mongodb · marcosuma · May 2, 2024 · Apr 29, 2024 · Apr 29, 2024 · Apr 30, 2024
@@ -790,7 +790,7 @@ func configExportPolicies(info *acc.ClusterInfo, policyName, roleName, awsAccess
 					"Version": "2012-10-17",
 					"Statement": [
 					{
-						"Effect": "Allow",
+						"Effect": "Deny",
 						"Action": "*",
 						"Resource": "*"
 					}

@@ -75,7 +75,7 @@ resource "aws_iam_role_policy" "test_policy" {
     "Version": "2012-10-17",
     "Statement": [
       {
-        "Effect": "Allow",
+        "Effect": "Deny",
 		"Action": "*",
 		"Resource": "*"
       }

@@ -46,7 +46,7 @@ resource "aws_iam_role_policy" "test_policy" {
     "Version": "2012-10-17",
     "Statement": [
       {
-        "Effect": "Allow",
+        "Effect": "Deny",
 		"Action": "*",
 		"Resource": "*"
       }

@@ -54,7 +54,6 @@ func TestAccFederatedDatabaseInstanceDS_s3Bucket(t *testing.T) {
 		policyName        = acc.RandomName()
 		roleName          = acc.RandomIAMRole()
 		testS3Bucket      = os.Getenv("AWS_S3_BUCKET")
-		region            = "VIRGINIA_USA"
 		federatedInstance = admin.DataLakeTenant{}
 	)
 
@@ -65,7 +64,7 @@ func TestAccFederatedDatabaseInstanceDS_s3Bucket(t *testing.T) {
 			{
 				ExternalProviders:        acc.ExternalProvidersOnlyAWS(),
 				ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
-				Config:                   configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, region),
+				Config:                   configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket),
 				Check: resource.ComposeTestCheckFunc(
 					checkExists(resourceName, &federatedInstance),
 					checkAttributes(&federatedInstance, name),
@@ -105,8 +104,9 @@ func checkAttributes(dataFederatedInstance *admin.DataLakeTenant, name string) r
 	}
 }
 
-func configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, dataLakeRegion string) string {
+func configDSWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket string) string {
 	stepConfig := configDSFirstStepS3Bucket(name, testS3Bucket)
+	bucketResourceName := "arn:aws:s3:::" + testS3Bucket
 	return fmt.Sprintf(`
 resource "aws_iam_role_policy" "test_policy" {
   name = %[1]q
@@ -116,11 +116,20 @@ resource "aws_iam_role_policy" "test_policy" {
   {
     "Version": "2012-10-17",
     "Statement": [
-      {
-        "Effect": "Allow",
-		"Action": "*",
-		"Resource": "*"
-      }
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:GetObject",
+				"s3:ListBucket",
+				"s3:GetObjectVersion"
+			],
+			"Resource": "*"
+		},
+		{
+			"Effect": "Allow",
+			"Action": "s3:*",
+			"Resource": %[6]q
+		}
     ]
   }
   EOF
@@ -170,8 +179,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
    }
 }
 
-%s
-	`, policyName, roleName, projectName, orgID, stepConfig)
+%[5]s
+	`, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName)
 }
 func configDSFirstStepS3Bucket(name, testS3Bucket string) string {
 	return fmt.Sprintf(`

@@ -19,7 +19,6 @@ func TestAccFederatedDatabaseInstanceDSPlural_basic(t *testing.T) {
 		policyName   = acc.RandomName()
 		roleName     = acc.RandomIAMRole()
 		testS3Bucket = os.Getenv("AWS_S3_BUCKET")
-		region       = "VIRGINIA_USA"
 	)
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -29,7 +28,7 @@ func TestAccFederatedDatabaseInstanceDSPlural_basic(t *testing.T) {
 			{
 				ExternalProviders:        acc.ExternalProvidersOnlyAWS(),
 				ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
-				Config:                   configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket, region),
+				Config:                   configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrSet(resourceName, "project_id"),
 					resource.TestCheckResourceAttrSet(resourceName, "results.#"),
@@ -39,8 +38,9 @@ func TestAccFederatedDatabaseInstanceDSPlural_basic(t *testing.T) {
 	})
 }
 
-func configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket, dataLakeRegion string) string {
+func configDSPlural(policyName, roleName, projectName, orgID, firstName, secondName, testS3Bucket string) string {
 	stepConfig := configDSPluralFirstStep(firstName, secondName, testS3Bucket)
+	bucketResourceName := "arn:aws:s3:::" + testS3Bucket
 	return fmt.Sprintf(`
 resource "aws_iam_role_policy" "test_policy" {
   name = %[1]q
@@ -50,11 +50,20 @@ resource "aws_iam_role_policy" "test_policy" {
   {
     "Version": "2012-10-17",
     "Statement": [
-      {
-        "Effect": "Allow",
-		"Action": "*",
-		"Resource": "*"
-      }
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:GetObjectVersion"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": %[6]q
+        }
     ]
   }
   EOF
@@ -104,8 +113,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
    }
 }
 
-%s
-	`, policyName, roleName, projectName, orgID, stepConfig)
+%[5]s
+	`, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName)
 }
 func configDSPluralFirstStep(firstName, secondName, testS3Bucket string) string {
 	return fmt.Sprintf(`

@@ -77,7 +77,6 @@ func TestAccFederatedDatabaseInstance_s3bucket(t *testing.T) {
 		policyName   = acc.RandomName()
 		roleName     = acc.RandomIAMRole()
 		testS3Bucket = os.Getenv("AWS_S3_BUCKET")
-		region       = "VIRGINIA_USA"
 	)
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -87,7 +86,7 @@ func TestAccFederatedDatabaseInstance_s3bucket(t *testing.T) {
 			{
 				ExternalProviders:        acc.ExternalProvidersOnlyAWS(),
 				ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
-				Config:                   configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, region),
+				Config:                   configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrSet(resourceName, "project_id"),
 					resource.TestCheckResourceAttr(resourceName, "name", name),
@@ -269,8 +268,9 @@ func importStateIDFunc(resourceName string) resource.ImportStateIdFunc {
 	}
 }
 
-func configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket, dataLakeRegion string) string {
+func configWithS3Bucket(policyName, roleName, projectName, orgID, name, testS3Bucket string) string {
 	stepConfig := configFirstStepS3Bucket(name, testS3Bucket)
+	bucketResourceName := "arn:aws:s3:::" + testS3Bucket
 	return fmt.Sprintf(`
 resource "aws_iam_role_policy" "test_policy" {
   name = %[1]q
@@ -280,11 +280,20 @@ resource "aws_iam_role_policy" "test_policy" {
   {
     "Version": "2012-10-17",
     "Statement": [
-      {
-        "Effect": "Allow",
-		"Action": "*",
-		"Resource": "*"
-      }
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:GetObject",
+				"s3:ListBucket",
+				"s3:GetObjectVersion"
+			],
+			"Resource": "*"
+		},
+		{
+			"Effect": "Allow",
+			"Action": "s3:*",
+			"Resource": %[6]q
+		}
     ]
   }
   EOF
@@ -334,8 +343,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
    }
 }
 
-%s
-	`, policyName, roleName, projectName, orgID, stepConfig)
+%[5]s
+	`, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName)
 }
 
 func configFirstStepS3Bucket(name, testS3Bucket string) string {

@@ -71,6 +71,7 @@ func basicTestCase(tb testing.TB) *resource.TestCase {
 
 func configBasic(policyName, roleName, projectName, orgID, name, testS3Bucket string) string {
 	stepConfig := configFirstStep(name, testS3Bucket)
+	bucketResourceName := "arn:aws:s3:::" + testS3Bucket
 	return fmt.Sprintf(`
 resource "aws_iam_role_policy" "test_policy" {
   name = %[1]q
@@ -80,11 +81,20 @@ resource "aws_iam_role_policy" "test_policy" {
   {
     "Version": "2012-10-17",
     "Statement": [
-      {
-        "Effect": "Allow",
-		"Action": "*",
-		"Resource": "*"
-      }
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:GetObjectVersion"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": %[6]q
+        }
     ]
   }
   EOF
@@ -134,8 +144,8 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
    }
 }
 
-%s
-	`, policyName, roleName, projectName, orgID, stepConfig)
+%[5]s
+    `, policyName, roleName, projectName, orgID, stepConfig, bucketResourceName)
 }
 
 func configFirstStep(name, testS3Bucket string) string {
@@ -214,7 +224,7 @@ data "mongodbatlas_federated_query_limits" "test" {
 	project_id = mongodbatlas_project.test_project.id
 	tenant_name = mongodbatlas_federated_database_instance.db_instance.name
 }
-	`, name, testS3Bucket)
+    `, name, testS3Bucket)
 }
 
 func importStateIDFunc(resourceName string) resource.ImportStateIdFunc {

@@ -122,7 +122,7 @@ func configBasic(projectID, s3BucketName1, s3BucketName2, s3BucketPolicyName, aw
 
 			   %[8]s		
 	`, projectID, s3BucketName1, s3BucketName2, s3BucketPolicyName, awsIAMRoleName, awsIAMRolePolicyName,
-		awsIAMroleAuthAndS3Config(), pushBasedLogExportConfig(false, usePrefixPath, prefixPath))
+		awsIAMroleAuthAndS3Config(s3BucketName1, s3BucketName2), pushBasedLogExportConfig(false, usePrefixPath, prefixPath))
 	return test
 }
 
@@ -141,7 +141,7 @@ func configBasicUpdated(projectID, s3BucketName1, s3BucketName2, s3BucketPolicyN
 
 			   %[8]s
 	`, projectID, s3BucketName1, s3BucketName2, s3BucketPolicyName, awsIAMRoleName, awsIAMRolePolicyName,
-		awsIAMroleAuthAndS3Config(), pushBasedLogExportConfig(true, usePrefixPath, prefixPath)) // updating the S3 bucket to use for push-based log config
+		awsIAMroleAuthAndS3Config(s3BucketName1, s3BucketName2), pushBasedLogExportConfig(true, usePrefixPath, prefixPath)) // updating the S3 bucket to use for push-based log config
 	return test
 }
 
@@ -184,8 +184,10 @@ func pushBasedLogExportDataSourceConfig() string {
 
 // awsIAMroleAuthAndS3Config returns config for required IAM roles and authorizes them (sets up cloud provider access) with a mongodbatlas_project
 // This method also creates two S3 buckets and sets up required access policy for them
-func awsIAMroleAuthAndS3Config() string {
-	return `
+func awsIAMroleAuthAndS3Config(firstBucketName, secondBucketName string) string {
+	firstBucketResourceName := "arn:aws:s3:::" + firstBucketName
+	secondBucketResourceName := "arn:aws:s3:::" + secondBucketName
+	return fmt.Sprintf(`
 		// Create IAM role & policy to authorize with Atlas
 resource "aws_iam_role_policy" "test_policy" {
   name = local.aws_iam_role_policy_name
@@ -197,8 +199,20 @@ resource "aws_iam_role_policy" "test_policy" {
     "Statement": [
       {
         "Effect": "Allow",
-		"Action": "*",
-		"Resource": "*"
+        "Action": [
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:GetObjectVersion"
+        ],
+        "Resource": "*"
+      },
+      {
+       "Effect": "Allow",
+        "Action": "s3:*",
+        "Resource": [
+          %[1]q,
+          %[2]q
+        ]
       }
     ]
   }
@@ -291,7 +305,7 @@ resource "aws_iam_role_policy" "s3_bucket_policy" {
   }
   EOF
 }
-		`
+		`, firstBucketResourceName, secondBucketResourceName)
 }
 
 func checkDestroy(state *terraform.State) error {

@@ -4,7 +4,6 @@ set -Eeou pipefail
 
 # This script uses aws sts assume-role to generate temporary credentials
 # and outputs them in $GITHUB_OUTPUT so those can be used in other workflow jobs.
-# role-arn = arn:aws:iam::358363220050:role/terraform-provider-mongodbatlas-acceptancetests
 
 # Define a function to convert a string to lowercase
 function to_lowercase() {