From 1416ac5e071a578b036103dcfe71403022f2ceb8 Mon Sep 17 00:00:00 2001
From: Michael Li
Date: Thu, 25 Apr 2024 11:59:45 -0400
Subject: [PATCH] test(e2e): Add module for iam user with credential rotation support (#4718)
---
enos/modules/aws_iam_setup/main.tf | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/enos/modules/aws_iam_setup/main.tf b/enos/modules/aws_iam_setup/main.tf
index 5088d56764..29a756eb32 100644
--- a/enos/modules/aws_iam_setup/main.tf
+++ b/enos/modules/aws_iam_setup/main.tf
@@ -5,6 +5,12 @@ data "aws_caller_identity" "current" {}
variable "test_id" {}
variable "test_email" {}
+variable "enable_credential_rotation" {
+ description = "Sets up the IAM user to support the use of credential rotation in Boundary"
+ type = bool
+ default = false
+}
+
locals {
# Use the AWS provided email if users are running this, override with variable for CI
@@ -15,6 +21,9 @@ resource "aws_iam_user" "boundary" {
name = "demo-${local.user_email}-${var.test_id}"
tags = { boundary-demo = local.user_email }
permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/DemoUser"
+ # If credential rotation is used, this is necessary to delete the user since a new access
+ # key will be generated.
+ force_destroy = var.enable_credential_rotation ? true : false
}
resource "aws_iam_user_policy" "boundary" {
@@ -34,6 +43,27 @@ resource "aws_iam_user_policy" "boundary" {
})
}
+resource "aws_iam_user_policy" "rotate_keys" {
+ count = var.enable_credential_rotation ? 1 : 0
+ name = "boundary_e2e_${var.test_id}_rotate_keys"
+ user = aws_iam_user.boundary.name
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Action" : [
+ "iam:DeleteAccessKey",
+ "iam:GetUser",
+ "iam:CreateAccessKey"
+ ],
+ "Effect" : "Allow",
+ "Resource" : "${aws_iam_user.boundary.arn}",
+ }
+ ]
+ })
+}
+
+
resource "aws_iam_access_key" "boundary" {
user = aws_iam_user.boundary.name
}
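Review bot: The description of the new `enable_credential_rotation` variable in the first hunk does not mention its second effect, which the second hunk adds: it also turns on `force_destroy` for the IAM user, so any access keys created outside Terraform are deleted along with the user. A caller reading only the variable block would not know that enabling rotation makes destroy more aggressive. Suggest `description = "Sets up the IAM user to support credential rotation in Boundary. Also enables force_destroy on the user so access keys created out-of-band by rotation do not block deletion."`.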
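Review bot: In the second hunk, `force_destroy = var.enable_credential_rotation ? true : false` is a redundant conditional, since the variable is declared with `type = bool` in the same patch; `force_destroy = var.enable_credential_rotation` expresses the same thing and is what `terraform fmt`/lint would prefer. The accompanying comment could also say what is being destroyed, e.g. `# force_destroy removes access keys the provider does not manage (rotation creates them out-of-band); without it the user cannot be deleted.` The `aws_iam_user` resource block begins outside the hunk.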
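Review bot: In the third hunk the rotation policy is scoped to the user's own ARN, which is the right least-privilege shape, but `"Resource" : "${aws_iam_user.boundary.arn}"` is an interpolation-only string and should be written `"Resource" : aws_iam_user.boundary.arn`. Two things are worth a comment on the resource: the effective permissions are still capped by the `DemoUser` permissions boundary attached to the user in the second hunk, so if that boundary does not allow `iam:CreateAccessKey`/`iam:DeleteAccessKey`/`iam:GetUser` on the user, rotation fails silently at the IAM layer rather than in Terraform; and once Boundary rotates, the key in `aws_iam_access_key.boundary` is presumably deleted out of band, so a later plan would likely show drift and propose recreating it — confirm this is acceptable for the e2e flow, or note it. Suggest `# NOTE: effective rights are bounded by the DemoUser permissions_boundary; rotation replaces aws_iam_access_key.boundary outside Terraform, so expect drift on re-plan.`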