Improve authentication approach for sqs client

Author: manachyn

dist/aws-iam/MANIFEST

@@ -1,4 +1,3 @@
 REPO aws-iam
-VERSION_HASH 827128c5086a
-LOAD iam-policy.yaml iam-role.yaml base.yaml common.yaml
-RESOURCES common.js iam-role-sync.js base.js iam-policy-sync.js
+LOAD iam-policy.yaml base.yaml common.yaml iam-role.yaml iam-user.yaml
+RESOURCES common.js iam-user-sync.js iam-policy-sync.js iam-role-sync.js base.js

dist/aws-iam/base.yaml

@@ -2,6 +2,4 @@ namespace: aws-iam
 
 base:
   defines: module
-  metadata:
-    version-hash: 827128c5086a
   source: <<< base.js

dist/aws-iam/common.yaml

@@ -2,6 +2,4 @@ namespace: aws-iam
 
 common:
   defines: module
-  metadata:
-    version-hash: 827128c5086a
   source: <<< common.js

dist/aws-iam/iam-policy-sync.js

@@ -8,6 +8,8 @@ var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "sy
 // input/aws-iam/policy.ts
 const base = require("aws-iam/base");
 const AWSIAMEntity = base.AWSIAMEntity;
+const common = require("aws-iam/common");
+const IAM_ACTIONS = common.IAM_ACTIONS;
 const cli = require("cli");
 var _IAMPolicy = class _IAMPolicy extends AWSIAMEntity {
   getPolicyName() {
@@ -84,7 +86,7 @@ var _IAMPolicy = class _IAMPolicy extends AWSIAMEntity {
       }
     }
     try {
-      const response = this.makeAWSRequest("POST", "CreatePolicy", params);
+      const response = this.makeAWSRequest("POST", IAM_ACTIONS.CREATE_POLICY, params);
       if (response.Policy) {
         this.state = {
           policy_arn: response.Policy.Arn,
@@ -112,7 +114,7 @@ var _IAMPolicy = class _IAMPolicy extends AWSIAMEntity {
       SetAsDefault: true
     };
     try {
-      const response = this.makeAWSRequest("POST", "CreatePolicyVersion", params);
+      const response = this.makeAWSRequest("POST", IAM_ACTIONS.CREATE_POLICY_VERSION, params);
       if (response.PolicyVersion) {
         this.state.default_version_id = response.PolicyVersion.VersionId;
         this.state.update_date = response.PolicyVersion.CreateDate;
@@ -127,26 +129,87 @@ var _IAMPolicy = class _IAMPolicy extends AWSIAMEntity {
     if (!this.state.policy_arn) {
       return;
     }
+    if (this.state.existing) {
+      return;
+    }
     try {
-      if (this.state.attachment_count && this.state.attachment_count > 0) {
-        cli.output(`Warning: Policy has ${this.state.attachment_count} attachments. You may need to detach it first.`);
-      }
+      this.detachPolicyFromAllEntities();
       this.deleteNonDefaultVersions();
       this.deletePolicy(this.state.policy_arn, this.definition.policy_name);
     } catch (error) {
       throw new Error(`Failed to delete IAM Policy ${this.definition.policy_name}: ${error instanceof Error ? error.message : "Unknown error"}`);
     }
   }
+  detachPolicyFromAllEntities() {
+    if (!this.state.policy_arn) {
+      return;
+    }
+    try {
+      const response = this.makeAWSRequest("POST", IAM_ACTIONS.LIST_ENTITIES_FOR_POLICY, {
+        PolicyArn: this.state.policy_arn
+      });
+      if (response.PolicyUsers) {
+        const users = Array.isArray(response.PolicyUsers) ? response.PolicyUsers : [response.PolicyUsers];
+        for (const user of users) {
+          const userName = typeof user === "string" ? user : user.UserName;
+          if (userName) {
+            try {
+              this.makeAWSRequest("POST", IAM_ACTIONS.DETACH_USER_POLICY, {
+                UserName: userName,
+                PolicyArn: this.state.policy_arn
+              });
+            } catch (error) {
+              cli.output(`Warning: Failed to detach policy from user ${userName}: ${error instanceof Error ? error.message : "Unknown error"}`);
+            }
+          }
+        }
+      }
+      if (response.PolicyRoles) {
+        const roles = Array.isArray(response.PolicyRoles) ? response.PolicyRoles : [response.PolicyRoles];
+        for (const role of roles) {
+          const roleName = typeof role === "string" ? role : role.RoleName;
+          if (roleName) {
+            try {
+              this.makeAWSRequest("POST", IAM_ACTIONS.DETACH_ROLE_POLICY, {
+                RoleName: roleName,
+                PolicyArn: this.state.policy_arn
+              });
+            } catch (error) {
+              cli.output(`Warning: Failed to detach policy from role ${roleName}: ${error instanceof Error ? error.message : "Unknown error"}`);
+            }
+          }
+        }
+      }
+      if (response.PolicyGroups) {
+        const groups = Array.isArray(response.PolicyGroups) ? response.PolicyGroups : [response.PolicyGroups];
+        for (const group of groups) {
+          const groupName = typeof group === "string" ? group : group.GroupName;
+          if (groupName) {
+            try {
+              this.makeAWSRequest("POST", IAM_ACTIONS.DETACH_GROUP_POLICY, {
+                GroupName: groupName,
+                PolicyArn: this.state.policy_arn
+              });
+            } catch (error) {
+              cli.output(`Warning: Failed to detach policy from group ${groupName}: ${error instanceof Error ? error.message : "Unknown error"}`);
+            }
+          }
+        }
+      }
+    } catch (error) {
+      cli.output(`Warning: Failed to list policy attachments: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+  }
   deleteNonDefaultVersions() {
     try {
-      const response = this.makeAWSRequest("POST", "ListPolicyVersions", {
+      const response = this.makeAWSRequest("POST", IAM_ACTIONS.LIST_POLICY_VERSIONS, {
         PolicyArn: this.state.policy_arn
       });
       if (response.Versions) {
         const nonDefaultVersions = response.Versions.filter((v) => !v.IsDefaultVersion);
         for (const version of nonDefaultVersions) {
           try {
-            this.makeAWSRequest("POST", "DeletePolicyVersion", {
+            this.makeAWSRequest("POST", IAM_ACTIONS.DELETE_POLICY_VERSION, {
               PolicyArn: this.state.policy_arn,
               VersionId: version.VersionId
             });

dist/aws-iam/iam-policy.yaml

@@ -3,7 +3,6 @@ iam-policy:
   defines: entity
   metadata:
     name: IAMPolicy
-    version-hash: 827128c5086a
   schema:
     region:
       type: string
@@ -28,30 +27,9 @@ iam-policy:
     required:
       - region
       - policy_name
-  state-schema:
-    existing:
-      type: boolean
-      description: Indicates if the resource pre-existed before this entity managed it
-    policy_arn:
-      type: string
-      description: Policy ARN
-    policy_id:
-      type: string
-      description: Policy ID
-    default_version_id:
-      type: string
-      description: Default version identifier
-    attachment_count:
-      type: number
-      description: Number of attachments to principals
-    create_date:
-      type: string
-      description: Creation timestamp
-    update_date:
-      type: string
-      description: Last update timestamp
   lifecycle:
     sync: <<< iam-policy-sync.js
   requires:
     - aws-iam/base
+    - aws-iam/common
     - cli

dist/aws-iam/iam-role.yaml

@@ -3,7 +3,6 @@ iam-role:
   defines: entity
   metadata:
     name: IAMRole
-    version-hash: 827128c5086a
   schema:
     region:
       type: string
@@ -36,19 +35,6 @@ iam-role:
     required:
       - region
       - role_name
-  state-schema:
-    existing:
-      type: boolean
-      description: Whether role pre-existed before this entity managed it
-    role_arn:
-      type: string
-      description: Role ARN
-    role_id:
-      type: string
-      description: Role ID
-    create_date:
-      type: string
-      description: Creation timestamp
   lifecycle:
     sync: <<< iam-role-sync.js
   checks: