From 8b8b66548314f2795fdbe11978dfc5988683899a Mon Sep 17 00:00:00 2001
From: Josh Brand
Date: Thu, 4 May 2023 18:16:00 -0400
Subject: [PATCH] chore(e2e): Update CI user for testing (#3203)
---
 .../github-actions-doormat.tf | 61 -------------------
 enos/ci/service-user-iam/main.tf | 21 ++-----
 enos/ci/service-user-iam/outputs.tf | 15 ++---
 enos/enos-scenario-e2e-static-with-vault.hcl | 2 +-
 4 files changed, 11 insertions(+), 88 deletions(-)
 delete mode 100644 enos/ci/service-user-iam/github-actions-doormat.tf
diff --git a/enos/ci/service-user-iam/github-actions-doormat.tf b/enos/ci/service-user-iam/github-actions-doormat.tf
deleted file mode 100644
index 40fd3673cf..0000000000
--- a/enos/ci/service-user-iam/github-actions-doormat.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-locals {
- doormat_service_user_arn = "arn:aws:iam::397512762488:user/doormatServiceUser"
- // "Github Actions Doormat repositories and qualifiers"
- // see: https://docs.prod.secops.hashicorp.services/doormat/gha/
- github_actions_doormat_rwqs = {
- boundary-enterprise = {
- ci = "github.com/hashicorp/boundary-enterprise@event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
- ci-bootstrap = "github.com/hashicorp/boundary-enterprise@event_name=schedule"
- }
- boundary-hcp = {
- ci = "github.com/hashicorp/boundary-hcp@event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
- ci-bootstrap = "github.com/hashicorp/boundary-hcp@event_name=schedule"
- }
- }
- ent_policies_json = {
- ci = data.aws_iam_policy_document.enos_policy_document.json
- ci-bootstrap = data.aws_iam_policy_document.combined_policy_document.json
- }
- repo_github_actions_doormat_rwqs = local.is_ent ? local.github_actions_doormat_rwqs[var.repository] : {}
-}
-
-// Doormat Github Actions assume policy
-data "aws_iam_policy_document" "github_actions_doormat_assume" {
- count = local.is_ent ? 1 : 0
-
- provider = aws.us_east_1
-
- statement {
- actions = [
- "sts:AssumeRole",
- "sts:SetSourceIdentity",
- "sts:TagSession"
- ]
- principals {
- type = "AWS"
- identifiers = [local.doormat_service_user_arn] # infrasec_prod
- }
- }
-}
-
-# Doormat Github Actions roles
-resource "aws_iam_role" "github_actions_doormat_role" {
- for_each = local.repo_github_actions_doormat_rwqs
-
- provider = aws.us_east_1
-
- name = "${var.repository}-GHA-${each.key}"
- tags = {
- hc-service-uri = each.value
- }
- max_session_duration = 43200
- assume_role_policy = data.aws_iam_policy_document.github_actions_doormat_assume[0].json
-
- inline_policy {
- name = "AssumeServiceUserPolicy"
- policy = local.ent_policies_json[each.key]
- }
-}
diff --git a/enos/ci/service-user-iam/main.tf b/enos/ci/service-user-iam/main.tf
index 202162be40..4bb30c4e7b 100644
--- a/enos/ci/service-user-iam/main.tf
+++ b/enos/ci/service-user-iam/main.tf
@@ -16,30 +16,24 @@ terraform {
 }
 locals {
- enterprise_repositories = ["boundary-enterprise", "boundary-hcp"]
- is_ent = contains(local.enterprise_repositories, var.repository)
- service_user = data.aws_iam_user.service_user.user_name
- oss_aws_account_id = "271311691044"
+ service_user = data.aws_iam_user.service_user.user_name
 }
+data "aws_caller_identity" "current" {}
 data "aws_iam_user" "service_user" {
 # This is the user created in the hashicorp/hc-service-users repo
- user_name = "github_actions-boundary_ci"
+ user_name = var.repository == "boundary" ? "github_actions-boundary_ci" : "github_actions-boundary_enterprise_ci"
 }
 resource "aws_iam_role" "role" {
- count = local.is_ent ? 0 : 1 // only create a role for the OSS repositories
-
 provider = aws.us_east_1
 name = local.service_user
- assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document[0].json
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
 }
 data "aws_iam_policy_document" "assume_role_policy_document" {
- count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
-
 provider = aws.us_east_1
 statement {
@@ -48,17 +42,15 @@ data "aws_iam_policy_document" "assume_role_policy_document" {
 principals {
 type = "AWS"
- identifiers = ["arn:aws:iam::${local.oss_aws_account_id}:user/${local.service_user}"]
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${local.service_user}"]
 }
 }
 }
 resource "aws_iam_role_policy" "role_policy" {
- count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
-
 provider = aws.us_east_1
- role = aws_iam_role.role[0].name
+ role = aws_iam_role.role.name
 name = "${local.service_user}_policy"
 policy = data.aws_iam_policy_document.combined_policy_document.json
 }
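Review bot: The new `user_name` ternary in `data "aws_iam_user" "service_user"` maps every value of `var.repository` other than `"boundary"` to `github_actions-boundary_enterprise_ci`, so a typo or an unexpected repository name silently binds the enterprise CI user instead of failing, and the removed `enterprise_repositories` allowlist no longer constrains which repositories are accepted. An explicit map lookup fails at plan time for unknown keys and documents the expected repositories; the enterprise key names below follow the deleted doormat file and should be confirmed against the callers of this module. `var.repository` is declared outside this hunk.
```hcl
locals {
  # Repository -> CI user from hashicorp/hc-service-users; unknown repositories fail at plan time.
  service_user_names = {
    boundary            = "github_actions-boundary_ci"
    boundary-enterprise = "github_actions-boundary_enterprise_ci"
    boundary-hcp        = "github_actions-boundary_enterprise_ci"
  }
  service_user = data.aws_iam_user.service_user.user_name
}

data "aws_iam_user" "service_user" {
  # This is the user created in the hashicorp/hc-service-users repo
  user_name = local.service_user_names[var.repository]
}
// … unchanged: aws_caller_identity, aws_iam_role.role, assume_role_policy_document …
```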
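Review bot: The `identifiers` ARN in the trust policy is now built from `data.aws_caller_identity.current.account_id`, but `data "aws_caller_identity" "current"` (declared in the preceding hunk) uses the default AWS provider while the role, this policy document and `aws_iam_role_policy.role_policy` all use `provider = aws.us_east_1`; if those two provider configurations carry different credentials, the trust policy would name a user in the wrong account and the role could not be assumed by the user it is meant for. Pin the data source to the same provider, `data "aws_caller_identity" "current" { provider = aws.us_east_1 }`, and consider doing the same for `data "aws_iam_user" "service_user"`, which also has no provider set. Whether the default and aliased provider configurations actually differ is not visible in this diff.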
@@ -258,7 +250,6 @@ data "aws_iam_policy_document" "aws_nuke_policy_document" {
 }
 
 resource "aws_iam_policy" "demo_user" {
- count = local.is_ent ? 0 : 1 // only create a policy for the OSS repositories
 name = "BoundaryDemoPermissionsBoundary"
 path = "/"
 description = "Used to allow temporary IAM user creation for end-to-end tests"
diff --git a/enos/ci/service-user-iam/outputs.tf b/enos/ci/service-user-iam/outputs.tf
index 5911ccaa36..726b8335f0 100644
--- a/enos/ci/service-user-iam/outputs.tf
+++ b/enos/ci/service-user-iam/outputs.tf
@@ -2,16 +2,9 @@
 # SPDX-License-Identifier: MPL-2.0
 
 output "ci_roles" {
- value = local.is_ent ? [for role in aws_iam_role.github_actions_doormat_role : {
- name = role.name
- arn = role.arn
- policy = [for policy in role.inline_policy : {
- name = policy.name
- policy = jsondecode(policy.policy)
- }][0]
- }] : [{
- name = aws_iam_role.role[0].name
- arn = aws_iam_role.role[0].arn
- policy = aws_iam_role_policy.role_policy[0].policy
+ value = [{
+ name = aws_iam_role.role.name
+ arn = aws_iam_role.role.arn
+ policy = aws_iam_role_policy.role_policy.policy
 }]
 }
diff --git a/enos/enos-scenario-e2e-static-with-vault.hcl b/enos/enos-scenario-e2e-static-with-vault.hcl
index 1b6084a982..fdb6c57e4b 100644
--- a/enos/enos-scenario-e2e-static-with-vault.hcl
+++ b/enos/enos-scenario-e2e-static-with-vault.hcl
@@ -16,7 +16,7 @@ scenario "e2e_static_with_vault" {
 locals {
 aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path)
 boundary_install_dir = abspath(var.boundary_install_dir)
- boundary_license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic"))
+ license_path = abspath(var.boundary_license_path != null ? var.boundary_license_path : joinpath(path.root, "./support/boundary.hclic"))
 local_boundary_dir = abspath(var.local_boundary_dir)
 build_path = {
 "local" = "/tmp",