iam_password_policy: boto expects pw_expire to be ommitted when setting no expiration requirements (#59848)

Fixes #59102
2019-07-31 18:03:30 +02:00 · 2019-07-31 18:03:30 +02:00 · 934d25a820
commit 934d25a820
parent 3eeaf2f974
2 changed files with 18 additions and 12 deletions
--- a/changelogs/fragments/59848-iam-password-policy-Fix-no-expiration.yml
+++ b/changelogs/fragments/59848-iam-password-policy-Fix-no-expiration.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - iam_password_policy - Fix AWS/boto3 errors when setting no password expiration
--- a/lib/ansible/modules/cloud/amazon/iam_password_policy.py
+++ b/lib/ansible/modules/cloud/amazon/iam_password_policy.py
@ -61,7 +61,8 @@ options:
    aliases: [allow_password_change]
  pw_max_age:
    description:
-      - Maximum age for a password in days.
+      - Maximum age for a password in days. When this option is 0 then passwords
+        do not expire automatically.
    default: 0
    aliases: [password_max_age]
  pw_reuse_prevent:
@ -127,18 +128,21 @@ class IAMConnection(object):
        pw_reuse_prevent = module.params.get('pw_reuse_prevent')
        pw_expire = module.params.get('pw_expire')

+        update_parameters = dict(
+            MinimumPasswordLength=min_pw_length,
+            RequireSymbols=require_symbols,
+            RequireNumbers=require_numbers,
+            RequireUppercaseCharacters=require_uppercase,
+            RequireLowercaseCharacters=require_lowercase,
+            AllowUsersToChangePassword=allow_pw_change,
+            PasswordReusePrevention=pw_reuse_prevent,
+            HardExpiry=pw_expire
+        )
+        if pw_max_age:
+            update_parameters.update(MaxPasswordAge=pw_max_age)
+
        try:
-            results = policy.update(
-                MinimumPasswordLength=min_pw_length,
-                RequireSymbols=require_symbols,
-                RequireNumbers=require_numbers,
-                RequireUppercaseCharacters=require_uppercase,
-                RequireLowercaseCharacters=require_lowercase,
-                AllowUsersToChangePassword=allow_pw_change,
-                MaxPasswordAge=pw_max_age,
-                PasswordReusePrevention=pw_reuse_prevent,
-                HardExpiry=pw_expire
-            )
+            results = policy.update(**update_parameters)
            policy.reload()
        except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
            self.module.fail_json_aws(e, msg="Couldn't update IAM Password Policy")