From 934d25a820c29b885329675453748e4f88750c63 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 31 Jul 2019 18:03:30 +0200
Subject: [PATCH] iam_password_policy: boto expects pw_expire to be ommitted when setting no expiration requirements (#59848)
Fixes #59102
---
 ...-iam-password-policy-Fix-no-expiration.yml | 2 ++
 .../cloud/amazon/iam_password_policy.py | 28 +++++++++++--------
 2 files changed, 18 insertions(+), 12 deletions(-)
 create mode 100644 changelogs/fragments/59848-iam-password-policy-Fix-no-expiration.yml
diff --git a/changelogs/fragments/59848-iam-password-policy-Fix-no-expiration.yml b/changelogs/fragments/59848-iam-password-policy-Fix-no-expiration.yml
new file mode 100644
index 00000000000..2f5b2568ea3
--- /dev/null
+++ b/changelogs/fragments/59848-iam-password-policy-Fix-no-expiration.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - iam_password_policy - Fix AWS/boto3 errors when setting no password expiration
diff --git a/lib/ansible/modules/cloud/amazon/iam_password_policy.py b/lib/ansible/modules/cloud/amazon/iam_password_policy.py
index 435cf08605f..0f838018f93 100644
--- a/lib/ansible/modules/cloud/amazon/iam_password_policy.py
+++ b/lib/ansible/modules/cloud/amazon/iam_password_policy.py
@@ -61,7 +61,8 @@ options:
 aliases: [allow_password_change]
 pw_max_age:
 description:
- - Maximum age for a password in days.
+ - Maximum age for a password in days. When this option is 0 then passwords
+ do not expire automatically.
 default: 0
 aliases: [password_max_age]
 pw_reuse_prevent:
@@ -127,18 +128,21 @@ class IAMConnection(object):
 pw_reuse_prevent = module.params.get('pw_reuse_prevent')
 pw_expire = module.params.get('pw_expire')

+ update_parameters = dict(
+ MinimumPasswordLength=min_pw_length,
+ RequireSymbols=require_symbols,
+ RequireNumbers=require_numbers,
+ RequireUppercaseCharacters=require_uppercase,
+ RequireLowercaseCharacters=require_lowercase,
+ AllowUsersToChangePassword=allow_pw_change,
+ PasswordReusePrevention=pw_reuse_prevent,
+ HardExpiry=pw_expire
+ )
+ if pw_max_age:
+ update_parameters.update(MaxPasswordAge=pw_max_age)
+
 try:
- results = policy.update(
- MinimumPasswordLength=min_pw_length,
- RequireSymbols=require_symbols,
- RequireNumbers=require_numbers,
- RequireUppercaseCharacters=require_uppercase,
- RequireLowercaseCharacters=require_lowercase,
- AllowUsersToChangePassword=allow_pw_change,
- MaxPasswordAge=pw_max_age,
- PasswordReusePrevention=pw_reuse_prevent,
- HardExpiry=pw_expire
- )
+ results = policy.update(**update_parameters)
 policy.reload()
 except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
 self.module.fail_json_aws(e, msg="Couldn't update IAM Password Policy")
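Review bot: `PasswordReusePrevention=pw_reuse_prevent` is still placed in `update_parameters` unconditionally, so a value of 0 there would presumably hit the same boto3 parameter validation that this patch works around for `MaxPasswordAge`; the IAM API documents a minimum of 1 for both fields. The default of `pw_reuse_prevent` is not visible in this hunk, so confirm it, and if 0 is accepted guard it the same way with `if pw_reuse_prevent:` followed by `update_parameters.update(PasswordReusePrevention=pw_reuse_prevent)`. Note also that `HardExpiry=pw_expire` is still sent when `pw_max_age` is 0, whereas the subject line speaks of omitting pw_expire; a comment above `if pw_max_age:` such as `# MaxPasswordAge must be omitted, not 0, to request no expiry` would record which field is actually dropped. The enclosing method begins and ends outside the hunk.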