Skip to content

Commit

Permalink
Merge pull request #193 from Cox-Automotive/update-trust-policy
Browse files Browse the repository at this point in the history
Update trust policy
  • Loading branch information
elliottzack429 authored Jul 25, 2023
2 parents 6bf6964 + dcfcd44 commit ff31e46
Show file tree
Hide file tree
Showing 6 changed files with 156 additions and 15 deletions.
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ module github.com/Cox-Automotive/terraform-provider-alks
go 1.18

require (
github.com/Cox-Automotive/alks-go v0.0.0-20221026220646-c20da5c3cb3a
github.com/Cox-Automotive/alks-go v0.0.0-20230724175933-0e9cb0a59b55
github.com/aws/aws-sdk-go v1.42.18
github.com/hashicorp/awspolicyequivalence v1.6.0
github.com/hashicorp/terraform-plugin-sdk/v2 v2.21.0
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/Cox-Automotive/alks-go v0.0.0-20221026220646-c20da5c3cb3a h1:EJJqr3Dg89DRi7eqtD9OX0XOqabndVqK0r9cy8Y7aq0=
github.com/Cox-Automotive/alks-go v0.0.0-20221026220646-c20da5c3cb3a/go.mod h1:jJNgXthl59Vt2tJHSC3WZ0vlopV9xqdclfQuLgwHjOw=
github.com/Cox-Automotive/alks-go v0.0.0-20230724175933-0e9cb0a59b55 h1:aIZaqUtNC6gZISs1VMWo6/jhlOjJcdbkoEqQHagxfWU=
github.com/Cox-Automotive/alks-go v0.0.0-20230724175933-0e9cb0a59b55/go.mod h1:jJNgXthl59Vt2tJHSC3WZ0vlopV9xqdclfQuLgwHjOw=
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
github.com/Microsoft/go-winio v0.4.16 h1:FtSW/jqD+l4ba5iPBj9CODVtgfYAD8w2wS923g/cFDk=
github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
Expand Down
46 changes: 43 additions & 3 deletions resource_alks_iamrole.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ func resourceAlksIamRole() *schema.Resource {
"assume_role_policy": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ForceNew: false,
ExactlyOneOf: []string{"assume_role_policy", "type"},
DiffSuppressFunc: SuppressEquivalentTrustPolicyDiffs,
},
Expand Down Expand Up @@ -249,6 +249,13 @@ func resourceAlksIamRoleRead(ctx context.Context, d *schema.ResourceData, meta i
func resourceAlksIamRoleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
log.Printf("[INFO] ALKS IAM Role Update")

providerStruct := meta.(*AlksClient)
client := providerStruct.client

if err := validateIAMEnabled(client); err != nil {
return diag.FromErr(err)
}

// enable partial state mode
d.Partial(true)

Expand All @@ -259,11 +266,44 @@ func resourceAlksIamRoleUpdate(ctx context.Context, d *schema.ResourceData, meta
}
}

//Do a read to get existing tags. If any of those are in ignore_tags, then they are externally managed
//and they should be included in the update so they don't get removed.
foundRole, err := client.GetIamRole(d.Id())

if err != nil {
return diag.FromErr(err)
}

options := alks.UpdateIamRoleRequest{
RoleName: &foundRole.RoleName,
}

if d.HasChange("tags_all") {
// try updating enable_alks_access
if err := updateIamRoleTags(d, meta); err != nil {

existingTags := tagSliceToMap(foundRole.Tags)
externalTags := getExternalyManagedTags(existingTags, *providerStruct.ignoreTags)
internalTags := d.Get("tags_all").(map[string]interface{})

//Tags includes default tags, role specific tags, and tags that exist externally on the role itself and are specified in ignored_tags
tags := tagMapToSlice(combineTagMaps(internalTags, externalTags))

options.Tags = &tags

}

if d.HasChange("assume_role_policy") {
// try updating assume_role_policy
trustPolicyString := d.Get("assume_role_policy").(string)
trustPolicy := new(map[string]interface{})
err := json.Unmarshal([]byte(trustPolicyString), trustPolicy)
if err != nil {
return diag.FromErr(err)
}
options.TrustPolicy = trustPolicy
}

if _, err := client.UpdateIamRole(&options); err != nil {
return diag.FromErr(err)
}

d.Partial(false)
Expand Down
97 changes: 97 additions & 0 deletions resource_alks_iamrole_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/Cox-Automotive/alks-go"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
awspolicy "github.com/hashicorp/awspolicyequivalence"
)

func TestAccAlksIamRole_Basic(t *testing.T) {
Expand Down Expand Up @@ -141,6 +142,59 @@ func TestAccAlksIamRole_DefaultTags_TrustPolicy(t *testing.T) {
})
}

func TestAccAlksIamRole_DefaultTags_TrustPolicyUpdate(t *testing.T) {
var resp alks.IamRoleResponse

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAlksIamRoleDestroy(&resp),
Steps: []resource.TestStep{
{
// create resource with tags
Config: testAccCheckAlksIamRoleUpdateWithTagsWithDefault_TrustPolicy,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(
"alks_iamrole.foo", "name", "bar430"),
resource.TestCheckResourceAttr(
"alks_iamrole.foo", "tags_all.defaultTagKey2", "defaultTagValue2"),
resource.TestCheckResourceAttr(
"alks_iamrole.foo", "tags.testKey1", "testValue1"),
),
},
{
// update resource with tags
Config: testAccCheckAlksIamRoleUpdateWithTagsWithDefault_TrustPolicyUpdate,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(
"alks_iamrole.foo", "name", "bar430"),
resource.TestCheckResourceAttr(
"alks_iamrole.foo", "tags.testKey4", "testValue4"),
resource.TestCheckResourceAttr(
"alks_iamrole.foo", "tags_all.defaultTagKey1", "defaultTagValue1"),
// Check the Assume Role Policy after the update
testCheckAssumeRolePolicy("assume_role_policy", expectedAssumeRolePolicyAfterUpdate),
),
},
},
})
}

func testCheckAssumeRolePolicy(attr, expected string) resource.TestCheckFunc {
return func(s *terraform.State) error {
actual := s.RootModule().Resources["alks_iamrole.foo"].Primary.Attributes[attr]
equivalent, err := awspolicy.PoliciesAreEquivalent(actual, expected)
if err != nil {
return fmt.Errorf("Unexpected error %s occured while comparing policies %s, and %s", err, expected, actual)
}
if !equivalent {
return fmt.Errorf("Expected %s to be %s, got %s", attr, expected, actual)
}
return nil

}
}

func TestAccAlksIamRole_DefaultTags_RoleType(t *testing.T) {
var resp alks.IamRoleResponse

Expand Down Expand Up @@ -768,6 +822,49 @@ const testAccCheckAlksIamRoleUpdateWithTagsWithDefault_TrustPolicy = `
}
`

const testAccCheckAlksIamRoleUpdateWithTagsWithDefault_TrustPolicyUpdate = `
provider "alks" {
default_tags {
tags = {
defaultTagKey1 = "defaultTagValue1"
}
}
}
resource "alks_iamrole" "foo" {
name = "bar430"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
include_default_policies = false
tags = {
testKey1 = "testValue1"
testKey4 = "testValue4"
}
}
`

const expectedAssumeRolePolicyAfterUpdate = `{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
}`

const testAccCheckAlksIamRoleUpdateWithTags = `
resource "alks_iamrole" "foo" {
name = "bar430"
Expand Down
20 changes: 12 additions & 8 deletions vendor/github.com/Cox-Automotive/alks-go/iam_role.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion vendor/modules.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# github.com/Cox-Automotive/alks-go v0.0.0-20221026220646-c20da5c3cb3a
# github.com/Cox-Automotive/alks-go v0.0.0-20230724175933-0e9cb0a59b55
## explicit; go 1.16
github.com/Cox-Automotive/alks-go
# github.com/agext/levenshtein v1.2.2
Expand Down

0 comments on commit ff31e46

Please sign in to comment.