testAccRoleConfig_permissionsBoundary(rName, permissionsBoundary1),
+				// check the boundary was restored
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckRoleExists(ctx, resourceName, &role),
+					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
+					testAccCheckRolePermissionsBoundary(&role, permissionsBoundary1),
+				),
+			},
 			// Test empty value
 			{
 				Config: testAccRoleConfig_permissionsBoundary(rName, ""),

internal/service/iam/user.go

@@ -161,6 +161,8 @@ func resourceUserRead(ctx context.Context, d *schema.ResourceData, meta interfac
 	d.Set("path", user.Path)
 	if user.PermissionsBoundary != nil {
 		d.Set("permissions_boundary", user.PermissionsBoundary.PermissionsBoundaryArn)
+	} else {
+		d.Set("permissions_boundary", nil)
 	}
 	d.Set("unique_id", user.UserId)
 

internal/service/iam/user_test.go

@@ -413,6 +413,27 @@ func TestAccIAMUser_permissionsBoundary(t *testing.T) {
 					testAccCheckUserPermissionsBoundary(&user, permissionsBoundary1),
 				),
 			},
+			// Test drift detection
+			{
+				PreConfig: func() {
+					// delete the boundary manually
+					conn := acctest.Provider.Meta().(*conns.AWSClient).IAMConn(ctx)
+					input := &iam.DeleteUserPermissionsBoundaryInput{
+						UserName: user.UserName,
+					}
+					_, err := conn.DeleteUserPermissionsBoundaryWithContext(ctx, input)
+					if err != nil {
+						t.Fatalf("Failed to delete permission_boundary from user (%s): %s", aws.StringValue(user.UserName), err)
+					}
+				},
+				Config: testAccUserConfig_permissionsBoundary(rName, permissionsBoundary1),
+				// check the boundary was restored
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckUserExists(ctx, resourceName, &user),
+					resource.TestCheckResourceAttr(resourceName, "permissions_boundary", permissionsBoundary1),
+					testAccCheckUserPermissionsBoundary(&user, permissionsBoundary1),
+				),
+			},
 			// Test empty value
 			{
 				Config: testAccUserConfig_permissionsBoundary(rName, ""),