github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_emr_cluster_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "log" 6 "reflect" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/emr" 12 "github.com/hashicorp/terraform/helper/acctest" 13 "github.com/hashicorp/terraform/helper/resource" 14 "github.com/hashicorp/terraform/terraform" 15 ) 16 17 func TestAccAWSEMRCluster_basic(t *testing.T) { 18 var cluster emr.Cluster 19 r := acctest.RandInt() 20 resource.Test(t, resource.TestCase{ 21 PreCheck: func() { testAccPreCheck(t) }, 22 Providers: testAccProviders, 23 CheckDestroy: testAccCheckAWSEmrDestroy, 24 Steps: []resource.TestStep{ 25 { 26 Config: testAccAWSEmrClusterConfig(r), 27 Check: testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 28 }, 29 }, 30 }) 31 } 32 33 func TestAccAWSEMRCluster_bootstrap_ordering(t *testing.T) { 34 var cluster emr.Cluster 35 rName := acctest.RandomWithPrefix("tf-emr-bootstrap") 36 argsInts := []string{ 37 "1", 38 "2", 39 "3", 40 "4", 41 "5", 42 "6", 43 "7", 44 "8", 45 "9", 46 "10", 47 } 48 49 argsStrings := []string{ 50 "instance.isMaster=true", 51 "echo running on master node", 52 } 53 54 resource.Test(t, resource.TestCase{ 55 PreCheck: func() { testAccPreCheck(t) }, 56 Providers: testAccProviders, 57 CheckDestroy: testAccCheckAWSEmrDestroy, 58 Steps: []resource.TestStep{ 59 { 60 Config: testAccAWSEmrClusterConfig_bootstrap(rName), 61 Check: resource.ComposeTestCheckFunc( 62 testAccCheckAWSEmrClusterExists("aws_emr_cluster.test", &cluster), 63 testAccCheck_bootstrap_order(&cluster, argsInts, argsStrings), 64 ), 65 }, 66 }, 67 }) 68 } 69 70 func TestAccAWSEMRCluster_terminationProtected(t *testing.T) { 71 var cluster emr.Cluster 72 r := acctest.RandInt() 73 resource.Test(t, resource.TestCase{ 74 PreCheck: func() { testAccPreCheck(t) }, 75 Providers: testAccProviders, 76 CheckDestroy: testAccCheckAWSEmrDestroy, 77 Steps: []resource.TestStep{ 78 { 79 Config: testAccAWSEmrClusterConfig(r), 80 Check: resource.ComposeTestCheckFunc( 81 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 82 resource.TestCheckResourceAttr( 83 "aws_emr_cluster.tf-test-cluster", "termination_protection", "false"), 84 ), 85 }, 86 { 87 Config: testAccAWSEmrClusterConfigTerminationPolicyUpdated(r), 88 Check: resource.ComposeTestCheckFunc( 89 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 90 resource.TestCheckResourceAttr( 91 "aws_emr_cluster.tf-test-cluster", "termination_protection", "true"), 92 ), 93 }, 94 { 95 //Need to turn off termination_protection to allow the job to be deleted 96 Config: testAccAWSEmrClusterConfig(r), 97 Check: resource.ComposeTestCheckFunc( 98 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 99 ), 100 }, 101 }, 102 }) 103 } 104 105 func TestAccAWSEMRCluster_visibleToAllUsers(t *testing.T) { 106 var cluster emr.Cluster 107 r := acctest.RandInt() 108 resource.Test(t, resource.TestCase{ 109 PreCheck: func() { testAccPreCheck(t) }, 110 Providers: testAccProviders, 111 CheckDestroy: testAccCheckAWSEmrDestroy, 112 Steps: []resource.TestStep{ 113 { 114 Config: testAccAWSEmrClusterConfig(r), 115 Check: resource.ComposeTestCheckFunc( 116 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 117 resource.TestCheckResourceAttr( 118 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "true"), 119 ), 120 }, 121 { 122 Config: testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r), 123 Check: resource.ComposeTestCheckFunc( 124 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 125 resource.TestCheckResourceAttr( 126 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "false"), 127 ), 128 }, 129 }, 130 }) 131 } 132 133 func TestAccAWSEMRCluster_tags(t *testing.T) { 134 var cluster emr.Cluster 135 r := acctest.RandInt() 136 resource.Test(t, resource.TestCase{ 137 PreCheck: func() { testAccPreCheck(t) }, 138 Providers: testAccProviders, 139 CheckDestroy: testAccCheckAWSEmrDestroy, 140 Steps: []resource.TestStep{ 141 { 142 Config: testAccAWSEmrClusterConfig(r), 143 Check: resource.ComposeTestCheckFunc( 144 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 145 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "4"), 146 resource.TestCheckResourceAttr( 147 "aws_emr_cluster.tf-test-cluster", "tags.role", "rolename"), 148 resource.TestCheckResourceAttr( 149 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "env_zone"), 150 resource.TestCheckResourceAttr( 151 "aws_emr_cluster.tf-test-cluster", "tags.env", "env"), 152 resource.TestCheckResourceAttr( 153 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env")), 154 }, 155 { 156 Config: testAccAWSEmrClusterConfigUpdatedTags(r), 157 Check: resource.ComposeTestCheckFunc( 158 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 159 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "3"), 160 resource.TestCheckResourceAttr( 161 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "new_zone"), 162 resource.TestCheckResourceAttr( 163 "aws_emr_cluster.tf-test-cluster", "tags.Env", "production"), 164 resource.TestCheckResourceAttr( 165 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env"), 166 ), 167 }, 168 }, 169 }) 170 } 171 172 func testAccCheck_bootstrap_order(cluster *emr.Cluster, argsInts, argsStrings []string) resource.TestCheckFunc { 173 return func(s *terraform.State) error { 174 175 emrconn := testAccProvider.Meta().(*AWSClient).emrconn 176 req := emr.ListBootstrapActionsInput{ 177 ClusterId: cluster.Id, 178 } 179 180 resp, err := emrconn.ListBootstrapActions(&req) 181 if err != nil { 182 return fmt.Errorf("[ERR] Error listing boostrap actions in test: %s", err) 183 } 184 185 // make sure we actually checked something 186 var ran bool 187 for _, ba := range resp.BootstrapActions { 188 // assume name matches the config 189 rArgs := aws.StringValueSlice(ba.Args) 190 if *ba.Name == "test" { 191 ran = true 192 if !reflect.DeepEqual(argsInts, rArgs) { 193 return fmt.Errorf("Error matching Bootstrap args:\n\texpected: %#v\n\tgot: %#v", argsInts, rArgs) 194 } 195 } else if *ba.Name == "runif" { 196 ran = true 197 if !reflect.DeepEqual(argsStrings, rArgs) { 198 return fmt.Errorf("Error matching Bootstrap args:\n\texpected: %#v\n\tgot: %#v", argsStrings, rArgs) 199 } 200 } 201 } 202 203 if !ran { 204 return fmt.Errorf("Expected to compare bootstrap actions, but no checks were ran") 205 } 206 207 return nil 208 } 209 } 210 211 func testAccCheckAWSEmrDestroy(s *terraform.State) error { 212 conn := testAccProvider.Meta().(*AWSClient).emrconn 213 214 for _, rs := range s.RootModule().Resources { 215 if rs.Type != "aws_emr_cluster" { 216 continue 217 } 218 219 params := &emr.DescribeClusterInput{ 220 ClusterId: aws.String(rs.Primary.ID), 221 } 222 223 describe, err := conn.DescribeCluster(params) 224 225 if err == nil { 226 if describe.Cluster != nil && 227 *describe.Cluster.Status.State == "WAITING" { 228 return fmt.Errorf("EMR Cluster still exists") 229 } 230 } 231 232 providerErr, ok := err.(awserr.Error) 233 if !ok { 234 return err 235 } 236 237 log.Printf("[ERROR] %v", providerErr) 238 } 239 240 return nil 241 } 242 243 func testAccCheckAWSEmrClusterExists(n string, v *emr.Cluster) resource.TestCheckFunc { 244 return func(s *terraform.State) error { 245 rs, ok := s.RootModule().Resources[n] 246 if !ok { 247 return fmt.Errorf("Not found: %s", n) 248 } 249 if rs.Primary.ID == "" { 250 return fmt.Errorf("No cluster id set") 251 } 252 conn := testAccProvider.Meta().(*AWSClient).emrconn 253 describe, err := conn.DescribeCluster(&emr.DescribeClusterInput{ 254 ClusterId: aws.String(rs.Primary.ID), 255 }) 256 if err != nil { 257 return fmt.Errorf("EMR error: %v", err) 258 } 259 260 if describe.Cluster != nil && 261 *describe.Cluster.Id != rs.Primary.ID { 262 return fmt.Errorf("EMR cluser not found") 263 } 264 265 *v = *describe.Cluster 266 267 if describe.Cluster != nil && 268 *describe.Cluster.Status.State != "WAITING" { 269 return fmt.Errorf("EMR cluser is not up yet") 270 } 271 272 return nil 273 } 274 } 275 276 func testAccAWSEmrClusterConfig_bootstrap(r string) string { 277 return fmt.Sprintf(` 278 resource "aws_emr_cluster" "test" { 279 count = 1 280 name = "%s" 281 release_label = "emr-5.0.0" 282 applications = ["Hadoop", "Hive"] 283 log_uri = "s3n://terraform/testlog/" 284 master_instance_type = "m4.large" 285 core_instance_type = "m1.small" 286 core_instance_count = 1 287 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 288 289 depends_on = ["aws_main_route_table_association.a"] 290 291 ec2_attributes { 292 subnet_id = "${aws_subnet.main.id}" 293 294 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 295 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 296 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 297 } 298 299 bootstrap_action { 300 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 301 name = "runif" 302 args = ["instance.isMaster=true", "echo running on master node"] 303 } 304 305 bootstrap_action = [ 306 { 307 path = "s3://${aws_s3_bucket.tester.bucket}/testscript.sh" 308 name = "test" 309 310 args = ["1", 311 "2", 312 "3", 313 "4", 314 "5", 315 "6", 316 "7", 317 "8", 318 "9", 319 "10", 320 ] 321 }, 322 ] 323 } 324 325 resource "aws_iam_instance_profile" "emr_profile" { 326 name = "%s_profile" 327 role = "${aws_iam_role.iam_emr_profile_role.name}" 328 } 329 330 resource "aws_iam_role" "iam_emr_default_role" { 331 name = "%s_default_role" 332 333 assume_role_policy = <<EOT 334 { 335 "Version": "2008-10-17", 336 "Statement": [ 337 { 338 "Sid": "", 339 "Effect": "Allow", 340 "Principal": { 341 "Service": "elasticmapreduce.amazonaws.com" 342 }, 343 "Action": "sts:AssumeRole" 344 } 345 ] 346 } 347 EOT 348 } 349 350 resource "aws_iam_role" "iam_emr_profile_role" { 351 name = "%s_profile_role" 352 353 assume_role_policy = <<EOT 354 { 355 "Version": "2008-10-17", 356 "Statement": [ 357 { 358 "Sid": "", 359 "Effect": "Allow", 360 "Principal": { 361 "Service": "ec2.amazonaws.com" 362 }, 363 "Action": "sts:AssumeRole" 364 } 365 ] 366 } 367 EOT 368 } 369 370 resource "aws_iam_role_policy_attachment" "profile-attach" { 371 role = "${aws_iam_role.iam_emr_profile_role.id}" 372 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 373 } 374 375 resource "aws_iam_role_policy_attachment" "service-attach" { 376 role = "${aws_iam_role.iam_emr_default_role.id}" 377 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 378 } 379 380 resource "aws_iam_policy" "iam_emr_default_policy" { 381 name = "%s_emr" 382 383 policy = <<EOT 384 { 385 "Version": "2012-10-17", 386 "Statement": [{ 387 "Effect": "Allow", 388 "Resource": "*", 389 "Action": [ 390 "ec2:AuthorizeSecurityGroupEgress", 391 "ec2:AuthorizeSecurityGroupIngress", 392 "ec2:CancelSpotInstanceRequests", 393 "ec2:CreateNetworkInterface", 394 "ec2:CreateSecurityGroup", 395 "ec2:CreateTags", 396 "ec2:DeleteNetworkInterface", 397 "ec2:DeleteSecurityGroup", 398 "ec2:DeleteTags", 399 "ec2:DescribeAvailabilityZones", 400 "ec2:DescribeAccountAttributes", 401 "ec2:DescribeDhcpOptions", 402 "ec2:DescribeInstanceStatus", 403 "ec2:DescribeInstances", 404 "ec2:DescribeKeyPairs", 405 "ec2:DescribeNetworkAcls", 406 "ec2:DescribeNetworkInterfaces", 407 "ec2:DescribePrefixLists", 408 "ec2:DescribeRouteTables", 409 "ec2:DescribeSecurityGroups", 410 "ec2:DescribeSpotInstanceRequests", 411 "ec2:DescribeSpotPriceHistory", 412 "ec2:DescribeSubnets", 413 "ec2:DescribeVpcAttribute", 414 "ec2:DescribeVpcEndpoints", 415 "ec2:DescribeVpcEndpointServices", 416 "ec2:DescribeVpcs", 417 "ec2:DetachNetworkInterface", 418 "ec2:ModifyImageAttribute", 419 "ec2:ModifyInstanceAttribute", 420 "ec2:RequestSpotInstances", 421 "ec2:RevokeSecurityGroupEgress", 422 "ec2:RunInstances", 423 "ec2:TerminateInstances", 424 "ec2:DeleteVolume", 425 "ec2:DescribeVolumeStatus", 426 "iam:GetRole", 427 "iam:GetRolePolicy", 428 "iam:ListInstanceProfiles", 429 "iam:ListRolePolicies", 430 "iam:PassRole", 431 "s3:CreateBucket", 432 "s3:Get*", 433 "s3:List*", 434 "sdb:BatchPutAttributes", 435 "sdb:Select", 436 "sqs:CreateQueue", 437 "sqs:Delete*", 438 "sqs:GetQueue*", 439 "sqs:PurgeQueue", 440 "sqs:ReceiveMessage" 441 ] 442 }] 443 } 444 EOT 445 } 446 447 resource "aws_iam_policy" "iam_emr_profile_policy" { 448 name = "%s_profile" 449 450 policy = <<EOT 451 { 452 "Version": "2012-10-17", 453 "Statement": [{ 454 "Effect": "Allow", 455 "Resource": "*", 456 "Action": [ 457 "cloudwatch:*", 458 "dynamodb:*", 459 "ec2:Describe*", 460 "elasticmapreduce:Describe*", 461 "elasticmapreduce:ListBootstrapActions", 462 "elasticmapreduce:ListClusters", 463 "elasticmapreduce:ListInstanceGroups", 464 "elasticmapreduce:ListInstances", 465 "elasticmapreduce:ListSteps", 466 "kinesis:CreateStream", 467 "kinesis:DeleteStream", 468 "kinesis:DescribeStream", 469 "kinesis:GetRecords", 470 "kinesis:GetShardIterator", 471 "kinesis:MergeShards", 472 "kinesis:PutRecord", 473 "kinesis:SplitShard", 474 "rds:Describe*", 475 "s3:*", 476 "sdb:*", 477 "sns:*", 478 "sqs:*" 479 ] 480 }] 481 } 482 EOT 483 } 484 485 resource "aws_vpc" "main" { 486 cidr_block = "168.31.0.0/16" 487 enable_dns_hostnames = true 488 489 tags { 490 name = "emr_test_cts" 491 } 492 } 493 494 resource "aws_subnet" "main" { 495 vpc_id = "${aws_vpc.main.id}" 496 cidr_block = "168.31.0.0/20" 497 498 tags { 499 name = "emr_test_cts" 500 } 501 } 502 503 resource "aws_internet_gateway" "gw" { 504 vpc_id = "${aws_vpc.main.id}" 505 } 506 507 resource "aws_route_table" "r" { 508 vpc_id = "${aws_vpc.main.id}" 509 510 route { 511 cidr_block = "0.0.0.0/0" 512 gateway_id = "${aws_internet_gateway.gw.id}" 513 } 514 } 515 516 resource "aws_main_route_table_association" "a" { 517 vpc_id = "${aws_vpc.main.id}" 518 route_table_id = "${aws_route_table.r.id}" 519 } 520 521 resource "aws_security_group" "allow_all" { 522 name = "allow_all" 523 description = "Allow all inbound traffic" 524 vpc_id = "${aws_vpc.main.id}" 525 526 ingress { 527 from_port = 0 528 to_port = 0 529 protocol = "-1" 530 cidr_blocks = ["0.0.0.0/0"] 531 } 532 533 egress { 534 from_port = 0 535 to_port = 0 536 protocol = "-1" 537 cidr_blocks = ["0.0.0.0/0"] 538 } 539 540 depends_on = ["aws_subnet.main"] 541 542 lifecycle { 543 ignore_changes = ["ingress", "egress"] 544 } 545 546 tags { 547 name = "emr_test" 548 } 549 } 550 551 output "cluser_id" { 552 value = "${aws_emr_cluster.test.id}" 553 } 554 555 resource "aws_s3_bucket" "tester" { 556 bucket = "%s" 557 acl = "public-read" 558 } 559 560 resource "aws_s3_bucket_object" "testobject" { 561 bucket = "${aws_s3_bucket.tester.bucket}" 562 key = "testscript.sh" 563 564 #source = "testscript.sh" 565 content = "${data.template_file.testscript.rendered}" 566 acl = "public-read" 567 } 568 569 data "template_file" "testscript" { 570 template = <<POLICY 571 #!/bin/bash 572 573 echo $@ 574 POLICY 575 }`, r, r, r, r, r, r, r) 576 } 577 578 func testAccAWSEmrClusterConfig(r int) string { 579 return fmt.Sprintf(` 580 provider "aws" { 581 region = "us-west-2" 582 } 583 584 resource "aws_emr_cluster" "tf-test-cluster" { 585 name = "emr-test-%d" 586 release_label = "emr-4.6.0" 587 applications = ["Spark"] 588 589 ec2_attributes { 590 subnet_id = "${aws_subnet.main.id}" 591 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 592 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 593 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 594 } 595 596 master_instance_type = "m3.xlarge" 597 core_instance_type = "m3.xlarge" 598 core_instance_count = 1 599 600 tags { 601 role = "rolename" 602 dns_zone = "env_zone" 603 env = "env" 604 name = "name-env" 605 } 606 607 keep_job_flow_alive_when_no_steps = true 608 termination_protection = false 609 610 bootstrap_action { 611 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 612 name = "runif" 613 args = ["instance.isMaster=true", "echo running on master node"] 614 } 615 616 configurations = "test-fixtures/emr_configurations.json" 617 618 depends_on = ["aws_main_route_table_association.a"] 619 620 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 621 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 622 } 623 624 resource "aws_security_group" "allow_all" { 625 name = "allow_all_%d" 626 description = "Allow all inbound traffic" 627 vpc_id = "${aws_vpc.main.id}" 628 629 ingress { 630 from_port = 0 631 to_port = 0 632 protocol = "-1" 633 cidr_blocks = ["0.0.0.0/0"] 634 } 635 636 egress { 637 from_port = 0 638 to_port = 0 639 protocol = "-1" 640 cidr_blocks = ["0.0.0.0/0"] 641 } 642 643 depends_on = ["aws_subnet.main"] 644 645 lifecycle { 646 ignore_changes = ["ingress", "egress"] 647 } 648 649 tags { 650 name = "emr_test" 651 } 652 } 653 654 resource "aws_vpc" "main" { 655 cidr_block = "168.31.0.0/16" 656 enable_dns_hostnames = true 657 658 tags { 659 name = "emr_test_%d" 660 } 661 } 662 663 resource "aws_subnet" "main" { 664 vpc_id = "${aws_vpc.main.id}" 665 cidr_block = "168.31.0.0/20" 666 667 tags { 668 name = "emr_test_%d" 669 } 670 } 671 672 resource "aws_internet_gateway" "gw" { 673 vpc_id = "${aws_vpc.main.id}" 674 } 675 676 resource "aws_route_table" "r" { 677 vpc_id = "${aws_vpc.main.id}" 678 679 route { 680 cidr_block = "0.0.0.0/0" 681 gateway_id = "${aws_internet_gateway.gw.id}" 682 } 683 } 684 685 resource "aws_main_route_table_association" "a" { 686 vpc_id = "${aws_vpc.main.id}" 687 route_table_id = "${aws_route_table.r.id}" 688 } 689 690 ### 691 692 # IAM things 693 694 ### 695 696 # IAM role for EMR Service 697 resource "aws_iam_role" "iam_emr_default_role" { 698 name = "iam_emr_default_role_%d" 699 700 assume_role_policy = <<EOT 701 { 702 "Version": "2008-10-17", 703 "Statement": [ 704 { 705 "Sid": "", 706 "Effect": "Allow", 707 "Principal": { 708 "Service": "elasticmapreduce.amazonaws.com" 709 }, 710 "Action": "sts:AssumeRole" 711 } 712 ] 713 } 714 EOT 715 } 716 717 resource "aws_iam_role_policy_attachment" "service-attach" { 718 role = "${aws_iam_role.iam_emr_default_role.id}" 719 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 720 } 721 722 resource "aws_iam_policy" "iam_emr_default_policy" { 723 name = "iam_emr_default_policy_%d" 724 725 policy = <<EOT 726 { 727 "Version": "2012-10-17", 728 "Statement": [{ 729 "Effect": "Allow", 730 "Resource": "*", 731 "Action": [ 732 "ec2:AuthorizeSecurityGroupEgress", 733 "ec2:AuthorizeSecurityGroupIngress", 734 "ec2:CancelSpotInstanceRequests", 735 "ec2:CreateNetworkInterface", 736 "ec2:CreateSecurityGroup", 737 "ec2:CreateTags", 738 "ec2:DeleteNetworkInterface", 739 "ec2:DeleteSecurityGroup", 740 "ec2:DeleteTags", 741 "ec2:DescribeAvailabilityZones", 742 "ec2:DescribeAccountAttributes", 743 "ec2:DescribeDhcpOptions", 744 "ec2:DescribeInstanceStatus", 745 "ec2:DescribeInstances", 746 "ec2:DescribeKeyPairs", 747 "ec2:DescribeNetworkAcls", 748 "ec2:DescribeNetworkInterfaces", 749 "ec2:DescribePrefixLists", 750 "ec2:DescribeRouteTables", 751 "ec2:DescribeSecurityGroups", 752 "ec2:DescribeSpotInstanceRequests", 753 "ec2:DescribeSpotPriceHistory", 754 "ec2:DescribeSubnets", 755 "ec2:DescribeVpcAttribute", 756 "ec2:DescribeVpcEndpoints", 757 "ec2:DescribeVpcEndpointServices", 758 "ec2:DescribeVpcs", 759 "ec2:DetachNetworkInterface", 760 "ec2:ModifyImageAttribute", 761 "ec2:ModifyInstanceAttribute", 762 "ec2:RequestSpotInstances", 763 "ec2:RevokeSecurityGroupEgress", 764 "ec2:RunInstances", 765 "ec2:TerminateInstances", 766 "ec2:DeleteVolume", 767 "ec2:DescribeVolumeStatus", 768 "ec2:DescribeVolumes", 769 "ec2:DetachVolume", 770 "iam:GetRole", 771 "iam:GetRolePolicy", 772 "iam:ListInstanceProfiles", 773 "iam:ListRolePolicies", 774 "iam:PassRole", 775 "s3:CreateBucket", 776 "s3:Get*", 777 "s3:List*", 778 "sdb:BatchPutAttributes", 779 "sdb:Select", 780 "sqs:CreateQueue", 781 "sqs:Delete*", 782 "sqs:GetQueue*", 783 "sqs:PurgeQueue", 784 "sqs:ReceiveMessage" 785 ] 786 }] 787 } 788 EOT 789 } 790 791 # IAM Role for EC2 Instance Profile 792 resource "aws_iam_role" "iam_emr_profile_role" { 793 name = "iam_emr_profile_role_%d" 794 795 assume_role_policy = <<EOT 796 { 797 "Version": "2008-10-17", 798 "Statement": [ 799 { 800 "Sid": "", 801 "Effect": "Allow", 802 "Principal": { 803 "Service": "ec2.amazonaws.com" 804 }, 805 "Action": "sts:AssumeRole" 806 } 807 ] 808 } 809 EOT 810 } 811 812 resource "aws_iam_instance_profile" "emr_profile" { 813 name = "emr_profile_%d" 814 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 815 } 816 817 resource "aws_iam_role_policy_attachment" "profile-attach" { 818 role = "${aws_iam_role.iam_emr_profile_role.id}" 819 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 820 } 821 822 resource "aws_iam_policy" "iam_emr_profile_policy" { 823 name = "iam_emr_profile_policy_%d" 824 825 policy = <<EOT 826 { 827 "Version": "2012-10-17", 828 "Statement": [{ 829 "Effect": "Allow", 830 "Resource": "*", 831 "Action": [ 832 "cloudwatch:*", 833 "dynamodb:*", 834 "ec2:Describe*", 835 "elasticmapreduce:Describe*", 836 "elasticmapreduce:ListBootstrapActions", 837 "elasticmapreduce:ListClusters", 838 "elasticmapreduce:ListInstanceGroups", 839 "elasticmapreduce:ListInstances", 840 "elasticmapreduce:ListSteps", 841 "kinesis:CreateStream", 842 "kinesis:DeleteStream", 843 "kinesis:DescribeStream", 844 "kinesis:GetRecords", 845 "kinesis:GetShardIterator", 846 "kinesis:MergeShards", 847 "kinesis:PutRecord", 848 "kinesis:SplitShard", 849 "rds:Describe*", 850 "s3:*", 851 "sdb:*", 852 "sns:*", 853 "sqs:*" 854 ] 855 }] 856 } 857 EOT 858 } 859 860 # IAM Role for autoscaling 861 resource "aws_iam_role" "emr-autoscaling-role" { 862 name = "EMR_AutoScaling_DefaultRole_%d" 863 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 864 } 865 866 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 867 statement { 868 effect = "Allow" 869 actions = ["sts:AssumeRole"] 870 principals = { 871 type = "Service" 872 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 873 } 874 } 875 } 876 877 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 878 role = "${aws_iam_role.emr-autoscaling-role.name}" 879 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 880 } 881 `, r, r, r, r, r, r, r, r, r, r) 882 } 883 884 func testAccAWSEmrClusterConfigTerminationPolicyUpdated(r int) string { 885 return fmt.Sprintf(` 886 provider "aws" { 887 region = "us-west-2" 888 } 889 890 resource "aws_emr_cluster" "tf-test-cluster" { 891 name = "emr-test-%d" 892 release_label = "emr-4.6.0" 893 applications = ["Spark"] 894 895 ec2_attributes { 896 subnet_id = "${aws_subnet.main.id}" 897 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 898 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 899 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 900 } 901 902 master_instance_type = "m3.xlarge" 903 core_instance_type = "m3.xlarge" 904 core_instance_count = 1 905 906 tags { 907 role = "rolename" 908 dns_zone = "env_zone" 909 env = "env" 910 name = "name-env" 911 } 912 913 keep_job_flow_alive_when_no_steps = true 914 termination_protection = true 915 916 bootstrap_action { 917 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 918 name = "runif" 919 args = ["instance.isMaster=true", "echo running on master node"] 920 } 921 922 configurations = "test-fixtures/emr_configurations.json" 923 924 depends_on = ["aws_main_route_table_association.a"] 925 926 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 927 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 928 } 929 930 resource "aws_security_group" "allow_all" { 931 name = "allow_all_%d" 932 description = "Allow all inbound traffic" 933 vpc_id = "${aws_vpc.main.id}" 934 935 ingress { 936 from_port = 0 937 to_port = 0 938 protocol = "-1" 939 cidr_blocks = ["0.0.0.0/0"] 940 } 941 942 egress { 943 from_port = 0 944 to_port = 0 945 protocol = "-1" 946 cidr_blocks = ["0.0.0.0/0"] 947 } 948 949 depends_on = ["aws_subnet.main"] 950 951 lifecycle { 952 ignore_changes = ["ingress", "egress"] 953 } 954 955 tags { 956 name = "emr_test" 957 } 958 } 959 960 resource "aws_vpc" "main" { 961 cidr_block = "168.31.0.0/16" 962 enable_dns_hostnames = true 963 964 tags { 965 name = "emr_test_%d" 966 } 967 } 968 969 resource "aws_subnet" "main" { 970 vpc_id = "${aws_vpc.main.id}" 971 cidr_block = "168.31.0.0/20" 972 973 tags { 974 name = "emr_test_%d" 975 } 976 } 977 978 resource "aws_internet_gateway" "gw" { 979 vpc_id = "${aws_vpc.main.id}" 980 } 981 982 resource "aws_route_table" "r" { 983 vpc_id = "${aws_vpc.main.id}" 984 985 route { 986 cidr_block = "0.0.0.0/0" 987 gateway_id = "${aws_internet_gateway.gw.id}" 988 } 989 } 990 991 resource "aws_main_route_table_association" "a" { 992 vpc_id = "${aws_vpc.main.id}" 993 route_table_id = "${aws_route_table.r.id}" 994 } 995 996 ### 997 998 # IAM things 999 1000 ### 1001 1002 # IAM role for EMR Service 1003 resource "aws_iam_role" "iam_emr_default_role" { 1004 name = "iam_emr_default_role_%d" 1005 1006 assume_role_policy = <<EOT 1007 { 1008 "Version": "2008-10-17", 1009 "Statement": [ 1010 { 1011 "Sid": "", 1012 "Effect": "Allow", 1013 "Principal": { 1014 "Service": "elasticmapreduce.amazonaws.com" 1015 }, 1016 "Action": "sts:AssumeRole" 1017 } 1018 ] 1019 } 1020 EOT 1021 } 1022 1023 resource "aws_iam_role_policy_attachment" "service-attach" { 1024 role = "${aws_iam_role.iam_emr_default_role.id}" 1025 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1026 } 1027 1028 resource "aws_iam_policy" "iam_emr_default_policy" { 1029 name = "iam_emr_default_policy_%d" 1030 1031 policy = <<EOT 1032 { 1033 "Version": "2012-10-17", 1034 "Statement": [{ 1035 "Effect": "Allow", 1036 "Resource": "*", 1037 "Action": [ 1038 "ec2:AuthorizeSecurityGroupEgress", 1039 "ec2:AuthorizeSecurityGroupIngress", 1040 "ec2:CancelSpotInstanceRequests", 1041 "ec2:CreateNetworkInterface", 1042 "ec2:CreateSecurityGroup", 1043 "ec2:CreateTags", 1044 "ec2:DeleteNetworkInterface", 1045 "ec2:DeleteSecurityGroup", 1046 "ec2:DeleteTags", 1047 "ec2:DescribeAvailabilityZones", 1048 "ec2:DescribeAccountAttributes", 1049 "ec2:DescribeDhcpOptions", 1050 "ec2:DescribeInstanceStatus", 1051 "ec2:DescribeInstances", 1052 "ec2:DescribeKeyPairs", 1053 "ec2:DescribeNetworkAcls", 1054 "ec2:DescribeNetworkInterfaces", 1055 "ec2:DescribePrefixLists", 1056 "ec2:DescribeRouteTables", 1057 "ec2:DescribeSecurityGroups", 1058 "ec2:DescribeSpotInstanceRequests", 1059 "ec2:DescribeSpotPriceHistory", 1060 "ec2:DescribeSubnets", 1061 "ec2:DescribeVpcAttribute", 1062 "ec2:DescribeVpcEndpoints", 1063 "ec2:DescribeVpcEndpointServices", 1064 "ec2:DescribeVpcs", 1065 "ec2:DetachNetworkInterface", 1066 "ec2:ModifyImageAttribute", 1067 "ec2:ModifyInstanceAttribute", 1068 "ec2:RequestSpotInstances", 1069 "ec2:RevokeSecurityGroupEgress", 1070 "ec2:RunInstances", 1071 "ec2:TerminateInstances", 1072 "ec2:DeleteVolume", 1073 "ec2:DescribeVolumeStatus", 1074 "ec2:DescribeVolumes", 1075 "ec2:DetachVolume", 1076 "iam:GetRole", 1077 "iam:GetRolePolicy", 1078 "iam:ListInstanceProfiles", 1079 "iam:ListRolePolicies", 1080 "iam:PassRole", 1081 "s3:CreateBucket", 1082 "s3:Get*", 1083 "s3:List*", 1084 "sdb:BatchPutAttributes", 1085 "sdb:Select", 1086 "sqs:CreateQueue", 1087 "sqs:Delete*", 1088 "sqs:GetQueue*", 1089 "sqs:PurgeQueue", 1090 "sqs:ReceiveMessage" 1091 ] 1092 }] 1093 } 1094 EOT 1095 } 1096 1097 # IAM Role for EC2 Instance Profile 1098 resource "aws_iam_role" "iam_emr_profile_role" { 1099 name = "iam_emr_profile_role_%d" 1100 1101 assume_role_policy = <<EOT 1102 { 1103 "Version": "2008-10-17", 1104 "Statement": [ 1105 { 1106 "Sid": "", 1107 "Effect": "Allow", 1108 "Principal": { 1109 "Service": "ec2.amazonaws.com" 1110 }, 1111 "Action": "sts:AssumeRole" 1112 } 1113 ] 1114 } 1115 EOT 1116 } 1117 1118 resource "aws_iam_instance_profile" "emr_profile" { 1119 name = "emr_profile_%d" 1120 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1121 } 1122 1123 resource "aws_iam_role_policy_attachment" "profile-attach" { 1124 role = "${aws_iam_role.iam_emr_profile_role.id}" 1125 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1126 } 1127 1128 resource "aws_iam_policy" "iam_emr_profile_policy" { 1129 name = "iam_emr_profile_policy_%d" 1130 1131 policy = <<EOT 1132 { 1133 "Version": "2012-10-17", 1134 "Statement": [{ 1135 "Effect": "Allow", 1136 "Resource": "*", 1137 "Action": [ 1138 "cloudwatch:*", 1139 "dynamodb:*", 1140 "ec2:Describe*", 1141 "elasticmapreduce:Describe*", 1142 "elasticmapreduce:ListBootstrapActions", 1143 "elasticmapreduce:ListClusters", 1144 "elasticmapreduce:ListInstanceGroups", 1145 "elasticmapreduce:ListInstances", 1146 "elasticmapreduce:ListSteps", 1147 "kinesis:CreateStream", 1148 "kinesis:DeleteStream", 1149 "kinesis:DescribeStream", 1150 "kinesis:GetRecords", 1151 "kinesis:GetShardIterator", 1152 "kinesis:MergeShards", 1153 "kinesis:PutRecord", 1154 "kinesis:SplitShard", 1155 "rds:Describe*", 1156 "s3:*", 1157 "sdb:*", 1158 "sns:*", 1159 "sqs:*" 1160 ] 1161 }] 1162 } 1163 EOT 1164 } 1165 1166 # IAM Role for autoscaling 1167 resource "aws_iam_role" "emr-autoscaling-role" { 1168 name = "EMR_AutoScaling_DefaultRole_%d" 1169 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1170 } 1171 1172 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1173 statement { 1174 effect = "Allow" 1175 actions = ["sts:AssumeRole"] 1176 1177 principals = { 1178 type = "Service" 1179 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1180 } 1181 } 1182 } 1183 1184 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1185 role = "${aws_iam_role.emr-autoscaling-role.name}" 1186 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1187 } 1188 `, r, r, r, r, r, r, r, r, r, r) 1189 } 1190 1191 func testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r int) string { 1192 return fmt.Sprintf(` 1193 provider "aws" { 1194 region = "us-west-2" 1195 } 1196 1197 resource "aws_emr_cluster" "tf-test-cluster" { 1198 name = "emr-test-%d" 1199 release_label = "emr-4.6.0" 1200 applications = ["Spark"] 1201 1202 ec2_attributes { 1203 subnet_id = "${aws_subnet.main.id}" 1204 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1205 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1206 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1207 } 1208 1209 master_instance_type = "m3.xlarge" 1210 core_instance_type = "m3.xlarge" 1211 core_instance_count = 1 1212 1213 tags { 1214 role = "rolename" 1215 dns_zone = "env_zone" 1216 env = "env" 1217 name = "name-env" 1218 } 1219 1220 keep_job_flow_alive_when_no_steps = true 1221 visible_to_all_users = false 1222 1223 bootstrap_action { 1224 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1225 name = "runif" 1226 args = ["instance.isMaster=true", "echo running on master node"] 1227 } 1228 1229 configurations = "test-fixtures/emr_configurations.json" 1230 1231 depends_on = ["aws_main_route_table_association.a"] 1232 1233 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1234 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 1235 } 1236 1237 resource "aws_security_group" "allow_all" { 1238 name = "allow_all_%d" 1239 description = "Allow all inbound traffic" 1240 vpc_id = "${aws_vpc.main.id}" 1241 1242 ingress { 1243 from_port = 0 1244 to_port = 0 1245 protocol = "-1" 1246 cidr_blocks = ["0.0.0.0/0"] 1247 } 1248 1249 egress { 1250 from_port = 0 1251 to_port = 0 1252 protocol = "-1" 1253 cidr_blocks = ["0.0.0.0/0"] 1254 } 1255 1256 depends_on = ["aws_subnet.main"] 1257 1258 lifecycle { 1259 ignore_changes = ["ingress", "egress"] 1260 } 1261 1262 tags { 1263 name = "emr_test" 1264 } 1265 } 1266 1267 resource "aws_vpc" "main" { 1268 cidr_block = "168.31.0.0/16" 1269 enable_dns_hostnames = true 1270 1271 tags { 1272 name = "emr_test_%d" 1273 } 1274 } 1275 1276 resource "aws_subnet" "main" { 1277 vpc_id = "${aws_vpc.main.id}" 1278 cidr_block = "168.31.0.0/20" 1279 1280 tags { 1281 name = "emr_test_%d" 1282 } 1283 } 1284 1285 resource "aws_internet_gateway" "gw" { 1286 vpc_id = "${aws_vpc.main.id}" 1287 } 1288 1289 resource "aws_route_table" "r" { 1290 vpc_id = "${aws_vpc.main.id}" 1291 1292 route { 1293 cidr_block = "0.0.0.0/0" 1294 gateway_id = "${aws_internet_gateway.gw.id}" 1295 } 1296 } 1297 1298 resource "aws_main_route_table_association" "a" { 1299 vpc_id = "${aws_vpc.main.id}" 1300 route_table_id = "${aws_route_table.r.id}" 1301 } 1302 1303 ### 1304 1305 # IAM things 1306 1307 ### 1308 1309 # IAM role for EMR Service 1310 resource "aws_iam_role" "iam_emr_default_role" { 1311 name = "iam_emr_default_role_%d" 1312 1313 assume_role_policy = <<EOT 1314 { 1315 "Version": "2008-10-17", 1316 "Statement": [ 1317 { 1318 "Sid": "", 1319 "Effect": "Allow", 1320 "Principal": { 1321 "Service": "elasticmapreduce.amazonaws.com" 1322 }, 1323 "Action": "sts:AssumeRole" 1324 } 1325 ] 1326 } 1327 EOT 1328 } 1329 1330 resource "aws_iam_role_policy_attachment" "service-attach" { 1331 role = "${aws_iam_role.iam_emr_default_role.id}" 1332 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1333 } 1334 1335 resource "aws_iam_policy" "iam_emr_default_policy" { 1336 name = "iam_emr_default_policy_%d" 1337 1338 policy = <<EOT 1339 { 1340 "Version": "2012-10-17", 1341 "Statement": [{ 1342 "Effect": "Allow", 1343 "Resource": "*", 1344 "Action": [ 1345 "ec2:AuthorizeSecurityGroupEgress", 1346 "ec2:AuthorizeSecurityGroupIngress", 1347 "ec2:CancelSpotInstanceRequests", 1348 "ec2:CreateNetworkInterface", 1349 "ec2:CreateSecurityGroup", 1350 "ec2:CreateTags", 1351 "ec2:DeleteNetworkInterface", 1352 "ec2:DeleteSecurityGroup", 1353 "ec2:DeleteTags", 1354 "ec2:DescribeAvailabilityZones", 1355 "ec2:DescribeAccountAttributes", 1356 "ec2:DescribeDhcpOptions", 1357 "ec2:DescribeInstanceStatus", 1358 "ec2:DescribeInstances", 1359 "ec2:DescribeKeyPairs", 1360 "ec2:DescribeNetworkAcls", 1361 "ec2:DescribeNetworkInterfaces", 1362 "ec2:DescribePrefixLists", 1363 "ec2:DescribeRouteTables", 1364 "ec2:DescribeSecurityGroups", 1365 "ec2:DescribeSpotInstanceRequests", 1366 "ec2:DescribeSpotPriceHistory", 1367 "ec2:DescribeSubnets", 1368 "ec2:DescribeVpcAttribute", 1369 "ec2:DescribeVpcEndpoints", 1370 "ec2:DescribeVpcEndpointServices", 1371 "ec2:DescribeVpcs", 1372 "ec2:DetachNetworkInterface", 1373 "ec2:ModifyImageAttribute", 1374 "ec2:ModifyInstanceAttribute", 1375 "ec2:RequestSpotInstances", 1376 "ec2:RevokeSecurityGroupEgress", 1377 "ec2:RunInstances", 1378 "ec2:TerminateInstances", 1379 "ec2:DeleteVolume", 1380 "ec2:DescribeVolumeStatus", 1381 "ec2:DescribeVolumes", 1382 "ec2:DetachVolume", 1383 "iam:GetRole", 1384 "iam:GetRolePolicy", 1385 "iam:ListInstanceProfiles", 1386 "iam:ListRolePolicies", 1387 "iam:PassRole", 1388 "s3:CreateBucket", 1389 "s3:Get*", 1390 "s3:List*", 1391 "sdb:BatchPutAttributes", 1392 "sdb:Select", 1393 "sqs:CreateQueue", 1394 "sqs:Delete*", 1395 "sqs:GetQueue*", 1396 "sqs:PurgeQueue", 1397 "sqs:ReceiveMessage" 1398 ] 1399 }] 1400 } 1401 EOT 1402 } 1403 1404 # IAM Role for EC2 Instance Profile 1405 resource "aws_iam_role" "iam_emr_profile_role" { 1406 name = "iam_emr_profile_role_%d" 1407 1408 assume_role_policy = <<EOT 1409 { 1410 "Version": "2008-10-17", 1411 "Statement": [ 1412 { 1413 "Sid": "", 1414 "Effect": "Allow", 1415 "Principal": { 1416 "Service": "ec2.amazonaws.com" 1417 }, 1418 "Action": "sts:AssumeRole" 1419 } 1420 ] 1421 } 1422 EOT 1423 } 1424 1425 resource "aws_iam_instance_profile" "emr_profile" { 1426 name = "emr_profile_%d" 1427 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1428 } 1429 1430 resource "aws_iam_role_policy_attachment" "profile-attach" { 1431 role = "${aws_iam_role.iam_emr_profile_role.id}" 1432 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1433 } 1434 1435 resource "aws_iam_policy" "iam_emr_profile_policy" { 1436 name = "iam_emr_profile_policy_%d" 1437 1438 policy = <<EOT 1439 { 1440 "Version": "2012-10-17", 1441 "Statement": [{ 1442 "Effect": "Allow", 1443 "Resource": "*", 1444 "Action": [ 1445 "cloudwatch:*", 1446 "dynamodb:*", 1447 "ec2:Describe*", 1448 "elasticmapreduce:Describe*", 1449 "elasticmapreduce:ListBootstrapActions", 1450 "elasticmapreduce:ListClusters", 1451 "elasticmapreduce:ListInstanceGroups", 1452 "elasticmapreduce:ListInstances", 1453 "elasticmapreduce:ListSteps", 1454 "kinesis:CreateStream", 1455 "kinesis:DeleteStream", 1456 "kinesis:DescribeStream", 1457 "kinesis:GetRecords", 1458 "kinesis:GetShardIterator", 1459 "kinesis:MergeShards", 1460 "kinesis:PutRecord", 1461 "kinesis:SplitShard", 1462 "rds:Describe*", 1463 "s3:*", 1464 "sdb:*", 1465 "sns:*", 1466 "sqs:*" 1467 ] 1468 }] 1469 } 1470 EOT 1471 } 1472 1473 # IAM Role for autoscaling 1474 resource "aws_iam_role" "emr-autoscaling-role" { 1475 name = "EMR_AutoScaling_DefaultRole_%d" 1476 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1477 } 1478 1479 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1480 statement { 1481 effect = "Allow" 1482 actions = ["sts:AssumeRole"] 1483 1484 principals = { 1485 type = "Service" 1486 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1487 } 1488 } 1489 } 1490 1491 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1492 role = "${aws_iam_role.emr-autoscaling-role.name}" 1493 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1494 } 1495 `, r, r, r, r, r, r, r, r, r, r) 1496 } 1497 1498 func testAccAWSEmrClusterConfigUpdatedTags(r int) string { 1499 return fmt.Sprintf(` 1500 provider "aws" { 1501 region = "us-west-2" 1502 } 1503 1504 resource "aws_emr_cluster" "tf-test-cluster" { 1505 name = "emr-test-%d" 1506 release_label = "emr-4.6.0" 1507 applications = ["Spark"] 1508 1509 ec2_attributes { 1510 subnet_id = "${aws_subnet.main.id}" 1511 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1512 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1513 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1514 } 1515 1516 master_instance_type = "m3.xlarge" 1517 core_instance_type = "m3.xlarge" 1518 core_instance_count = 1 1519 1520 tags { 1521 dns_zone = "new_zone" 1522 Env = "production" 1523 name = "name-env" 1524 } 1525 1526 keep_job_flow_alive_when_no_steps = true 1527 termination_protection = false 1528 1529 bootstrap_action { 1530 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1531 name = "runif" 1532 args = ["instance.isMaster=true", "echo running on master node"] 1533 } 1534 1535 configurations = "test-fixtures/emr_configurations.json" 1536 1537 depends_on = ["aws_main_route_table_association.a"] 1538 1539 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1540 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 1541 } 1542 1543 resource "aws_security_group" "allow_all" { 1544 name = "allow_all_%d" 1545 description = "Allow all inbound traffic" 1546 vpc_id = "${aws_vpc.main.id}" 1547 1548 ingress { 1549 from_port = 0 1550 to_port = 0 1551 protocol = "-1" 1552 cidr_blocks = ["0.0.0.0/0"] 1553 } 1554 1555 egress { 1556 from_port = 0 1557 to_port = 0 1558 protocol = "-1" 1559 cidr_blocks = ["0.0.0.0/0"] 1560 } 1561 1562 depends_on = ["aws_subnet.main"] 1563 1564 lifecycle { 1565 ignore_changes = ["ingress", "egress"] 1566 } 1567 1568 tags { 1569 name = "emr_test" 1570 } 1571 } 1572 1573 resource "aws_vpc" "main" { 1574 cidr_block = "168.31.0.0/16" 1575 enable_dns_hostnames = true 1576 1577 tags { 1578 name = "emr_test_%d" 1579 } 1580 } 1581 1582 resource "aws_subnet" "main" { 1583 vpc_id = "${aws_vpc.main.id}" 1584 cidr_block = "168.31.0.0/20" 1585 1586 tags { 1587 name = "emr_test_%d" 1588 } 1589 } 1590 1591 resource "aws_internet_gateway" "gw" { 1592 vpc_id = "${aws_vpc.main.id}" 1593 } 1594 1595 resource "aws_route_table" "r" { 1596 vpc_id = "${aws_vpc.main.id}" 1597 1598 route { 1599 cidr_block = "0.0.0.0/0" 1600 gateway_id = "${aws_internet_gateway.gw.id}" 1601 } 1602 } 1603 1604 resource "aws_main_route_table_association" "a" { 1605 vpc_id = "${aws_vpc.main.id}" 1606 route_table_id = "${aws_route_table.r.id}" 1607 } 1608 1609 ### 1610 1611 # IAM things 1612 1613 ### 1614 1615 # IAM role for EMR Service 1616 resource "aws_iam_role" "iam_emr_default_role" { 1617 name = "iam_emr_default_role_%d" 1618 1619 assume_role_policy = <<EOT 1620 { 1621 "Version": "2008-10-17", 1622 "Statement": [ 1623 { 1624 "Sid": "", 1625 "Effect": "Allow", 1626 "Principal": { 1627 "Service": "elasticmapreduce.amazonaws.com" 1628 }, 1629 "Action": "sts:AssumeRole" 1630 } 1631 ] 1632 } 1633 EOT 1634 } 1635 1636 resource "aws_iam_role_policy_attachment" "service-attach" { 1637 role = "${aws_iam_role.iam_emr_default_role.id}" 1638 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1639 } 1640 1641 resource "aws_iam_policy" "iam_emr_default_policy" { 1642 name = "iam_emr_default_policy_%d" 1643 1644 policy = <<EOT 1645 { 1646 "Version": "2012-10-17", 1647 "Statement": [{ 1648 "Effect": "Allow", 1649 "Resource": "*", 1650 "Action": [ 1651 "ec2:AuthorizeSecurityGroupEgress", 1652 "ec2:AuthorizeSecurityGroupIngress", 1653 "ec2:CancelSpotInstanceRequests", 1654 "ec2:CreateNetworkInterface", 1655 "ec2:CreateSecurityGroup", 1656 "ec2:CreateTags", 1657 "ec2:DeleteNetworkInterface", 1658 "ec2:DeleteSecurityGroup", 1659 "ec2:DeleteTags", 1660 "ec2:DescribeAvailabilityZones", 1661 "ec2:DescribeAccountAttributes", 1662 "ec2:DescribeDhcpOptions", 1663 "ec2:DescribeInstanceStatus", 1664 "ec2:DescribeInstances", 1665 "ec2:DescribeKeyPairs", 1666 "ec2:DescribeNetworkAcls", 1667 "ec2:DescribeNetworkInterfaces", 1668 "ec2:DescribePrefixLists", 1669 "ec2:DescribeRouteTables", 1670 "ec2:DescribeSecurityGroups", 1671 "ec2:DescribeSpotInstanceRequests", 1672 "ec2:DescribeSpotPriceHistory", 1673 "ec2:DescribeSubnets", 1674 "ec2:DescribeVpcAttribute", 1675 "ec2:DescribeVpcEndpoints", 1676 "ec2:DescribeVpcEndpointServices", 1677 "ec2:DescribeVpcs", 1678 "ec2:DetachNetworkInterface", 1679 "ec2:ModifyImageAttribute", 1680 "ec2:ModifyInstanceAttribute", 1681 "ec2:RequestSpotInstances", 1682 "ec2:RevokeSecurityGroupEgress", 1683 "ec2:RunInstances", 1684 "ec2:TerminateInstances", 1685 "ec2:DeleteVolume", 1686 "ec2:DescribeVolumeStatus", 1687 "ec2:DescribeVolumes", 1688 "ec2:DetachVolume", 1689 "iam:GetRole", 1690 "iam:GetRolePolicy", 1691 "iam:ListInstanceProfiles", 1692 "iam:ListRolePolicies", 1693 "iam:PassRole", 1694 "s3:CreateBucket", 1695 "s3:Get*", 1696 "s3:List*", 1697 "sdb:BatchPutAttributes", 1698 "sdb:Select", 1699 "sqs:CreateQueue", 1700 "sqs:Delete*", 1701 "sqs:GetQueue*", 1702 "sqs:PurgeQueue", 1703 "sqs:ReceiveMessage" 1704 ] 1705 }] 1706 } 1707 EOT 1708 } 1709 1710 # IAM Role for EC2 Instance Profile 1711 resource "aws_iam_role" "iam_emr_profile_role" { 1712 name = "iam_emr_profile_role_%d" 1713 1714 assume_role_policy = <<EOT 1715 { 1716 "Version": "2008-10-17", 1717 "Statement": [ 1718 { 1719 "Sid": "", 1720 "Effect": "Allow", 1721 "Principal": { 1722 "Service": "ec2.amazonaws.com" 1723 }, 1724 "Action": "sts:AssumeRole" 1725 } 1726 ] 1727 } 1728 EOT 1729 } 1730 1731 resource "aws_iam_instance_profile" "emr_profile" { 1732 name = "emr_profile_%d" 1733 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1734 } 1735 1736 resource "aws_iam_role_policy_attachment" "profile-attach" { 1737 role = "${aws_iam_role.iam_emr_profile_role.id}" 1738 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1739 } 1740 1741 resource "aws_iam_policy" "iam_emr_profile_policy" { 1742 name = "iam_emr_profile_policy_%d" 1743 1744 policy = <<EOT 1745 { 1746 "Version": "2012-10-17", 1747 "Statement": [{ 1748 "Effect": "Allow", 1749 "Resource": "*", 1750 "Action": [ 1751 "cloudwatch:*", 1752 "dynamodb:*", 1753 "ec2:Describe*", 1754 "elasticmapreduce:Describe*", 1755 "elasticmapreduce:ListBootstrapActions", 1756 "elasticmapreduce:ListClusters", 1757 "elasticmapreduce:ListInstanceGroups", 1758 "elasticmapreduce:ListInstances", 1759 "elasticmapreduce:ListSteps", 1760 "kinesis:CreateStream", 1761 "kinesis:DeleteStream", 1762 "kinesis:DescribeStream", 1763 "kinesis:GetRecords", 1764 "kinesis:GetShardIterator", 1765 "kinesis:MergeShards", 1766 "kinesis:PutRecord", 1767 "kinesis:SplitShard", 1768 "rds:Describe*", 1769 "s3:*", 1770 "sdb:*", 1771 "sns:*", 1772 "sqs:*" 1773 ] 1774 }] 1775 } 1776 EOT 1777 } 1778 1779 # IAM Role for autoscaling 1780 resource "aws_iam_role" "emr-autoscaling-role" { 1781 name = "EMR_AutoScaling_DefaultRole_%d" 1782 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1783 } 1784 1785 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1786 statement { 1787 effect = "Allow" 1788 actions = ["sts:AssumeRole"] 1789 1790 principals = { 1791 type = "Service" 1792 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1793 } 1794 } 1795 } 1796 1797 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1798 role = "${aws_iam_role.emr-autoscaling-role.name}" 1799 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1800 } 1801 `, r, r, r, r, r, r, r, r, r, r) 1802 }