New Resource: aws_iam_service_linked_role #2985
Conversation
Ninir
added
enhancement
|
We've encountered the same issue with AWS swapping to service roles -- could this get merged soon? Thanks @robinjoseph08 @apparentlymart ! |
|
This is required to setup spot instances fleet for batch... |
|
|
||
| _, err := conn.CreateServiceLinkedRole(params) | ||
|
|
||
| if err != nil { |
There was a problem hiding this comment.
I would suggest checking to see if the role already exists before creating it or handling the conflict error with something like
d.SetId(serviceName)
if _, err := conn.CreateServiceLinkedRole(params); err != nil {
aerr, ok := err.(awserr.Error)
if ok && strings.Contains(aerr.Message(), "already taken") {
if rerr := resourceAwsIamServiceLinkedRoleRead(d, meta); err != nil {
return rerr
}
}
if d.Id() == "" || !ok {
return fmt.Errorf("Error creating service-linked role with name %s", serviceName)
}
}
return nilOtherwise, this will not apply cleanly on an account where the role already exist and is being used to scale production resources.
There was a problem hiding this comment.
Could we instead just import that role since you can only have one global IAM service linked role?
There was a problem hiding this comment.
Hi @robinjoseph08 thanks for this contribution and sorry for the delays in getting it reviewed. 😅 Can you please see the feedback below and let us know if you have any questions or do not have time to complete them? Thank you!
| } | ||
|
|
||
| if resp == nil || len(resp.Roles) == 0 { | ||
| d.SetId("") |
There was a problem hiding this comment.
Can you please add logging before this? log.Printf("[WARN] IAM service linked role %s not found, removing from state", d.Id())
| return fmt.Errorf("Error creating service-linked role with name %s", serviceName) | ||
| } | ||
|
|
||
| d.SetId(serviceName) |
There was a problem hiding this comment.
We should set this to the role ARN so we can utilize GetRole instead of the unsafe ListRoles (you can have multiple service linked roles for the same service when created with CustomSuffix)
There was a problem hiding this comment.
@bflad Not sure if I'm just missing something, but it doesn't look like you can use the ARN with GetRole, just the role name. Should I use the role name as the Id? That doesn't seem right either, but that is what aws_iam_role does. Should I do what you mention for the DeleteServiceLinkedRole call and just parse the role name out of the ARN?
| return nil | ||
| } | ||
|
|
||
| role := resp.Roles[0] |
There was a problem hiding this comment.
Services can have multiple linked roles with custom suffixes, we should switch the read logic to GetRole 👍
| name := d.Get("name").(string) | ||
|
|
||
| params := &iam.DeleteServiceLinkedRoleInput{ | ||
| RoleName: aws.String(name), |
There was a problem hiding this comment.
When d.SetId() is updated, d.Id() should contain the ARN we can parse for the name. 👍
| deletionTaskId := *resp.DeletionTaskId | ||
|
|
||
| stateConf := &resource.StateChangeConf{ | ||
| Pending: []string{"IN_PROGRESS", "NOT_STARTED"}, |
There was a problem hiding this comment.
Minor nitpick: can you please switch these to the SDK constants? e.g. iam. DeletionTaskStatusTypeInProgress
|
|
||
| resp, err := conn.ListRoles(params) | ||
|
|
||
| if err != nil || resp == nil { |
There was a problem hiding this comment.
This logic will currently ignore errors like PermissionDenied. It should return all errors except on isAWSErr(err, iam.ErrCodeNoSuchEntityException, "")
| } | ||
|
|
||
| conn := testAccProvider.Meta().(*AWSClient).iamconn | ||
| service_name := rs.Primary.ID |
There was a problem hiding this comment.
Same deal here with the ARN as above 👍
|
|
||
| The following arguments are supported: | ||
|
|
||
| * `aws_service_name` - (Required, Forces new resource) The AWS service to which this role is attached. You use a string similar to a URL but without the `http://` in front. For example: `elasticbeanstalk.amazonaws.com` |
There was a problem hiding this comment.
We should probably link to documentation about where to find these names here. 😄
There was a problem hiding this comment.
I couldn't seem to find a list of all of the service domains, but the closest thing I found was this. Do you think it's sufficient?
| "github.com/hashicorp/terraform/terraform" | ||
| ) | ||
|
|
||
| func TestAccAwsIamServiceLinkedRole(t *testing.T) { |
There was a problem hiding this comment.
Please rename this to TestAccAWSIAMServiceLinkedRole_basic. It should also have a test step for testing import (I'll note below)
| Config: fmt.Sprintf(testAccAwsIamServiceLinkedRoleConfig, "elasticbeanstalk.amazonaws.com"), | ||
| Check: testAccCheckAwsIamServiceLinkedRoleExists("aws_iam_service_linked_role.test"), | ||
| }, | ||
| }, |
There was a problem hiding this comment.
Missing import TestStep:
{
ResourceName: "aws_iam_service_linked_role.test",
ImportState: true,
ImportStateVerify: true,
},
bflad
added
the
waiting-response
|
@robinjoseph08 can you take a look at the feedback above please or let us know if you cannot work on this? |
|
Thanks for the feedback all! I'll make the changes this weekend. |
ghost
added
the
|
@bflad updated with your requested changes, but I had a few questions to make sure I'm doing it as you expected. Let me know if there's anything else! |
| resp, err := conn.CreateServiceLinkedRole(params) | ||
|
|
||
| if err != nil { | ||
| return fmt.Errorf("Error creating service-linked role with name %s", serviceName) |
There was a problem hiding this comment.
We should return the error messages here and on deletion 😄 I will fix post-merge.
bflad
removed
the
waiting-response
|
This has been released in version 1.15.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Fixes #921