Merge pull request #172 from Cox-Automotive/develop

Develop

docs/resources/alks_iamrole.md

@@ -6,16 +6,41 @@ Creates an custom ALKS IAM role for usage in an AWS account.
 
 ### ALKS IAM Role Creation
 
+#### IAM Role with a custom trust policy document
+
 ```hcl
 resource "alks_iamrole" "test_role" {
     name                     = "My_Test_Role"
-    type                     = "Amazon EC2"
+    assume_role_policy       = jsonencode({
+        Version = "2012-10-17",
+        Statement = [
+            {
+                Action = "sts:AssumeRole",
+                Effect = "Allow",
+                Principal = {
+                    Service = "ec2.amazonaws.com"
+                },
+                Sid = ""
+            }
+        ]
+    })
     include_default_policies = false
     enable_alks_access       = false
 }
 ```
 
-This will create a role with the exact name `My_Test_Role`.
+This will create a role with the exact name `My_Test_Role`. Specifying a custom trust policy like this is currently only supported for single-service trust policies trusting an approved AWS service, and at the moment no extra fields may be provided such as the "Condition" or "Resource" keys. At this time, the only acceptable changes to the JSON string passed to the assume_role_policy field above are that `ec2.amazonaws.com` can be swapped out for any single approved service, and the `Sid` field may be omitted or populated with any valid Sid according to AWS's documentation.
+
+#### IAM Role specifying a role type
+
+```hcl
+resource "alks_iamrole" "test_role" {
+    name                     = "My_Test_Role"
+    type                     = "Amazon EC2"
+    include_default_policies = false
+    enable_alks_access       = false
+}
+```
 
 ### ALKS IAM Role Creation with Name Prefix
 

go.mod

@@ -3,7 +3,7 @@ module github.com/Cox-Automotive/terraform-provider-alks
 go 1.14
 
 require (
-	github.com/Cox-Automotive/alks-go v0.0.0-20220502192728-623c28f3b92b
+	github.com/Cox-Automotive/alks-go v0.0.0-20220610194553-5bc77030a1ba
 	github.com/aws/aws-sdk-go v1.31.15
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/terraform-json v0.13.0 // indirect

go.sum

@@ -36,6 +36,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Cox-Automotive/alks-go v0.0.0-20220502192728-623c28f3b92b h1:lTQ/h4MVJzOmrWk0a16zb9pUapImXFeTlQkO3vlZtUI=
 github.com/Cox-Automotive/alks-go v0.0.0-20220502192728-623c28f3b92b/go.mod h1:jJNgXthl59Vt2tJHSC3WZ0vlopV9xqdclfQuLgwHjOw=
+github.com/Cox-Automotive/alks-go v0.0.0-20220610194553-5bc77030a1ba h1:2a3ugAGVFcRPYNNeO3DVHlFDjhoWIgwOCOG+YTDaqaU=
+github.com/Cox-Automotive/alks-go v0.0.0-20220610194553-5bc77030a1ba/go.mod h1:jJNgXthl59Vt2tJHSC3WZ0vlopV9xqdclfQuLgwHjOw=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=

resource_alks_iamrole.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"log"
 
@@ -40,9 +41,16 @@ func resourceAlksIamRole() *schema.Resource {
 				ValidateFunc:  ValidRolePrefix,
 			},
 			"type": {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ExactlyOneOf: []string{"assume_role_policy", "type"},
+			},
+			"assume_role_policy": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ExactlyOneOf: []string{"assume_role_policy", "type"},
 			},
 			"include_default_policies": {
 				Type:     schema.TypeBool,
@@ -87,7 +95,6 @@ func resourceAlksIamRole() *schema.Resource {
 func resourceAlksIamRoleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	log.Printf("[INFO] ALKS IAM Role Create")
 	var roleName = NameWithPrefix(d.Get("name").(string), d.Get("name_prefix").(string))
-	var roleType = d.Get("type").(string)
 	var incDefPol = d.Get("include_default_policies").(bool)
 	var enableAlksAccess = d.Get("enable_alks_access").(bool)
 	var rawTemplateFields = d.Get("template_fields").(map[string]interface{})
@@ -116,14 +123,26 @@ func resourceAlksIamRoleCreate(ctx context.Context, d *schema.ResourceData, meta
 
 	options := &alks.CreateIamRoleOptions{
 		RoleName:                    &roleName,
-		RoleType:                    &roleType,
 		IncludeDefaultPolicies:      &include,
 		AlksAccess:                  &enableAlksAccess,
 		TemplateFields:              &templateFields,
 		MaxSessionDurationInSeconds: &maxSessionDurationInSeconds,
 		Tags:                        &allTags,
 	}
 
+	if roleType, ok := d.GetOk("type"); ok {
+		roleTypeString := roleType.(string)
+		options.RoleType = &roleTypeString
+	} else {
+		trustPolicyString := d.Get("assume_role_policy").(string)
+
+		trustPolicy := new(map[string]interface{})
+
+		json.Unmarshal([]byte(trustPolicyString), trustPolicy)
+
+		options.TrustPolicy = trustPolicy
+	}
+
 	resp, err := client.CreateIamRole(options)
 	if err != nil {
 		return diag.FromErr(err)

resource_alks_iamrole_test.go

@@ -423,6 +423,43 @@ func testAccCheckAlksIamRoleAttributes(role *alks.IamRoleResponse) resource.Test
 	}
 }
 
+func TestIAMRole_RoleTypeAndTrustPolicyBothPresent(t *testing.T) {
+	var resp alks.IamRoleResponse
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAlksIamRoleDestroy(&resp),
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCheckAlksIamRoleBothRoleTypeAndTrustPolicyPresent,
+				ExpectError: regexp.MustCompile(".*Error: ExactlyOne.*"),
+			},
+		},
+	})
+}
+
+func TestIAMRole_OnlyTrustPolicyPresent(t *testing.T) {
+	var resp alks.IamRoleResponse
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAlksIamRoleDestroy(&resp),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckAlksIamRoleWithOnlyTrustPolicyPresent,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"alks_iamrole.both_type_and_trust_policy", "name", "both_type_and_trust_policy"),
+					resource.TestCheckResourceAttr(
+						"alks_iamrole.both_type_and_trust_policy", "include_default_policies", "false"),
+				),
+			},
+		},
+	})
+}
+
 const testAccCheckAlksIamRoleConfigBasic = `
   resource "alks_iamrole" "foo" {
     name = "bar430"
@@ -643,3 +680,44 @@ const testAccCheckAlksIamRoleConfigNameTooLong = `
 		include_default_policies = false
 	}
 `
+
+const testAccCheckAlksIamRoleBothRoleTypeAndTrustPolicyPresent = `
+	resource "alks_iamrole" "both_type_and_trust_policy" {
+		name                     = "both_type_and_trust_policy"
+		include_default_policies = false
+		type                     = "Amazon EC2"
+		trust_policy             = jsonencode({
+			Version = "2012-10-17",
+			Statement = [
+				{
+					Action = "sts:AssumeRole",
+					Effect = "Allow",
+					Principal = {
+						Service = "databrew.amazonaws.com"
+					},
+					Sid = ""
+				}
+			]
+		})
+	}
+`
+
+const testAccCheckAlksIamRoleWithOnlyTrustPolicyPresent = `
+	resource "alks_iamrole" "both_type_and_trust_policy" {
+		name                     = "both_type_and_trust_policy"
+		include_default_policies = false
+		assume_role_policy       = jsonencode({
+			Version = "2012-10-17",
+			Statement = [
+				{
+					Action = "sts:AssumeRole",
+					Effect = "Allow",
+					Principal = {
+						Service = "databrew.amazonaws.com"
+					},
+					Sid = ""
+				}
+			]
+		})
+	}
+`

vendor/modules.txt

@@ -8,7 +8,7 @@ cloud.google.com/go/internal/trace
 cloud.google.com/go/internal/version
 # cloud.google.com/go/storage v1.10.0
 cloud.google.com/go/storage
-# github.com/Cox-Automotive/alks-go v0.0.0-20220502192728-623c28f3b92b
+# github.com/Cox-Automotive/alks-go v0.0.0-20220610194553-5bc77030a1ba
 ## explicit
 github.com/Cox-Automotive/alks-go
 # github.com/agext/levenshtein v1.2.2