# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1555676143 25200
# Node ID fcb97cb91ff8e9c27f80a1c58662afd33eed0bec
# Parent  730edbd836d8892cb7da6d44d1f68f58e9532fb1
automation: detach policies before deleting role

You can't delete an IAM role that has attached policies.

With this change, the purge-ec2-resources command now works.

Differential Revision: https://phab.mercurial-scm.org/D6284

diff -r 730edbd836d8 -r fcb97cb91ff8 contrib/automation/hgautomation/aws.py
--- a/contrib/automation/hgautomation/aws.py	Fri Apr 19 05:07:44 2019 -0700
+++ b/contrib/automation/hgautomation/aws.py	Fri Apr 19 05:15:43 2019 -0700
@@ -505,6 +505,10 @@
 
     for role in iamresource.roles.all():
         if role.name.startswith(prefix):
+            for p in role.attached_policies.all():
+                print('detaching policy %s from %s' % (p.arn, role.name))
+                role.detach_policy(PolicyArn=p.arn)
+
             print('removing role %s' % role.name)
             role.delete()