resource/aws_opsworks_permission: Prevent Unable to change own permission level error during self updates #11379

Merged
merged 1 commit into from
Jan 10, 2020
4 changes: 2 additions & 2 deletions aws/resource_aws_opsworks_permission.go
Expand Up @@ -116,8 +116,8 @@ func resourceAwsOpsworksSetPermission(d *schema.ResourceData, meta interface{})
StackId: aws.String(d.Get("stack_id").(string)),
}

if v, ok := d.GetOk("level"); ok {
req.Level = aws.String(v.(string))
if d.HasChange("level") {
req.Level = aws.String(d.Get("level").(string))
}

err := resource.Retry(2*time.Minute, func() *resource.RetryError {
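Review bot: With `d.HasChange("level")` replacing the `GetOk` guard, a `level` that is removed from the configuration (old value set, new value empty) now falls through to `d.Get("level")` and sends `Level: aws.String("")` in the request, where the previous code omitted the field for an unset value. If sending an empty level is not intended, keep the non-empty check inside the new condition: `if v, ok := d.GetOk("level"); ok && d.HasChange("level") { req.Level = aws.String(v.(string)) }`. A why-comment on the condition would also spare the next reader a trip to the tracker, e.g. `// Only send level when it changed; OpsWorks rejects a caller re-sending its own level (issue 4804).` resourceAwsOpsworksSetPermission begins and ends outside the hunk, so whether the create path shares this code cannot be confirmed here.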
149 changes: 149 additions & 0 deletions aws/resource_aws_opsworks_permission_test.go
Expand Up @@ -92,6 +92,37 @@ func TestAccAWSOpsworksPermission_basic(t *testing.T) {
})
}

// Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/4804
func TestAccAWSOpsworksPermission_Self(t *testing.T) {
var opsperm opsworks.Permission
rName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_opsworks_permission.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: nil, // Cannot delete own OpsWorks Permission
Steps: []resource.TestStep{
{
Config: testAccAwsOpsworksPermissionSelf(rName, true, true),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSOpsworksPermissionExists(resourceName, &opsperm),
resource.TestCheckResourceAttr(resourceName, "allow_ssh", "true"),
resource.TestCheckResourceAttr(resourceName, "allow_sudo", "true"),
),
},
{
Config: testAccAwsOpsworksPermissionSelf(rName, true, false),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSOpsworksPermissionExists(resourceName, &opsperm),
resource.TestCheckResourceAttr(resourceName, "allow_ssh", "true"),
resource.TestCheckResourceAttr(resourceName, "allow_sudo", "false"),
),
},
},
})
}

func testAccCheckAWSOpsworksPermissionExists(
n string, opsperm *opsworks.Permission) resource.TestCheckFunc {
return func(s *terraform.State) error {
Expand Down Expand Up @@ -173,6 +204,111 @@ func testAccCheckAwsOpsworksPermissionDestroy(s *terraform.State) error {
return nil
}

func testAccAwsOpsworksPermissionBase(rName string) string {
return fmt.Sprintf(`
data "aws_region" "current" {}

resource "aws_vpc" "test" {
cidr_block = "10.0.0.0/24"

tags = {
Name = "tf-acc-test-opsworks-permission"
}
}

resource "aws_subnet" "test" {
cidr_block = aws_vpc.test.cidr_block
vpc_id = aws_vpc.test.id

tags = {
Name = "tf-acc-test-opsworks-permissions"
}
}

resource "aws_opsworks_stack" "test" {
name = %[1]q
region = data.aws_region.current.name
vpc_id = aws_vpc.test.id
default_subnet_id = aws_subnet.test.id
service_role_arn = aws_iam_role.service.arn
default_instance_profile_arn = aws_iam_instance_profile.test.arn
default_os = "Amazon Linux 2016.09"
default_root_device_type = "ebs"
custom_json = "{\"key\": \"value\"}"
configuration_manager_version = "11.10"
use_opsworks_security_groups = false
}

resource "aws_iam_role" "service" {
name = "%[1]s-service"

assume_role_policy = <<EOT
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "opsworks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOT
}

resource "aws_iam_role_policy" "service" {
name = %[1]q
role = aws_iam_role.service.id

policy = <<EOT
{
"Statement": [
{
"Action": [
"ec2:*",
"iam:PassRole",
"cloudwatch:GetMetricStatistics",
"elasticloadbalancing:*",
"rds:*"
],
"Effect": "Allow",
"Resource": ["*"]
}
]
}
EOT
}

resource "aws_iam_role" "instance" {
name = "%[1]s-instance"

assume_role_policy = <<EOT
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOT
}

resource "aws_iam_instance_profile" "test" {
name = %[1]q
role = aws_iam_role.instance.name
}
`, rName)
}

func testAccAwsOpsworksPermissionCreate(name, ssh, sudo, level string) string {
return fmt.Sprintf(`
resource "aws_opsworks_permission" "tf-acc-perm" {
Expand All @@ -198,3 +334,16 @@ resource "aws_iam_user" "user" {

`, ssh, sudo, level, name, testAccAwsOpsworksStackConfigVpcCreate(name))
}

func testAccAwsOpsworksPermissionSelf(rName string, allowSsh bool, allowSudo bool) string {
return testAccAwsOpsworksPermissionBase(rName) + fmt.Sprintf(`
data "aws_caller_identity" "current" {}

resource "aws_opsworks_permission" "test" {
allow_ssh = %[1]t
allow_sudo = %[2]t
stack_id = aws_opsworks_stack.test.id
user_arn = data.aws_caller_identity.current.arn
}
`, allowSsh, allowSudo)
}
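Review bot: TestAccAWSOpsworksPermission_Self (first hunk of this file) never sets `level`, so the scenario the commit fixes — a self-update that re-sends an unchanged permission level — is only exercised if `level` is computed into state, which this page cannot confirm. A third step whose config sets the same explicit `level` as the step before it, with `allow_sudo` toggled, would pin the HasChange guard directly; that needs a `level` parameter on testAccAwsOpsworksPermissionSelf, which is why it is described rather than quoted here. `CheckDestroy: nil` is justified by its comment, but it also means the caller's own permission on the stack outlives the test run, which is worth stating in the test's doc comment so a failed run is not mistaken for a leak. The base fixture's service-role policy grants `ec2:*`, `elasticloadbalancing:*`, `rds:*` and `iam:PassRole` on `*`; if the test account is shared, scoping `iam:PassRole` to the instance role created in the same fixture would narrow what a misbehaving run can do.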