INTMDB-256: Fixes a bug for updated a role in cloud access authorizat…

…ion (#567) * fix: migrated aws parameter and fixed a bug with a test * added skip test cred because of aws Co-authored-by: Edgar Lopez <edgarlopez@pop-os.localdomain>
mongodb · Sep 27, 2021 · 3ef0491 · 3ef0491
1 parent 045f03f
commit 3ef0491
Show file tree

Hide file tree

Showing 2 changed files with 148 additions and 1 deletion.
diff --git a/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization.go b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization.go
@@ -56,6 +56,14 @@ func resourceMongoDBAtlasCloudProviderAccessAuthorization() *schema.Resource {
 				Computed: true,
 			},
 		},
+		SchemaVersion: 1,
+		StateUpgraders: []schema.StateUpgrader{
+			{
+				Type:    resourceMongoDBAtlasCloudProviderAccessAuthorizationResourceV0().CoreConfigSchema().ImpliedType(),
+				Upgrade: resourceMongoDBAtlasCloudProviderAccessAuthorizationStateUpgradeV0,
+				Version: 0,
+			},
+		},
 	}
 }
 
@@ -190,7 +198,7 @@ func resourceMongoDBAtlasCloudProviderAccessAuthorizationUpdate(ctx context.Cont
 			return diag.FromErr(fmt.Errorf("error CloudProviderAccessAuthorization missing iam_assumed_role_arn"))
 		}
 
-		iamRole := (roleAWS.(map[string]interface{}))["iam_assumed_role_arn"]
+		iamRole := roleAWS.([]interface{})[0].(map[string]interface{})["iam_assumed_role_arn"]
 
 		req := &matlas.CloudProviderAuthorizationRequest{
 			ProviderName:      targetRole.ProviderName,
@@ -276,3 +284,45 @@ func FindRole(ctx context.Context, conn *matlas.Client, projectID, roleID string
 
 	return
 }
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorizationResourceV0() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"project_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"role_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"aws": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"iam_assumed_role_arn": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+					},
+				},
+			},
+			"feature_usages": {
+				Type:     schema.TypeList,
+				Elem:     featureUsagesSchema(),
+				Computed: true,
+			},
+			"authorized_date": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorizationStateUpgradeV0(ctx context.Context, rawState map[string]interface{}, meta interface{}) (map[string]interface{}, error) {
+	rawState["aws"] = []interface{}{}
+
+	return rawState, nil
+}
diff --git a/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization_test.go b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization_test.go
@@ -0,0 +1,97 @@
+package mongodbatlas
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccResourceMongoDBAtlasCloudProviderAccessAuthorization_basic(t *testing.T) {
+	SkipTestExtCred(t)
+	var (
+		projectID       = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
+		policyName      = acctest.RandomWithPrefix("tf-acc")
+		roleName        = acctest.RandomWithPrefix("tf-acc")
+		roleNameUpdated = acctest.RandomWithPrefix("tf-acc")
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: testAccProviderFactories,
+		// same as regular cloud provider access resource
+		CheckDestroy: testAccCheckMongoDBAtlasProviderAccessDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccMongoDBAtlasCloudProviderAccessAuthorizationConfig(projectID, policyName, roleName),
+			},
+			{
+				Config: testAccMongoDBAtlasCloudProviderAccessAuthorizationConfig(projectID, policyName, roleNameUpdated),
+			},
+		},
+	},
+	)
+}
+
+func testAccMongoDBAtlasCloudProviderAccessAuthorizationConfig(projectID, roleName, policyName string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_role_policy" "test_policy" {
+  name = %[2]q
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+  name = %[3]q
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config.0.atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config.0.atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+  project_id    = %[1]q
+  provider_name = "AWS"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+  project_id = %[1]q
+  role_id    = mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+  aws {
+    iam_assumed_role_arn = aws_iam_role.test_role.arn
+  }
+}
+	`, projectID, policyName, roleName)
+}