Implementing aws_ami_launch_permission.

hashicorp · Jun 27, 2016 · 7837786 · 7837786
1 parent b68eca5
commit 7837786
Show file tree

Hide file tree

Showing 5 changed files with 277 additions and 0 deletions.
diff --git a/builtin/providers/aws/provider.go b/builtin/providers/aws/provider.go
@@ -121,6 +121,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_ami":                                      resourceAwsAmi(),
 			"aws_ami_copy":                                 resourceAwsAmiCopy(),
 			"aws_ami_from_instance":                        resourceAwsAmiFromInstance(),
+			"aws_ami_launch_permission":                    resourceAwsAmiLaunchPermission(),
 			"aws_api_gateway_account":                      resourceAwsApiGatewayAccount(),
 			"aws_api_gateway_api_key":                      resourceAwsApiGatewayApiKey(),
 			"aws_api_gateway_authorizer":                   resourceAwsApiGatewayAuthorizer(),

diff --git a/builtin/providers/aws/resource_aws_ami_launch_permission.go b/builtin/providers/aws/resource_aws_ami_launch_permission.go
@@ -0,0 +1,104 @@
+package aws
+
+import (
+	"fmt"
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsAmiLaunchPermission() *schema.Resource {
+	return &schema.Resource{
+		Exists: resourceAwsAmiLaunchPermissionExists,
+		Create: resourceAwsAmiLaunchPermissionCreate,
+		Read:   resourceAwsAmiLaunchPermissionRead,
+		Delete: resourceAwsAmiLaunchPermissionDelete,
+
+		Schema: map[string]*schema.Schema{
+			"image_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"account_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsAmiLaunchPermissionExists(d *schema.ResourceData, meta interface{}) (bool, error) {
+	conn := meta.(*AWSClient).ec2conn
+
+	image_id := d.Get("image_id").(string)
+	account_id := d.Get("account_id").(string)
+	return hasLaunchPermission(conn, image_id, account_id)
+}
+
+func resourceAwsAmiLaunchPermissionCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ec2conn
+
+	image_id := d.Get("image_id").(string)
+	account_id := d.Get("account_id").(string)
+
+	_, err := conn.ModifyImageAttribute(&ec2.ModifyImageAttributeInput{
+		ImageId:   aws.String(image_id),
+		Attribute: aws.String("launchPermission"),
+		LaunchPermission: &ec2.LaunchPermissionModifications{
+			Add: []*ec2.LaunchPermission{
+				&ec2.LaunchPermission{UserId: aws.String(account_id)},
+			},
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("error creating ami launch permission: %s", err)
+	}
+
+	d.SetId(fmt.Sprintf("%s-%s", image_id, account_id))
+	return nil
+}
+
+func resourceAwsAmiLaunchPermissionRead(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
+
+func resourceAwsAmiLaunchPermissionDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ec2conn
+
+	image_id := d.Get("image_id").(string)
+	account_id := d.Get("account_id").(string)
+
+	_, err := conn.ModifyImageAttribute(&ec2.ModifyImageAttributeInput{
+		ImageId:   aws.String(image_id),
+		Attribute: aws.String("launchPermission"),
+		LaunchPermission: &ec2.LaunchPermissionModifications{
+			Remove: []*ec2.LaunchPermission{
+				&ec2.LaunchPermission{UserId: aws.String(account_id)},
+			},
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("error removing ami launch permission: %s", err)
+	}
+
+	return nil
+}
+
+func hasLaunchPermission(conn *ec2.EC2, image_id string, account_id string) (bool, error) {
+	attrs, err := conn.DescribeImageAttribute(&ec2.DescribeImageAttributeInput{
+		ImageId:   aws.String(image_id),
+		Attribute: aws.String("launchPermission"),
+	})
+	if err != nil {
+		return false, err
+	}
+
+	for _, lp := range attrs.LaunchPermissions {
+		if *lp.UserId == account_id {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff --git a/builtin/providers/aws/resource_aws_ami_launch_permission_test.go b/builtin/providers/aws/resource_aws_ami_launch_permission_test.go
@@ -0,0 +1,136 @@
+package aws
+
+import (
+	"fmt"
+	"github.com/aws/aws-sdk-go/service/sts"
+	r "github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+	"testing"
+)
+
+type testLaunchPermission struct {
+	ImageID   string
+	AccountID string
+}
+
+func TestAccAWSAMILaunchPermission_Basic(t *testing.T) {
+	tlp := &testLaunchPermission{}
+	r.Test(t, r.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			conn := testAccProvider.Meta().(*AWSClient).stsconn
+			res, err := conn.GetCallerIdentity(&sts.GetCallerIdentityInput{})
+			if err != nil {
+				t.Fatalf("could not initialize ami launch permission test: %s", err)
+			}
+			tlp.AccountID = *res.Account
+		},
+		Providers: testAccProviders,
+		Steps: []r.TestStep{
+			r.TestStep{
+				Config: testAccAWSAMILaunchPermissionConfig(tlp),
+				Check: r.ComposeTestCheckFunc(
+					testCheckResourceGetAttr("aws_ami_from_instance", "id", &tlp.AccountID),
+					testAccAWSAMILaunchPermissionExists(tlp),
+				),
+			},
+		},
+		CheckDestroy: testAccAWSAMILaunchPermissionDestroyed(tlp),
+	})
+}
+
+func testCheckResourceGetAttr(name, key string, value *string) r.TestCheckFunc {
+	return func(s *terraform.State) error {
+		ms := s.RootModule()
+		rs, ok := ms.Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		is := rs.Primary
+		if is == nil {
+			return fmt.Errorf("No primary instance: %s", name)
+		}
+
+		*value = is.Attributes[key]
+		return nil
+	}
+}
+
+func testAccAWSAMILaunchPermissionExists(tlp *testLaunchPermission) r.TestCheckFunc {
+	return func(s *terraform.State) error {
+		conn := testAccProvider.Meta().(*AWSClient).ec2conn
+		if has, err := hasLaunchPermission(conn, tlp.ImageID, tlp.AccountID); err != nil {
+			return err
+		} else if !has {
+			return fmt.Errorf("launch permission does not exist for '%s' on '%s'", tlp.AccountID, tlp.ImageID)
+		}
+		return nil
+	}
+}
+
+func testAccAWSAMILaunchPermissionDestroyed(tlp *testLaunchPermission) r.TestCheckFunc {
+	return func(s *terraform.State) error {
+		conn := testAccProvider.Meta().(*AWSClient).ec2conn
+		if has, err := hasLaunchPermission(conn, tlp.ImageID, tlp.AccountID); err != nil {
+			return err
+		} else if has {
+			return fmt.Errorf("launch permission still exists for '%s' on '%s'", tlp.AccountID, tlp.ImageID)
+		}
+		return nil
+	}
+}
+
+func testAccAWSAMILaunchPermissionConfig(tlp *testLaunchPermission) string {
+	return fmt.Sprintf(`
+provider "aws" {
+	region = "us-east-1"
+}
+
+// We don't have an AMI to use, so we can scaffold one on-the-fly
+//  - Spin up an EC2 instance based on a public AMI
+//  - Create an AMI by snapshotting that EC2 instance, using
+//    aws_ami_from_instance .
+//  - Attach aws_ami_launch_permission to resulting AMI
+//
+// Thus this test can only succeed if the aws_ami_from_instance resource
+// is working. If it's misbehaving it will likely cause this test to fail too.
+
+// Since we're booting a t2.micro HVM instance we need a VPC for it to boot
+// up into.
+
+resource "aws_vpc" "foo" {
+	cidr_block = "10.2.0.0/16"
+}
+
+resource "aws_subnet" "foo" {
+	cidr_block = "10.2.1.0/24"
+	vpc_id = "${aws_vpc.foo.id}"
+}
+
+resource "aws_instance" "test" {
+    // This AMI has one block device mapping, so we expect to have
+    // one snapshot in our created AMI.
+    // This is an Ubuntu Linux HVM AMI. A public HVM AMI is required
+    // because paravirtual images cannot be copied between accounts.
+    ami = "ami-0f8bce65"
+    instance_type = "t2.micro"
+    tags {
+        Name = "terraform-acc-ami-launch-permission-victim"
+    }
+
+    subnet_id = "${aws_subnet.foo.id}"
+}
+
+resource "aws_ami_from_instance" "test" {
+    name = "terraform-acc-ami-launch-permission-victim"
+    description = "Testing Terraform aws_ami_from_instance resource"
+    source_instance_id = "${aws_instance.test.id}"
+}
+
+resource "aws_ami_launch_permission" "self-test" {
+    image_id   = "${aws_ami_from_instance.test.id}"
+    account_id = "%s"
+}
+`, tlp.AccountID)
+}
diff --git a/website/source/docs/providers/aws/r/ami.html.markdown b/website/source/docs/providers/aws/r/ami.html.markdown
@@ -14,6 +14,9 @@ The AMI resource allows the creation and management of a completely-custom
 If you just want to duplicate an existing AMI, possibly copying it to another
 region, it's better to use `aws_ami_copy` instead.
 
+If you just want to share an existing AMI with another AWS account,
+it's better to use `aws_ami_launch_permission` instead.
+
 ## Example Usage
 
 ```

diff --git a/website/source/docs/providers/aws/r/ami_launch_permission.html.markdown b/website/source/docs/providers/aws/r/ami_launch_permission.html.markdown
@@ -0,0 +1,33 @@
+---
+layout: "aws"
+page_title: "AWS: aws_ami_launch_permission"
+sidebar_current: "docs-aws-resource-ami-launch-permission"
+description: |-
+  Adds launch permission to Amazon Machine Image (AMI).
+---
+
+# aws\_ami\_launch\_permission
+
+Adds launch permission to Amazon Machine Image (AMI) from another AWS account.
+
+## Example Usage
+
+```
+resource "aws_ami_launch_permission" "example" {
+    image_id   = "ami-12345678"
+    account_id = "123456789012"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+  * `image_id` - (required) A region-unique name for the AMI.
+  * `account_id` - (required) An AWS Account ID to add launch permissions.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+  * `id` - A combination of "`image_id`-`account_id`".