Add role and policy creation to dw acceptance test

Use the default role to create an environment and DW cluster. The AWS policy is queried via CLI.
cloudera · Nov 4, 2024 · c766e42 · c766e42
1 parent 34b0612
commit c766e42
Show file tree

Hide file tree

Showing 2 changed files with 148 additions and 11 deletions.
diff --git a/cdpacctest/acctest.go b/cdpacctest/acctest.go
@@ -11,7 +11,11 @@
 package cdpacctest
 
 import (
+	"encoding/base64"
 	"fmt"
+	environmentoperations "github.com/cloudera/terraform-provider-cdp/cdp-sdk-go/gen/environments/client/operations"
+	environmentsmodels "github.com/cloudera/terraform-provider-cdp/cdp-sdk-go/gen/environments/models"
+	"github.com/stretchr/testify/assert"
 	"math/rand"
 	"os"
 	"regexp"
@@ -50,6 +54,11 @@ var (
 			VersionConstraint: "~> 3.4",
 		},
 	}
+	TimeExternalProvider = map[string]resource.ExternalProvider{
+		"time": {
+			Source: "hashicorp/time",
+		},
+	}
 
 	cdpClientOnce sync.Once
 	cdpClient     *cdp.Client
@@ -95,11 +104,25 @@ provider "cdp" {
 `
 }
 
-func TestAccAwsProviderConfig() string {
-	return `
-provider "aws" {
+type awsProvider struct {
+	Profile string
+	Region  string
 }
-`
+
+func NewAwsProvider(profile, region string) awsProvider {
+	return awsProvider{
+		Profile: profile,
+		Region:  region,
+	}
+}
+
+func TestAccAwsProviderConfig(p awsProvider) string {
+	return fmt.Sprintf(`
+		provider "aws" {
+		  profile = %[1]q
+		  region  = %[2]q
+		}
+`, p.Profile, p.Region)
 }
 
 // CheckCrn Checks whether the value is set and is a properly formatted CRN
@@ -126,3 +149,97 @@ func GetCdpClientForAccTest() *cdp.Client {
 	})
 	return cdpClient
 }
+
+type awsAccountCredentials struct {
+	Name          string
+	AccountID     string
+	ExternalID    string
+	DefaultPolicy string
+}
+
+func NewAwsAccountCredentials(name string) awsAccountCredentials {
+	return awsAccountCredentials{
+		Name: name,
+	}
+}
+
+func getEnvironmentPrerequisites(t *testing.T, cloudPlatform string) *environmentsmodels.GetCredentialPrerequisitesResponse {
+	params := environmentoperations.NewGetCredentialPrerequisitesParams()
+	params.WithInput(&environmentsmodels.GetCredentialPrerequisitesRequest{
+		CloudPlatform: &cloudPlatform,
+	})
+	client := GetCdpClientForAccTest()
+	response, err := client.Environments.Operations.GetCredentialPrerequisites(params)
+	assert.Nil(t, err)
+	payload := response.GetPayload()
+	assert.NotNil(t, payload)
+	return payload
+}
+
+func (a *awsAccountCredentials) WithPolicy(t *testing.T) {
+	payload := getEnvironmentPrerequisites(t, "AWS")
+	assert.NotNil(t, payload)
+	decodedBytes, err := base64.StdEncoding.DecodeString(*payload.Aws.PolicyJSON)
+	assert.Nil(t, err)
+	a.DefaultPolicy = string(decodedBytes)
+}
+
+func (a *awsAccountCredentials) WithExternalID(t *testing.T) {
+	payload := getEnvironmentPrerequisites(t, "AWS")
+	assert.NotNil(t, payload)
+	a.ExternalID = *payload.Aws.ExternalID
+}
+
+func (a *awsAccountCredentials) WithAccountID(t *testing.T) {
+	payload := getEnvironmentPrerequisites(t, "AWS")
+	assert.NotNil(t, payload)
+	a.AccountID = payload.AccountID
+}
+
+func CreateDefaultRoleAndPolicy(p awsAccountCredentials) string {
+	return fmt.Sprintf(`
+		resource "aws_iam_role" "cdp_test_role" {
+		  name = "%[1]s-role"
+		
+		  assume_role_policy = <<EOF
+		{
+			"Version": "2012-10-17",
+			"Statement": [
+				{
+					"Sid": "Statement1",
+					"Effect": "Allow",
+					"Principal": {
+						"AWS": "arn:aws:iam::%[2]s:root"
+					},
+					"Action": "sts:AssumeRole",
+					"Condition": {
+						"StringEquals": {
+							"sts:ExternalId": %[3]q
+						}
+					}
+				}
+			]
+		}
+		EOF
+		
+		  tags = {
+			owner = "[email protected]"
+		  }
+		}
+
+		resource "aws_iam_policy" "cdp_test_policy" {
+		  name        = "%[1]s-policy"
+		  description = "DefaultCBPolicy for CDP, replace the static file with a CLI call"
+		
+		  policy = <<EOF
+		  %[4]s
+		EOF
+		}
+
+		resource "aws_iam_policy_attachment" "test-attach" {
+		  name       = "test_attachment"
+		  roles      = [aws_iam_role.cdp_test_role.name]
+		  policy_arn = aws_iam_policy.cdp_test_policy.arn
+		}
+		`, p.Name, p.AccountID, p.ExternalID, p.DefaultPolicy)
+}
diff --git a/resources/dw/resource_dw_acc_test.go b/resources/dw/resource_dw_acc_test.go
@@ -28,6 +28,7 @@ import (
 )
 
 const (
+	AwsProfile             = "ACCEPTANCETEST_AWS_PROFILE"
 	AwsXAccRoleArn         = "ACCEPTANCETEST_AWS_X_ACC_ROLE_ARN"
 	AwsRegion              = "ACCEPTANCETEST_AWS_REGION"
 	AwsPublicKeyId         = "ACCEPTANCETEST_AWS_PUBLIC_KEY_ID"
@@ -99,6 +100,11 @@ func AwsDataLakePreCheck(t *testing.T) {
 
 func TestAccCluster_basic(t *testing.T) {
 	credName := acctest.RandomWithPrefix(cdpacctest.ResourcePrefix)
+	awsProvider := cdpacctest.NewAwsProvider(os.Getenv(AwsProfile), os.Getenv(AwsRegion))
+	accountParams := cdpacctest.NewAwsAccountCredentials(cdpacctest.RandomShortWithPrefix(cdpacctest.ResourcePrefix))
+	accountParams.WithAccountID(t)
+	accountParams.WithExternalID(t)
+	accountParams.WithPolicy(t)
 	envParams := awsEnvironmentTestParameters{
 		Name:                cdpacctest.RandomShortWithPrefix(cdpacctest.ResourcePrefix),
 		Region:              os.Getenv(AwsRegion),
@@ -123,13 +129,18 @@ func TestAccCluster_basic(t *testing.T) {
 			AwsDataLakePreCheck(t)
 		},
 		ProtoV6ProviderFactories: cdpacctest.TestAccProtoV6ProviderFactories,
-		CheckDestroy:             testCheckClusterDestroy,
+		ExternalProviders: cdpacctest.ConcatExternalProviders(
+			cdpacctest.AwsExternalProvider,
+			cdpacctest.TimeExternalProvider,
+		),
+		CheckDestroy: testCheckClusterDestroy,
 		Steps: []resource.TestStep{
 			// Create and Read testing
 			{
 				Config: utils.Concat(
-					cdpacctest.TestAccCdpProviderConfig(),
-					testAccAwsCredentialBasicConfig(credName, os.Getenv(AwsXAccRoleArn)),
+					cdpacctest.CreateDefaultRoleAndPolicy(accountParams),
+					cdpacctest.TestAccAwsProviderConfig(awsProvider),
+					testAccAwsCredentialBasicConfig(credName),
 					testAccAwsEnvironmentConfig(&envParams),
 					testAccAwsDataLakeConfig(&dlParams),
 					testAccAwsClusterBasicConfig(&envParams),
@@ -145,12 +156,21 @@ func TestAccCluster_basic(t *testing.T) {
 	})
 }
 
-func testAccAwsCredentialBasicConfig(name string, roleArn string) string {
+func testAccAwsCredentialBasicConfig(name string) string {
+	// Wait for the IAM policy attachment to be created before creating the credential, after a couple of seconds,
+	// the CDP credential creation fails, the privileges are not yet available.
 	return fmt.Sprintf(`
+		resource "time_sleep" "wait_10_seconds" {
+		  depends_on = [aws_iam_policy_attachment.test-attach]
+		  create_duration = "10s"
+		}
+		
 		resource "cdp_environments_aws_credential" "test_cred" {
-		  credential_name = %[1]q
-		  role_arn        = %[2]q
-		}`, name, roleArn)
+		  credential_name = "%[1]s-cred"
+		  role_arn        = aws_iam_role.cdp_test_role.arn
+		  depends_on = [time_sleep.wait_10_seconds]
+		}
+`, name)
 }
 
 func testAccAwsEnvironmentConfig(envParams *awsEnvironmentTestParameters) string {