fix: detach managed policies in EC2 demo teardown

kylehounslow · kylehounslow · commit d4f282838dcc · 2026-04-01T17:57:38.000-07:00
Signed-off-by: Kyle Hounslow &lt;kylhouns@amazon.com&gt;
diff --git a/aws/cli-installer/src/ec2-demo.mjs b/aws/cli-installer/src/ec2-demo.mjs
@@ -313,6 +313,12 @@ export async function teardownDemoInstance(cfg) {
     await iam.send(new RemoveRoleFromInstanceProfileCommand({ InstanceProfileName: roleName, RoleName: roleName }));
     await iam.send(new DeleteInstanceProfileCommand({ InstanceProfileName: roleName }));
     await iam.send(new DeleteRolePolicyCommand({ RoleName: roleName, PolicyName: 'osis-ingest' }));
+    // Detach any managed policies
+    const { ListAttachedRolePoliciesCommand, DetachRolePolicyCommand } = await import('@aws-sdk/client-iam');
+    const { AttachedPolicies } = await iam.send(new ListAttachedRolePoliciesCommand({ RoleName: roleName }));
+    for (const p of AttachedPolicies || []) {
+      await iam.send(new DetachRolePolicyCommand({ RoleName: roleName, PolicyArn: p.PolicyArn }));
+    }
     await iam.send(new DeleteRoleCommand({ RoleName: roleName }));
     printSuccess('Instance profile and role deleted');
   } catch (e) {
