Issues with aws-service-roles after upgrading to 2.3.0

[patrobinson]

#53 makes a change to completely ignore aws-service-roles. This raises an issue when you migrate to 2.3, it tries to create aws-service-roles as they are not "synced".

The fix I've implemented is to delete aws-service-role/* from our repo. I've documented this now in the releases page but we should do anything further?

cc @jacobbednarz

Note

You should remove all roles under iam/roles/aws-service-role/ as these are no longer managed by iamy

[jacobbednarz]

We could just add the cleanup as a part of IAMy on upgrade? Maybe remove any of the directories that match the same patterns we're using as ignore params. I'm not sure how I'd feel about it given the fragility of the matches though.

Thanks for update the release notes; that's a great catch.

[patrobinson]

This raises a broader issue I've noticed with iamy. In terms of set comparison say our AWS Account config is set A and the repository where we store iamy config is set B, during a pull iamy does A - B and the difference it updates in the repository. During a push it does B - A and tries to push the changes to an AWS Account.

This results in discrepancies such as this one and when anything is deleted from an account but not deleted from our iamy repo, a pull will not remove that configuration from the repository.

I wonder if we should instead be calculating the Symmetric difference A ∆ B during a pull.