diff --git a/internal/service/cloudbackupschedule/resource_cloud_backup_schedule_test.go b/internal/service/cloudbackupschedule/resource_cloud_backup_schedule_test.go index 6a8220f730..b6dcc05229 100644 --- a/internal/service/cloudbackupschedule/resource_cloud_backup_schedule_test.go +++ b/internal/service/cloudbackupschedule/resource_cloud_backup_schedule_test.go @@ -790,7 +790,7 @@ func configExportPolicies(info *acc.ClusterInfo, policyName, roleName, awsAccess "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", + "Effect": "Deny", "Action": "*", "Resource": "*" } diff --git a/internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization_test.go b/internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization_test.go index bf1791afba..c1be438cd5 100644 --- a/internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization_test.go +++ b/internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization_test.go @@ -75,7 +75,7 @@ resource "aws_iam_role_policy" "test_policy" { "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", + "Effect": "Deny", "Action": "*", "Resource": "*" } diff --git a/internal/service/encryptionatrest/resource_encryption_at_rest_test.go b/internal/service/encryptionatrest/resource_encryption_at_rest_test.go index 639253046d..4392b8d8cc 100644 --- a/internal/service/encryptionatrest/resource_encryption_at_rest_test.go +++ b/internal/service/encryptionatrest/resource_encryption_at_rest_test.go @@ -46,7 +46,7 @@ resource "aws_iam_role_policy" "test_policy" { "Version": "2012-10-17", "Statement": [ { - "Effect": "Allow", + "Effect": "Deny", "Action": "*", "Resource": "*" } diff --git a/internal/service/federateddatabaseinstance/data_source_federated_database_instance_test.go b/internal/service/federateddatabaseinstance/data_source_federated_database_instance_test.go index 57b6e1b42d..a5372ac97f 100644 --- a/internal/service/federateddatabaseinstance/data_source_federated_database_instance_test.go +++ b/internal/service/federateddatabaseinstance/data_source_federated_database_instance_test.go @@ -54,7 +54,6 @@ func TestAccFederatedDatabaseInstanceDS_s3Bucket(t *testing.T) { policyName = acc.RandomName() roleName = acc.RandomIAMRole() testS3Bucket = os.Getenv("AWS_S3_BUCKET") - region = "VIRGINIA_USA" federatedInstance = admin.DataLakeTenant{} ) @@ -65,7 +64,7 @@ func TestAccFederatedDatabaseInstanceDS_s3Bucket(t *testing.T) { { ExternalProviders: acc.ExternalProvidersOnlyAWS(), ProtoV6ProviderFactories: acc.TestAccProviderV6Factories, - Config: configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, region), + Config: configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket), Check: resource.ComposeTestCheckFunc( checkExists(resourceName, &federatedInstance), checkAttributes(&federatedInstance, name), @@ -105,8 +104,9 @@ func checkAttributes(dataFederatedInstance *admin.DataLakeTenant, name string) r } } -func configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, dataLakeRegion string) string { +func configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket string) string { stepConfig := configDSFirstStepS3Bucket(name, testS3Bucket) + bucketResourceName := "arn:aws:s3:::" + testS3Bucket return fmt.Sprintf(` resource "aws_iam_role_policy" "test_policy" { name = %[1]q @@ -116,11 +116,20 @@ resource "aws_iam_role_policy" "test_policy" { { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetObjectVersion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": %[6]q + } ] } EOF @@ -170,8 +179,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { } } -%s - `, policyName, roleName, projectName, orgID, stepConfig) +%[5]s + `, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName) } func configDSFirstStepS3Bucket(name, testS3Bucket string) string { return fmt.Sprintf(` diff --git a/internal/service/federateddatabaseinstance/data_source_federated_database_instances_test.go b/internal/service/federateddatabaseinstance/data_source_federated_database_instances_test.go index 049988fd6c..5d2d7ff9c0 100644 --- a/internal/service/federateddatabaseinstance/data_source_federated_database_instances_test.go +++ b/internal/service/federateddatabaseinstance/data_source_federated_database_instances_test.go @@ -19,7 +19,6 @@ func TestAccFederatedDatabaseInstanceDSPlural_basic(t *testing.T) { policyName = acc.RandomName() roleName = acc.RandomIAMRole() testS3Bucket = os.Getenv("AWS_S3_BUCKET") - region = "VIRGINIA_USA" ) resource.ParallelTest(t, resource.TestCase{ @@ -29,7 +28,7 @@ func TestAccFederatedDatabaseInstanceDSPlural_basic(t *testing.T) { { ExternalProviders: acc.ExternalProvidersOnlyAWS(), ProtoV6ProviderFactories: acc.TestAccProviderV6Factories, - Config: configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket, region), + Config: configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttrSet(resourceName, "project_id"), resource.TestCheckResourceAttrSet(resourceName, "results.#"), @@ -39,8 +38,9 @@ func TestAccFederatedDatabaseInstanceDSPlural_basic(t *testing.T) { }) } -func configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket, dataLakeRegion string) string { +func configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket string) string { stepConfig := configDSPluralFirstStep(firstName, secondName, testS3Bucket) + bucketResourceName := "arn:aws:s3:::" + testS3Bucket return fmt.Sprintf(` resource "aws_iam_role_policy" "test_policy" { name = %[1]q @@ -50,11 +50,20 @@ resource "aws_iam_role_policy" "test_policy" { { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetObjectVersion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": %[6]q + } ] } EOF @@ -104,8 +113,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { } } -%s - `, policyName, roleName, projectName, orgID, stepConfig) +%[5]s + `, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName) } func configDSPluralFirstStep(firstName, secondName, testS3Bucket string) string { return fmt.Sprintf(` diff --git a/internal/service/federateddatabaseinstance/resource_federated_database_instance_test.go b/internal/service/federateddatabaseinstance/resource_federated_database_instance_test.go index 7abb408ed2..91f642aec7 100644 --- a/internal/service/federateddatabaseinstance/resource_federated_database_instance_test.go +++ b/internal/service/federateddatabaseinstance/resource_federated_database_instance_test.go @@ -77,7 +77,6 @@ func TestAccFederatedDatabaseInstance_s3bucket(t *testing.T) { policyName = acc.RandomName() roleName = acc.RandomIAMRole() testS3Bucket = os.Getenv("AWS_S3_BUCKET") - region = "VIRGINIA_USA" ) resource.ParallelTest(t, resource.TestCase{ @@ -87,7 +86,7 @@ func TestAccFederatedDatabaseInstance_s3bucket(t *testing.T) { { ExternalProviders: acc.ExternalProvidersOnlyAWS(), ProtoV6ProviderFactories: acc.TestAccProviderV6Factories, - Config: configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, region), + Config: configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttrSet(resourceName, "project_id"), resource.TestCheckResourceAttr(resourceName, "name", name), @@ -269,8 +268,9 @@ func importStateIDFunc(resourceName string) resource.ImportStateIdFunc { } } -func configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, dataLakeRegion string) string { +func configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket string) string { stepConfig := configFirstStepS3Bucket(name, testS3Bucket) + bucketResourceName := "arn:aws:s3:::" + testS3Bucket return fmt.Sprintf(` resource "aws_iam_role_policy" "test_policy" { name = %[1]q @@ -280,11 +280,20 @@ resource "aws_iam_role_policy" "test_policy" { { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetObjectVersion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": %[6]q + } ] } EOF @@ -334,8 +343,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { } } -%s - `, policyName, roleName, projectName, orgID, stepConfig) +%[5]s + `, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName) } func configFirstStepS3Bucket(name, testS3Bucket string) string { diff --git a/internal/service/federatedquerylimit/resource_federated_query_limit_test.go b/internal/service/federatedquerylimit/resource_federated_query_limit_test.go index a4b667d18a..d973afd0c6 100644 --- a/internal/service/federatedquerylimit/resource_federated_query_limit_test.go +++ b/internal/service/federatedquerylimit/resource_federated_query_limit_test.go @@ -71,6 +71,7 @@ func basicTestCase(tb testing.TB) *resource.TestCase { func configBasic(policyName, roleName, projectName, orgID, name, testS3Bucket string) string { stepConfig := configFirstStep(name, testS3Bucket) + bucketResourceName := "arn:aws:s3:::" + testS3Bucket return fmt.Sprintf(` resource "aws_iam_role_policy" "test_policy" { name = %[1]q @@ -80,11 +81,20 @@ resource "aws_iam_role_policy" "test_policy" { { "Version": "2012-10-17", "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetObjectVersion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": %[6]q + } ] } EOF @@ -134,8 +144,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { } } -%s - `, policyName, roleName, projectName, orgID, stepConfig) +%[5]s + `, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName) } func configFirstStep(name, testS3Bucket string) string { @@ -214,7 +224,7 @@ data "mongodbatlas_federated_query_limits" "test" { project_id = mongodbatlas_project.test_project.id tenant_name = mongodbatlas_federated_database_instance.db_instance.name } - `, name, testS3Bucket) + `, name, testS3Bucket) } func importStateIDFunc(resourceName string) resource.ImportStateIdFunc { diff --git a/internal/service/pushbasedlogexport/resource_test.go b/internal/service/pushbasedlogexport/resource_test.go index 2d74b95885..caf4882f7d 100644 --- a/internal/service/pushbasedlogexport/resource_test.go +++ b/internal/service/pushbasedlogexport/resource_test.go @@ -122,7 +122,7 @@ func configBasic(projectID, s3BucketName1, s3BucketName2, s3BucketPolicyName, aw %[8]s `, projectID, s3BucketName1, s3BucketName2, s3BucketPolicyName, awsIAMRoleName, awsIAMRolePolicyName, - awsIAMroleAuthAndS3Config(), pushBasedLogExportConfig(false, usePrefixPath, prefixPath)) + awsIAMroleAuthAndS3Config(s3BucketName1, s3BucketName2), pushBasedLogExportConfig(false, usePrefixPath, prefixPath)) return test } @@ -141,7 +141,7 @@ func configBasicUpdated(projectID, s3BucketName1, s3BucketName2, s3BucketPolicyN %[8]s `, projectID, s3BucketName1, s3BucketName2, s3BucketPolicyName, awsIAMRoleName, awsIAMRolePolicyName, - awsIAMroleAuthAndS3Config(), pushBasedLogExportConfig(true, usePrefixPath, prefixPath)) // updating the S3 bucket to use for push-based log config + awsIAMroleAuthAndS3Config(s3BucketName1, s3BucketName2), pushBasedLogExportConfig(true, usePrefixPath, prefixPath)) // updating the S3 bucket to use for push-based log config return test } @@ -184,8 +184,10 @@ func pushBasedLogExportDataSourceConfig() string { // awsIAMroleAuthAndS3Config returns config for required IAM roles and authorizes them (sets up cloud provider access) with a mongodbatlas_project // This method also creates two S3 buckets and sets up required access policy for them -func awsIAMroleAuthAndS3Config() string { - return ` +func awsIAMroleAuthAndS3Config(firstBucketName, secondBucketName string) string { + firstBucketResourceName := "arn:aws:s3:::" + firstBucketName + secondBucketResourceName := "arn:aws:s3:::" + secondBucketName + return fmt.Sprintf(` // Create IAM role & policy to authorize with Atlas resource "aws_iam_role_policy" "test_policy" { name = local.aws_iam_role_policy_name @@ -197,8 +199,20 @@ resource "aws_iam_role_policy" "test_policy" { "Statement": [ { "Effect": "Allow", - "Action": "*", - "Resource": "*" + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetObjectVersion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": [ + %[1]q, + %[2]q + ] } ] } @@ -291,7 +305,7 @@ resource "aws_iam_role_policy" "s3_bucket_policy" { } EOF } - ` + `, firstBucketResourceName, secondBucketResourceName) } func checkDestroy(state *terraform.State) error { diff --git a/scripts/generate-credentials-with-sts-assume-role.sh b/scripts/generate-credentials-with-sts-assume-role.sh index ace65dc596..38de0bce99 100755 --- a/scripts/generate-credentials-with-sts-assume-role.sh +++ b/scripts/generate-credentials-with-sts-assume-role.sh @@ -4,7 +4,6 @@ set -Eeou pipefail # This script uses aws sts assume-role to generate temporary credentials # and outputs them in $GITHUB_OUTPUT so those can be used in other workflow jobs. -# role-arn = arn:aws:iam::358363220050:role/terraform-provider-mongodbatlas-acceptancetests # Define a function to convert a string to lowercase function to_lowercase() {