Merge pull request #66 from Cox-Automotive/develop

Merge Develop to Master
Cox-Automotive · Oct 25, 2019 · 96fed0d · 96fed0d
2 parents f84e728 + 2ed59cf
commit 96fed0d
Show file tree

Hide file tree

Showing 6 changed files with 120 additions and 179 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/README.md b/README.md
@@ -168,19 +168,6 @@ Value                             | Type     | Forces New | Value Type | Descrip
 `ip_arn`                           | Computed | n/a        | string     | If `role_added_to_ip` was `true` this will provide the ARN of the instance profile role.
 `enable_alks_access`        | Optional | yes | bool | If `true`, allows ALKS calls to be made by instance profiles or Lambda functions making use of this role.
 
-#### `alks_machine_identity`
-
-```
-resource "alks_machine_identity" "test_mi" {
-    role_arn                     = "arn:aws:iam::123456789123:role/acct-managed/TestTrustRole"
-}
-```
-
-Value                             | Type     | Forces New | Value Type | Description
---------------------------------- | -------- | ---------- | ---------- | -----------
-`role_arn`                       | Required | yes        | string     | The arn of the Iam role you want to create a machine identity for.
-`machine_identity_arn`           | Computed | n/a        | string     | The arn of the machine identity tied to the iam role.
-
 ## Example
 
 See [this example](examples/alks.tf) for a basic Terraform script which:

diff --git a/provider.go b/provider.go
@@ -63,9 +63,8 @@ func Provider() terraform.ResourceProvider {
 		},
 
 		ResourcesMap: map[string]*schema.Resource{
-			"alks_iamrole":          resourceAlksIamRole(),
-			"alks_iamtrustrole":     resourceAlksIamTrustRole(),
-			"alks_machine_identity": resourceAlksIamMachineIdentity(),
+			"alks_iamrole":      resourceAlksIamRole(),
+			"alks_iamtrustrole": resourceAlksIamTrustRole(),
 		},
 
 		ConfigureFunc: providerConfigure,

diff --git a/resource_alks_iamrole.go b/resource_alks_iamrole.go
@@ -16,6 +16,7 @@ func resourceAlksIamRole() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAlksIamRoleCreate,
 		Read:   resourceAlksIamRoleRead,
+		Update: resourceAlksIamRoleUpdate,
 		Exists: resourceAlksIamRoleExists,
 		Delete: resourceAlksIamRoleDelete,
 
@@ -54,7 +55,6 @@ func resourceAlksIamRole() *schema.Resource {
 				Type:     schema.TypeBool,
 				Default:  false,
 				Optional: true,
-				ForceNew: true,
 			},
 		},
 	}
@@ -64,6 +64,7 @@ func resourceAlksIamTrustRole() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAlksIamTrustRoleCreate,
 		Read:   resourceAlksIamRoleRead,
+		Update: resourceAlksIamRoleUpdate,
 		Exists: resourceAlksIamRoleExists,
 		Delete: resourceAlksIamRoleDelete,
 
@@ -102,31 +103,6 @@ func resourceAlksIamTrustRole() *schema.Resource {
 				Type:     schema.TypeBool,
 				Default:  false,
 				Optional: true,
-				ForceNew: true,
-			},
-		},
-	}
-}
-
-func resourceAlksIamMachineIdentity() *schema.Resource {
-	return &schema.Resource{
-		Create: resourceAlksIamMachineIdentityCreate,
-		Read:   resourceAlksIamMachineIdentityRead,
-		Exists: resourceAlksIamMachineIdentityExists,
-		Delete: resourceAlksIamMachineIdentityDelete,
-
-		SchemaVersion: 1,
-		MigrateState:  migrateState,
-
-		Schema: map[string]*schema.Schema{
-			"role_arn": &schema.Schema{
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
-			},
-			"machine_identity_arn": &schema.Schema{
-				Type:     schema.TypeString,
-				Computed: true,
 			},
 		},
 	}
@@ -247,10 +223,52 @@ func resourceAlksIamRoleRead(d *schema.ResourceData, meta interface{}) error {
 	return populateResourceDataFromRole(foundrole, d)
 }
 
-func populateResourceDataFromRole(role *alks.IamRoleResponse, d *schema.ResourceData) error {
+func resourceAlksIamRoleUpdate(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] ALKS IAM Role Update")
+
+	// enable partial state mode
+	d.Partial(true)
+
+	if d.HasChange("enable_alks_access") {
+		// try updating enable_alks_access
+		if err := updateAlksAccess(d, meta); err != nil {
+			return err
+		}
+
+		d.SetPartial("enable_alks_access")
+	}
+
+	d.Partial(false)
+
+	return nil
+}
+
+func updateAlksAccess(d *schema.ResourceData, meta interface{}) error {
+	var alksAccess = d.Get("enable_alks_access").(bool)
+	var roleArn = d.Get("arn").(string)
+	client := meta.(*alks.Client)
+	// create the machine identity
+	if alksAccess {
+		_, err := client.AddRoleMachineIdentity(roleArn)
+		if err != nil {
+			return err
+		}
+	} else {
+		// delete the machine identity
+		_, err := client.DeleteRoleMachineIdentity(roleArn)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func populateResourceDataFromRole(role *alks.GetIamRoleResponse, d *schema.ResourceData) error {
 	d.SetId(role.RoleName)
 	d.Set("arn", role.RoleArn)
 	d.Set("ip_arn", role.RoleIPArn)
+	d.Set("enable_alks_access", role.AlksAccess)
+
 	// role type isnt returned by alks api so this will always false report on a remote state change
 	// for more info see issue #125 on ALKS repo
 	// d.Set("type", role.RoleType)
@@ -289,74 +307,3 @@ func migrateV0toV1(state *terraform.InstanceState) (*terraform.InstanceState, er
 
 	return state, nil
 }
-
-func resourceAlksIamMachineIdentityCreate(d *schema.ResourceData, meta interface{}) error {
-	log.Printf("[INFO] ALKS IAM Machine Identity Create")
-
-	var roleArn = d.Get("role_arn").(string)
-
-	client := meta.(*alks.Client)
-	resp, err := client.AddRoleMachineIdentity(roleArn)
-
-	if err != nil {
-		return err
-	}
-
-	d.SetId(roleArn)
-	d.Set("machine_identity_arn", resp.MachineIdentityArn)
-
-	log.Printf("[INFO] alks_machine_identity_arn: %v", d.Get("machine_identity_arn").(string))
-
-	return nil
-}
-
-func resourceAlksIamMachineIdentityRead(d *schema.ResourceData, meta interface{}) error {
-	log.Printf("[INFO] ALKS IAM Machine Identity Read")
-
-	client := meta.(*alks.Client)
-
-	foundMI, err := client.SearchRoleMachineIdentity(d.Id())
-
-	if err != nil {
-		return err
-	}
-
-	return populateResourceDataFromMI(foundMI, d)
-}
-
-func resourceAlksIamMachineIdentityExists(d *schema.ResourceData, meta interface{}) (b bool, e error) {
-	log.Printf("[INFO] ALKS IAM Machine Identity Exists")
-
-	client := meta.(*alks.Client)
-
-	foundMI, err := client.SearchRoleMachineIdentity(d.Id())
-
-	if err != nil {
-		if strings.Contains(err.Error(), "Could not find a matching record with the given parameters") {
-			return false, nil
-		}
-
-		return false, err
-	}
-
-	if foundMI == nil {
-		return false, nil
-	}
-
-	return true, nil
-}
-
-func resourceAlksIamMachineIdentityDelete(d *schema.ResourceData, meta interface{}) error {
-	log.Printf("[INFO] ALKS IAM Machine Identity Delete")
-
-	var roleArn = d.Get("role_arn").(string)
-
-	client := meta.(*alks.Client)
-	_, err := client.DeleteRoleMachineIdentity(roleArn)
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
diff --git a/resource_alks_iamrole_test.go b/resource_alks_iamrole_test.go
@@ -31,6 +31,20 @@ func TestAccAlksIamRole_Basic(t *testing.T) {
 						"alks_iamrole.foo", "include_default_policies", "false"),
 				),
 			},
+			resource.TestStep{
+				// update the resource
+				Config: testAccCheckAlksIamRoleConfigUpdateBasic,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"alks_iamrole.foo", "name", "bar420"),
+					resource.TestCheckResourceAttr(
+						"alks_iamrole.foo", "type", "Amazon EC2"),
+					resource.TestCheckResourceAttr(
+						"alks_iamrole.foo", "include_default_policies", "false"),
+					resource.TestCheckResourceAttr(
+						"alks_iamrole.foo", "enable_alks_access", "true"),
+				),
+			},
 		},
 	})
 }
@@ -52,22 +66,16 @@ func TestAccAlksIamTrustRole_Basic(t *testing.T) {
 						"alks_iamtrustrole.bar", "type", "Inner Account"),
 				),
 			},
-		},
-	})
-}
-
-func TestAccAlksIamMachineIdentity_Basic(t *testing.T) {
-	var resp alks.MachineIdentityResponse
-
-	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testAccCheckAlksIamMachineIdentityDestroy(&resp),
-		Steps: []resource.TestStep{
 			resource.TestStep{
-				Config: testAccCheckAlksIamMachineIdentityConfigBasic,
-				Check: resource.TestCheckResourceAttrSet(
-					"alks_machine_identity.bob", "role_arn",
+				// update the resource
+				Config: testAccCheckAlksIamTrustRoleConfigUpdateBasic,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"alks_iamtrustrole.bar", "name", "bar"),
+					resource.TestCheckResourceAttr(
+						"alks_iamtrustrole.bar", "type", "Inner Account"),
+					resource.TestCheckResourceAttr(
+						"alks_iamtrustrole.bar", "enable_alks_access", "true"),
 				),
 			},
 		},
@@ -93,30 +101,6 @@ func testAccCheckAlksIamRoleDestroy(role *alks.IamRoleResponse) resource.TestChe
 	}
 }
 
-func testAccCheckAlksIamMachineIdentityDestroy(mi *alks.MachineIdentityResponse) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		client := testAccProvider.Meta().(*alks.Client)
-
-		for _, rs := range s.RootModule().Resources {
-			if rs.Type == "alks_machine_identity" {
-				respz, err := client.SearchRoleMachineIdentity(rs.Primary.ID)
-				if respz != nil {
-					return fmt.Errorf("Machine Identity still exists: %#v (%v)", respz, err)
-				}
-			} else if rs.Type == "alks_iamrole" {
-				respz, err := client.GetIamRole(rs.Primary.ID)
-				if respz != nil {
-					return fmt.Errorf("Role still exists: %#v (%v)", respz, err)
-				}
-			} else {
-				continue
-			}
-		}
-
-		return nil
-	}
-}
-
 func testAccCheckAlksIamRoleExists(n string, role *alks.IamRoleResponse) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -160,35 +144,47 @@ func testAccCheckAlksIamRoleAttributes(role *alks.IamRoleResponse) resource.Test
 }
 
 const testAccCheckAlksIamRoleConfigBasic = `
-resource "alks_iamrole" "foo" {
+  resource "alks_iamrole" "foo" {
     name = "bar420"
     type = "Amazon EC2"
-    include_default_policies = false
-}
+		include_default_policies = false
+	}
+`
+
+const testAccCheckAlksIamRoleConfigUpdateBasic = `
+	resource "alks_iamrole" "foo" {
+		name = "bar420"
+		type = "Amazon EC2"
+		include_default_policies = false
+		enable_alks_access = true
+	}
 `
 
 const testAccCheckAlksIamTrustRoleConfigBasic = `
-resource "alks_iamrole" "foo" {
-	name = "foo"
-	type = "Amazon EC2"
-	include_default_policies = false
-}
+	resource "alks_iamrole" "foo" {
+		name = "foo"
+		type = "Amazon EC2"
+		include_default_policies = false
+	}
 
-resource "alks_iamtrustrole" "bar" {
-    name = "bar"
-    type = "Inner Account"
-    trust_arn = "${alks_iamrole.foo.arn}"
-}
+	resource "alks_iamtrustrole" "bar" {
+		name = "bar"
+		type = "Inner Account"
+		trust_arn = "${alks_iamrole.foo.arn}"
+	}
 `
 
-const testAccCheckAlksIamMachineIdentityConfigBasic = `
-resource "alks_iamrole" "foo" {
-	name = "foo"
-	type = "Amazon EC2"
-	include_default_policies = false
-}
+const testAccCheckAlksIamTrustRoleConfigUpdateBasic = `
+	resource "alks_iamrole" "foo" {
+		name = "foo"
+		type = "Amazon EC2"
+		include_default_policies = false
+	}
 
-resource "alks_machine_identity" "bob" {
-	role_arn = "${alks_iamrole.foo.arn}"
-}
+	resource "alks_iamtrustrole" "bar" {
+		name = "bar"
+		type = "Inner Account"
+		trust_arn = "${alks_iamrole.foo.arn}"
+		enable_alks_access = true
+	}
 `