github.com/dougneal/terraform@v0.6.15-0.20170330092735-b6a3840768a4/builtin/providers/aws/resource_aws_emr_cluster_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "log" 6 "testing" 7 8 "github.com/aws/aws-sdk-go/aws" 9 "github.com/aws/aws-sdk-go/aws/awserr" 10 "github.com/aws/aws-sdk-go/service/emr" 11 "github.com/hashicorp/terraform/helper/acctest" 12 "github.com/hashicorp/terraform/helper/resource" 13 "github.com/hashicorp/terraform/terraform" 14 ) 15 16 func TestAccAWSEMRCluster_basic(t *testing.T) { 17 var jobFlow emr.RunJobFlowOutput 18 r := acctest.RandInt() 19 resource.Test(t, resource.TestCase{ 20 PreCheck: func() { testAccPreCheck(t) }, 21 Providers: testAccProviders, 22 CheckDestroy: testAccCheckAWSEmrDestroy, 23 Steps: []resource.TestStep{ 24 { 25 Config: testAccAWSEmrClusterConfig(r), 26 Check: testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 27 }, 28 }, 29 }) 30 } 31 32 func TestAccAWSEMRCluster_terminationProtected(t *testing.T) { 33 var jobFlow emr.RunJobFlowOutput 34 r := acctest.RandInt() 35 resource.Test(t, resource.TestCase{ 36 PreCheck: func() { testAccPreCheck(t) }, 37 Providers: testAccProviders, 38 CheckDestroy: testAccCheckAWSEmrDestroy, 39 Steps: []resource.TestStep{ 40 { 41 Config: testAccAWSEmrClusterConfig(r), 42 Check: resource.ComposeTestCheckFunc( 43 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 44 resource.TestCheckResourceAttr( 45 "aws_emr_cluster.tf-test-cluster", "termination_protection", "false"), 46 ), 47 }, 48 { 49 Config: testAccAWSEmrClusterConfigTerminationPolicyUpdated(r), 50 Check: resource.ComposeTestCheckFunc( 51 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 52 resource.TestCheckResourceAttr( 53 "aws_emr_cluster.tf-test-cluster", "termination_protection", "true"), 54 ), 55 }, 56 { 57 //Need to turn off termination_protection to allow the job to be deleted 58 Config: testAccAWSEmrClusterConfig(r), 59 Check: resource.ComposeTestCheckFunc( 60 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 61 ), 62 }, 63 }, 64 }) 65 } 66 67 func TestAccAWSEMRCluster_visibleToAllUsers(t *testing.T) { 68 var jobFlow emr.RunJobFlowOutput 69 r := acctest.RandInt() 70 resource.Test(t, resource.TestCase{ 71 PreCheck: func() { testAccPreCheck(t) }, 72 Providers: testAccProviders, 73 CheckDestroy: testAccCheckAWSEmrDestroy, 74 Steps: []resource.TestStep{ 75 { 76 Config: testAccAWSEmrClusterConfig(r), 77 Check: resource.ComposeTestCheckFunc( 78 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 79 resource.TestCheckResourceAttr( 80 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "true"), 81 ), 82 }, 83 { 84 Config: testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r), 85 Check: resource.ComposeTestCheckFunc( 86 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 87 resource.TestCheckResourceAttr( 88 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "false"), 89 ), 90 }, 91 }, 92 }) 93 } 94 95 func TestAccAWSEMRCluster_tags(t *testing.T) { 96 var jobFlow emr.RunJobFlowOutput 97 r := acctest.RandInt() 98 resource.Test(t, resource.TestCase{ 99 PreCheck: func() { testAccPreCheck(t) }, 100 Providers: testAccProviders, 101 CheckDestroy: testAccCheckAWSEmrDestroy, 102 Steps: []resource.TestStep{ 103 { 104 Config: testAccAWSEmrClusterConfig(r), 105 Check: resource.ComposeTestCheckFunc( 106 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 107 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "4"), 108 resource.TestCheckResourceAttr( 109 "aws_emr_cluster.tf-test-cluster", "tags.role", "rolename"), 110 resource.TestCheckResourceAttr( 111 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "env_zone"), 112 resource.TestCheckResourceAttr( 113 "aws_emr_cluster.tf-test-cluster", "tags.env", "env"), 114 resource.TestCheckResourceAttr( 115 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env")), 116 }, 117 { 118 Config: testAccAWSEmrClusterConfigUpdatedTags(r), 119 Check: resource.ComposeTestCheckFunc( 120 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 121 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "3"), 122 resource.TestCheckResourceAttr( 123 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "new_zone"), 124 resource.TestCheckResourceAttr( 125 "aws_emr_cluster.tf-test-cluster", "tags.Env", "production"), 126 resource.TestCheckResourceAttr( 127 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env"), 128 ), 129 }, 130 }, 131 }) 132 } 133 134 func testAccCheckAWSEmrDestroy(s *terraform.State) error { 135 conn := testAccProvider.Meta().(*AWSClient).emrconn 136 137 for _, rs := range s.RootModule().Resources { 138 if rs.Type != "aws_emr_cluster" { 139 continue 140 } 141 142 params := &emr.DescribeClusterInput{ 143 ClusterId: aws.String(rs.Primary.ID), 144 } 145 146 describe, err := conn.DescribeCluster(params) 147 148 if err == nil { 149 if describe.Cluster != nil && 150 *describe.Cluster.Status.State == "WAITING" { 151 return fmt.Errorf("EMR Cluster still exists") 152 } 153 } 154 155 providerErr, ok := err.(awserr.Error) 156 if !ok { 157 return err 158 } 159 160 log.Printf("[ERROR] %v", providerErr) 161 } 162 163 return nil 164 } 165 166 func testAccCheckAWSEmrClusterExists(n string, v *emr.RunJobFlowOutput) resource.TestCheckFunc { 167 return func(s *terraform.State) error { 168 rs, ok := s.RootModule().Resources[n] 169 if !ok { 170 return fmt.Errorf("Not found: %s", n) 171 } 172 if rs.Primary.ID == "" { 173 return fmt.Errorf("No cluster id set") 174 } 175 conn := testAccProvider.Meta().(*AWSClient).emrconn 176 describe, err := conn.DescribeCluster(&emr.DescribeClusterInput{ 177 ClusterId: aws.String(rs.Primary.ID), 178 }) 179 if err != nil { 180 return fmt.Errorf("EMR error: %v", err) 181 } 182 183 if describe.Cluster != nil && 184 *describe.Cluster.Id != rs.Primary.ID { 185 return fmt.Errorf("EMR cluser not found") 186 } 187 188 if describe.Cluster != nil && 189 *describe.Cluster.Status.State != "WAITING" { 190 return fmt.Errorf("EMR cluser is not up yet") 191 } 192 193 return nil 194 } 195 } 196 197 func testAccAWSEmrClusterConfig(r int) string { 198 return fmt.Sprintf(` 199 provider "aws" { 200 region = "us-west-2" 201 } 202 203 resource "aws_emr_cluster" "tf-test-cluster" { 204 name = "emr-test-%d" 205 release_label = "emr-4.6.0" 206 applications = ["Spark"] 207 208 ec2_attributes { 209 subnet_id = "${aws_subnet.main.id}" 210 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 211 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 212 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 213 } 214 215 master_instance_type = "m3.xlarge" 216 core_instance_type = "m3.xlarge" 217 core_instance_count = 1 218 219 tags { 220 role = "rolename" 221 dns_zone = "env_zone" 222 env = "env" 223 name = "name-env" 224 } 225 226 keep_job_flow_alive_when_no_steps = true 227 termination_protection = false 228 229 bootstrap_action { 230 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 231 name = "runif" 232 args = ["instance.isMaster=true", "echo running on master node"] 233 } 234 235 configurations = "test-fixtures/emr_configurations.json" 236 237 depends_on = ["aws_main_route_table_association.a"] 238 239 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 240 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 241 } 242 243 resource "aws_security_group" "allow_all" { 244 name = "allow_all" 245 description = "Allow all inbound traffic" 246 vpc_id = "${aws_vpc.main.id}" 247 248 ingress { 249 from_port = 0 250 to_port = 0 251 protocol = "-1" 252 cidr_blocks = ["0.0.0.0/0"] 253 } 254 255 egress { 256 from_port = 0 257 to_port = 0 258 protocol = "-1" 259 cidr_blocks = ["0.0.0.0/0"] 260 } 261 262 depends_on = ["aws_subnet.main"] 263 264 lifecycle { 265 ignore_changes = ["ingress", "egress"] 266 } 267 268 tags { 269 name = "emr_test" 270 } 271 } 272 273 resource "aws_vpc" "main" { 274 cidr_block = "168.31.0.0/16" 275 enable_dns_hostnames = true 276 277 tags { 278 name = "emr_test" 279 } 280 } 281 282 resource "aws_subnet" "main" { 283 vpc_id = "${aws_vpc.main.id}" 284 cidr_block = "168.31.0.0/20" 285 286 tags { 287 name = "emr_test" 288 } 289 } 290 291 resource "aws_internet_gateway" "gw" { 292 vpc_id = "${aws_vpc.main.id}" 293 } 294 295 resource "aws_route_table" "r" { 296 vpc_id = "${aws_vpc.main.id}" 297 298 route { 299 cidr_block = "0.0.0.0/0" 300 gateway_id = "${aws_internet_gateway.gw.id}" 301 } 302 } 303 304 resource "aws_main_route_table_association" "a" { 305 vpc_id = "${aws_vpc.main.id}" 306 route_table_id = "${aws_route_table.r.id}" 307 } 308 309 ### 310 311 # IAM things 312 313 ### 314 315 # IAM role for EMR Service 316 resource "aws_iam_role" "iam_emr_default_role" { 317 name = "iam_emr_default_role_%d" 318 319 assume_role_policy = <<EOT 320 { 321 "Version": "2008-10-17", 322 "Statement": [ 323 { 324 "Sid": "", 325 "Effect": "Allow", 326 "Principal": { 327 "Service": "elasticmapreduce.amazonaws.com" 328 }, 329 "Action": "sts:AssumeRole" 330 } 331 ] 332 } 333 EOT 334 } 335 336 resource "aws_iam_role_policy_attachment" "service-attach" { 337 role = "${aws_iam_role.iam_emr_default_role.id}" 338 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 339 } 340 341 resource "aws_iam_policy" "iam_emr_default_policy" { 342 name = "iam_emr_default_policy_%d" 343 344 policy = <<EOT 345 { 346 "Version": "2012-10-17", 347 "Statement": [{ 348 "Effect": "Allow", 349 "Resource": "*", 350 "Action": [ 351 "ec2:AuthorizeSecurityGroupEgress", 352 "ec2:AuthorizeSecurityGroupIngress", 353 "ec2:CancelSpotInstanceRequests", 354 "ec2:CreateNetworkInterface", 355 "ec2:CreateSecurityGroup", 356 "ec2:CreateTags", 357 "ec2:DeleteNetworkInterface", 358 "ec2:DeleteSecurityGroup", 359 "ec2:DeleteTags", 360 "ec2:DescribeAvailabilityZones", 361 "ec2:DescribeAccountAttributes", 362 "ec2:DescribeDhcpOptions", 363 "ec2:DescribeInstanceStatus", 364 "ec2:DescribeInstances", 365 "ec2:DescribeKeyPairs", 366 "ec2:DescribeNetworkAcls", 367 "ec2:DescribeNetworkInterfaces", 368 "ec2:DescribePrefixLists", 369 "ec2:DescribeRouteTables", 370 "ec2:DescribeSecurityGroups", 371 "ec2:DescribeSpotInstanceRequests", 372 "ec2:DescribeSpotPriceHistory", 373 "ec2:DescribeSubnets", 374 "ec2:DescribeVpcAttribute", 375 "ec2:DescribeVpcEndpoints", 376 "ec2:DescribeVpcEndpointServices", 377 "ec2:DescribeVpcs", 378 "ec2:DetachNetworkInterface", 379 "ec2:ModifyImageAttribute", 380 "ec2:ModifyInstanceAttribute", 381 "ec2:RequestSpotInstances", 382 "ec2:RevokeSecurityGroupEgress", 383 "ec2:RunInstances", 384 "ec2:TerminateInstances", 385 "ec2:DeleteVolume", 386 "ec2:DescribeVolumeStatus", 387 "ec2:DescribeVolumes", 388 "ec2:DetachVolume", 389 "iam:GetRole", 390 "iam:GetRolePolicy", 391 "iam:ListInstanceProfiles", 392 "iam:ListRolePolicies", 393 "iam:PassRole", 394 "s3:CreateBucket", 395 "s3:Get*", 396 "s3:List*", 397 "sdb:BatchPutAttributes", 398 "sdb:Select", 399 "sqs:CreateQueue", 400 "sqs:Delete*", 401 "sqs:GetQueue*", 402 "sqs:PurgeQueue", 403 "sqs:ReceiveMessage" 404 ] 405 }] 406 } 407 EOT 408 } 409 410 # IAM Role for EC2 Instance Profile 411 resource "aws_iam_role" "iam_emr_profile_role" { 412 name = "iam_emr_profile_role_%d" 413 414 assume_role_policy = <<EOT 415 { 416 "Version": "2008-10-17", 417 "Statement": [ 418 { 419 "Sid": "", 420 "Effect": "Allow", 421 "Principal": { 422 "Service": "ec2.amazonaws.com" 423 }, 424 "Action": "sts:AssumeRole" 425 } 426 ] 427 } 428 EOT 429 } 430 431 resource "aws_iam_instance_profile" "emr_profile" { 432 name = "emr_profile_%d" 433 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 434 } 435 436 resource "aws_iam_role_policy_attachment" "profile-attach" { 437 role = "${aws_iam_role.iam_emr_profile_role.id}" 438 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 439 } 440 441 resource "aws_iam_policy" "iam_emr_profile_policy" { 442 name = "iam_emr_profile_policy_%d" 443 444 policy = <<EOT 445 { 446 "Version": "2012-10-17", 447 "Statement": [{ 448 "Effect": "Allow", 449 "Resource": "*", 450 "Action": [ 451 "cloudwatch:*", 452 "dynamodb:*", 453 "ec2:Describe*", 454 "elasticmapreduce:Describe*", 455 "elasticmapreduce:ListBootstrapActions", 456 "elasticmapreduce:ListClusters", 457 "elasticmapreduce:ListInstanceGroups", 458 "elasticmapreduce:ListInstances", 459 "elasticmapreduce:ListSteps", 460 "kinesis:CreateStream", 461 "kinesis:DeleteStream", 462 "kinesis:DescribeStream", 463 "kinesis:GetRecords", 464 "kinesis:GetShardIterator", 465 "kinesis:MergeShards", 466 "kinesis:PutRecord", 467 "kinesis:SplitShard", 468 "rds:Describe*", 469 "s3:*", 470 "sdb:*", 471 "sns:*", 472 "sqs:*" 473 ] 474 }] 475 } 476 EOT 477 } 478 479 # IAM Role for autoscaling 480 resource "aws_iam_role" "emr-autoscaling-role" { 481 name = "EMR_AutoScaling_DefaultRole" 482 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 483 } 484 485 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 486 statement { 487 effect = "Allow" 488 actions = ["sts:AssumeRole"] 489 490 principals = { 491 type = "Service" 492 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 493 } 494 } 495 } 496 497 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 498 role = "${aws_iam_role.emr-autoscaling-role.name}" 499 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 500 } 501 `, r, r, r, r, r, r) 502 } 503 504 func testAccAWSEmrClusterConfigTerminationPolicyUpdated(r int) string { 505 return fmt.Sprintf(` 506 provider "aws" { 507 region = "us-west-2" 508 } 509 510 resource "aws_emr_cluster" "tf-test-cluster" { 511 name = "emr-test-%d" 512 release_label = "emr-4.6.0" 513 applications = ["Spark"] 514 515 ec2_attributes { 516 subnet_id = "${aws_subnet.main.id}" 517 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 518 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 519 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 520 } 521 522 master_instance_type = "m3.xlarge" 523 core_instance_type = "m3.xlarge" 524 core_instance_count = 1 525 526 tags { 527 role = "rolename" 528 dns_zone = "env_zone" 529 env = "env" 530 name = "name-env" 531 } 532 533 keep_job_flow_alive_when_no_steps = true 534 termination_protection = true 535 536 bootstrap_action { 537 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 538 name = "runif" 539 args = ["instance.isMaster=true", "echo running on master node"] 540 } 541 542 configurations = "test-fixtures/emr_configurations.json" 543 544 depends_on = ["aws_main_route_table_association.a"] 545 546 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 547 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 548 } 549 550 resource "aws_security_group" "allow_all" { 551 name = "allow_all" 552 description = "Allow all inbound traffic" 553 vpc_id = "${aws_vpc.main.id}" 554 555 ingress { 556 from_port = 0 557 to_port = 0 558 protocol = "-1" 559 cidr_blocks = ["0.0.0.0/0"] 560 } 561 562 egress { 563 from_port = 0 564 to_port = 0 565 protocol = "-1" 566 cidr_blocks = ["0.0.0.0/0"] 567 } 568 569 depends_on = ["aws_subnet.main"] 570 571 lifecycle { 572 ignore_changes = ["ingress", "egress"] 573 } 574 575 tags { 576 name = "emr_test" 577 } 578 } 579 580 resource "aws_vpc" "main" { 581 cidr_block = "168.31.0.0/16" 582 enable_dns_hostnames = true 583 584 tags { 585 name = "emr_test" 586 } 587 } 588 589 resource "aws_subnet" "main" { 590 vpc_id = "${aws_vpc.main.id}" 591 cidr_block = "168.31.0.0/20" 592 593 tags { 594 name = "emr_test" 595 } 596 } 597 598 resource "aws_internet_gateway" "gw" { 599 vpc_id = "${aws_vpc.main.id}" 600 } 601 602 resource "aws_route_table" "r" { 603 vpc_id = "${aws_vpc.main.id}" 604 605 route { 606 cidr_block = "0.0.0.0/0" 607 gateway_id = "${aws_internet_gateway.gw.id}" 608 } 609 } 610 611 resource "aws_main_route_table_association" "a" { 612 vpc_id = "${aws_vpc.main.id}" 613 route_table_id = "${aws_route_table.r.id}" 614 } 615 616 ### 617 618 # IAM things 619 620 ### 621 622 # IAM role for EMR Service 623 resource "aws_iam_role" "iam_emr_default_role" { 624 name = "iam_emr_default_role_%d" 625 626 assume_role_policy = <<EOT 627 { 628 "Version": "2008-10-17", 629 "Statement": [ 630 { 631 "Sid": "", 632 "Effect": "Allow", 633 "Principal": { 634 "Service": "elasticmapreduce.amazonaws.com" 635 }, 636 "Action": "sts:AssumeRole" 637 } 638 ] 639 } 640 EOT 641 } 642 643 resource "aws_iam_role_policy_attachment" "service-attach" { 644 role = "${aws_iam_role.iam_emr_default_role.id}" 645 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 646 } 647 648 resource "aws_iam_policy" "iam_emr_default_policy" { 649 name = "iam_emr_default_policy_%d" 650 651 policy = <<EOT 652 { 653 "Version": "2012-10-17", 654 "Statement": [{ 655 "Effect": "Allow", 656 "Resource": "*", 657 "Action": [ 658 "ec2:AuthorizeSecurityGroupEgress", 659 "ec2:AuthorizeSecurityGroupIngress", 660 "ec2:CancelSpotInstanceRequests", 661 "ec2:CreateNetworkInterface", 662 "ec2:CreateSecurityGroup", 663 "ec2:CreateTags", 664 "ec2:DeleteNetworkInterface", 665 "ec2:DeleteSecurityGroup", 666 "ec2:DeleteTags", 667 "ec2:DescribeAvailabilityZones", 668 "ec2:DescribeAccountAttributes", 669 "ec2:DescribeDhcpOptions", 670 "ec2:DescribeInstanceStatus", 671 "ec2:DescribeInstances", 672 "ec2:DescribeKeyPairs", 673 "ec2:DescribeNetworkAcls", 674 "ec2:DescribeNetworkInterfaces", 675 "ec2:DescribePrefixLists", 676 "ec2:DescribeRouteTables", 677 "ec2:DescribeSecurityGroups", 678 "ec2:DescribeSpotInstanceRequests", 679 "ec2:DescribeSpotPriceHistory", 680 "ec2:DescribeSubnets", 681 "ec2:DescribeVpcAttribute", 682 "ec2:DescribeVpcEndpoints", 683 "ec2:DescribeVpcEndpointServices", 684 "ec2:DescribeVpcs", 685 "ec2:DetachNetworkInterface", 686 "ec2:ModifyImageAttribute", 687 "ec2:ModifyInstanceAttribute", 688 "ec2:RequestSpotInstances", 689 "ec2:RevokeSecurityGroupEgress", 690 "ec2:RunInstances", 691 "ec2:TerminateInstances", 692 "ec2:DeleteVolume", 693 "ec2:DescribeVolumeStatus", 694 "ec2:DescribeVolumes", 695 "ec2:DetachVolume", 696 "iam:GetRole", 697 "iam:GetRolePolicy", 698 "iam:ListInstanceProfiles", 699 "iam:ListRolePolicies", 700 "iam:PassRole", 701 "s3:CreateBucket", 702 "s3:Get*", 703 "s3:List*", 704 "sdb:BatchPutAttributes", 705 "sdb:Select", 706 "sqs:CreateQueue", 707 "sqs:Delete*", 708 "sqs:GetQueue*", 709 "sqs:PurgeQueue", 710 "sqs:ReceiveMessage" 711 ] 712 }] 713 } 714 EOT 715 } 716 717 # IAM Role for EC2 Instance Profile 718 resource "aws_iam_role" "iam_emr_profile_role" { 719 name = "iam_emr_profile_role_%d" 720 721 assume_role_policy = <<EOT 722 { 723 "Version": "2008-10-17", 724 "Statement": [ 725 { 726 "Sid": "", 727 "Effect": "Allow", 728 "Principal": { 729 "Service": "ec2.amazonaws.com" 730 }, 731 "Action": "sts:AssumeRole" 732 } 733 ] 734 } 735 EOT 736 } 737 738 resource "aws_iam_instance_profile" "emr_profile" { 739 name = "emr_profile_%d" 740 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 741 } 742 743 resource "aws_iam_role_policy_attachment" "profile-attach" { 744 role = "${aws_iam_role.iam_emr_profile_role.id}" 745 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 746 } 747 748 resource "aws_iam_policy" "iam_emr_profile_policy" { 749 name = "iam_emr_profile_policy_%d" 750 751 policy = <<EOT 752 { 753 "Version": "2012-10-17", 754 "Statement": [{ 755 "Effect": "Allow", 756 "Resource": "*", 757 "Action": [ 758 "cloudwatch:*", 759 "dynamodb:*", 760 "ec2:Describe*", 761 "elasticmapreduce:Describe*", 762 "elasticmapreduce:ListBootstrapActions", 763 "elasticmapreduce:ListClusters", 764 "elasticmapreduce:ListInstanceGroups", 765 "elasticmapreduce:ListInstances", 766 "elasticmapreduce:ListSteps", 767 "kinesis:CreateStream", 768 "kinesis:DeleteStream", 769 "kinesis:DescribeStream", 770 "kinesis:GetRecords", 771 "kinesis:GetShardIterator", 772 "kinesis:MergeShards", 773 "kinesis:PutRecord", 774 "kinesis:SplitShard", 775 "rds:Describe*", 776 "s3:*", 777 "sdb:*", 778 "sns:*", 779 "sqs:*" 780 ] 781 }] 782 } 783 EOT 784 } 785 786 # IAM Role for autoscaling 787 resource "aws_iam_role" "emr-autoscaling-role" { 788 name = "EMR_AutoScaling_DefaultRole" 789 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 790 } 791 792 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 793 statement { 794 effect = "Allow" 795 actions = ["sts:AssumeRole"] 796 797 principals = { 798 type = "Service" 799 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 800 } 801 } 802 } 803 804 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 805 role = "${aws_iam_role.emr-autoscaling-role.name}" 806 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 807 } 808 `, r, r, r, r, r, r) 809 } 810 811 func testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r int) string { 812 return fmt.Sprintf(` 813 provider "aws" { 814 region = "us-west-2" 815 } 816 817 resource "aws_emr_cluster" "tf-test-cluster" { 818 name = "emr-test-%d" 819 release_label = "emr-4.6.0" 820 applications = ["Spark"] 821 822 ec2_attributes { 823 subnet_id = "${aws_subnet.main.id}" 824 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 825 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 826 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 827 } 828 829 master_instance_type = "m3.xlarge" 830 core_instance_type = "m3.xlarge" 831 core_instance_count = 1 832 833 tags { 834 role = "rolename" 835 dns_zone = "env_zone" 836 env = "env" 837 name = "name-env" 838 } 839 840 keep_job_flow_alive_when_no_steps = true 841 visible_to_all_users = false 842 843 bootstrap_action { 844 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 845 name = "runif" 846 args = ["instance.isMaster=true", "echo running on master node"] 847 } 848 849 configurations = "test-fixtures/emr_configurations.json" 850 851 depends_on = ["aws_main_route_table_association.a"] 852 853 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 854 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 855 } 856 857 resource "aws_security_group" "allow_all" { 858 name = "allow_all" 859 description = "Allow all inbound traffic" 860 vpc_id = "${aws_vpc.main.id}" 861 862 ingress { 863 from_port = 0 864 to_port = 0 865 protocol = "-1" 866 cidr_blocks = ["0.0.0.0/0"] 867 } 868 869 egress { 870 from_port = 0 871 to_port = 0 872 protocol = "-1" 873 cidr_blocks = ["0.0.0.0/0"] 874 } 875 876 depends_on = ["aws_subnet.main"] 877 878 lifecycle { 879 ignore_changes = ["ingress", "egress"] 880 } 881 882 tags { 883 name = "emr_test" 884 } 885 } 886 887 resource "aws_vpc" "main" { 888 cidr_block = "168.31.0.0/16" 889 enable_dns_hostnames = true 890 891 tags { 892 name = "emr_test" 893 } 894 } 895 896 resource "aws_subnet" "main" { 897 vpc_id = "${aws_vpc.main.id}" 898 cidr_block = "168.31.0.0/20" 899 900 tags { 901 name = "emr_test" 902 } 903 } 904 905 resource "aws_internet_gateway" "gw" { 906 vpc_id = "${aws_vpc.main.id}" 907 } 908 909 resource "aws_route_table" "r" { 910 vpc_id = "${aws_vpc.main.id}" 911 912 route { 913 cidr_block = "0.0.0.0/0" 914 gateway_id = "${aws_internet_gateway.gw.id}" 915 } 916 } 917 918 resource "aws_main_route_table_association" "a" { 919 vpc_id = "${aws_vpc.main.id}" 920 route_table_id = "${aws_route_table.r.id}" 921 } 922 923 ### 924 925 # IAM things 926 927 ### 928 929 # IAM role for EMR Service 930 resource "aws_iam_role" "iam_emr_default_role" { 931 name = "iam_emr_default_role_%d" 932 933 assume_role_policy = <<EOT 934 { 935 "Version": "2008-10-17", 936 "Statement": [ 937 { 938 "Sid": "", 939 "Effect": "Allow", 940 "Principal": { 941 "Service": "elasticmapreduce.amazonaws.com" 942 }, 943 "Action": "sts:AssumeRole" 944 } 945 ] 946 } 947 EOT 948 } 949 950 resource "aws_iam_role_policy_attachment" "service-attach" { 951 role = "${aws_iam_role.iam_emr_default_role.id}" 952 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 953 } 954 955 resource "aws_iam_policy" "iam_emr_default_policy" { 956 name = "iam_emr_default_policy_%d" 957 958 policy = <<EOT 959 { 960 "Version": "2012-10-17", 961 "Statement": [{ 962 "Effect": "Allow", 963 "Resource": "*", 964 "Action": [ 965 "ec2:AuthorizeSecurityGroupEgress", 966 "ec2:AuthorizeSecurityGroupIngress", 967 "ec2:CancelSpotInstanceRequests", 968 "ec2:CreateNetworkInterface", 969 "ec2:CreateSecurityGroup", 970 "ec2:CreateTags", 971 "ec2:DeleteNetworkInterface", 972 "ec2:DeleteSecurityGroup", 973 "ec2:DeleteTags", 974 "ec2:DescribeAvailabilityZones", 975 "ec2:DescribeAccountAttributes", 976 "ec2:DescribeDhcpOptions", 977 "ec2:DescribeInstanceStatus", 978 "ec2:DescribeInstances", 979 "ec2:DescribeKeyPairs", 980 "ec2:DescribeNetworkAcls", 981 "ec2:DescribeNetworkInterfaces", 982 "ec2:DescribePrefixLists", 983 "ec2:DescribeRouteTables", 984 "ec2:DescribeSecurityGroups", 985 "ec2:DescribeSpotInstanceRequests", 986 "ec2:DescribeSpotPriceHistory", 987 "ec2:DescribeSubnets", 988 "ec2:DescribeVpcAttribute", 989 "ec2:DescribeVpcEndpoints", 990 "ec2:DescribeVpcEndpointServices", 991 "ec2:DescribeVpcs", 992 "ec2:DetachNetworkInterface", 993 "ec2:ModifyImageAttribute", 994 "ec2:ModifyInstanceAttribute", 995 "ec2:RequestSpotInstances", 996 "ec2:RevokeSecurityGroupEgress", 997 "ec2:RunInstances", 998 "ec2:TerminateInstances", 999 "ec2:DeleteVolume", 1000 "ec2:DescribeVolumeStatus", 1001 "ec2:DescribeVolumes", 1002 "ec2:DetachVolume", 1003 "iam:GetRole", 1004 "iam:GetRolePolicy", 1005 "iam:ListInstanceProfiles", 1006 "iam:ListRolePolicies", 1007 "iam:PassRole", 1008 "s3:CreateBucket", 1009 "s3:Get*", 1010 "s3:List*", 1011 "sdb:BatchPutAttributes", 1012 "sdb:Select", 1013 "sqs:CreateQueue", 1014 "sqs:Delete*", 1015 "sqs:GetQueue*", 1016 "sqs:PurgeQueue", 1017 "sqs:ReceiveMessage" 1018 ] 1019 }] 1020 } 1021 EOT 1022 } 1023 1024 # IAM Role for EC2 Instance Profile 1025 resource "aws_iam_role" "iam_emr_profile_role" { 1026 name = "iam_emr_profile_role_%d" 1027 1028 assume_role_policy = <<EOT 1029 { 1030 "Version": "2008-10-17", 1031 "Statement": [ 1032 { 1033 "Sid": "", 1034 "Effect": "Allow", 1035 "Principal": { 1036 "Service": "ec2.amazonaws.com" 1037 }, 1038 "Action": "sts:AssumeRole" 1039 } 1040 ] 1041 } 1042 EOT 1043 } 1044 1045 resource "aws_iam_instance_profile" "emr_profile" { 1046 name = "emr_profile_%d" 1047 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1048 } 1049 1050 resource "aws_iam_role_policy_attachment" "profile-attach" { 1051 role = "${aws_iam_role.iam_emr_profile_role.id}" 1052 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1053 } 1054 1055 resource "aws_iam_policy" "iam_emr_profile_policy" { 1056 name = "iam_emr_profile_policy_%d" 1057 1058 policy = <<EOT 1059 { 1060 "Version": "2012-10-17", 1061 "Statement": [{ 1062 "Effect": "Allow", 1063 "Resource": "*", 1064 "Action": [ 1065 "cloudwatch:*", 1066 "dynamodb:*", 1067 "ec2:Describe*", 1068 "elasticmapreduce:Describe*", 1069 "elasticmapreduce:ListBootstrapActions", 1070 "elasticmapreduce:ListClusters", 1071 "elasticmapreduce:ListInstanceGroups", 1072 "elasticmapreduce:ListInstances", 1073 "elasticmapreduce:ListSteps", 1074 "kinesis:CreateStream", 1075 "kinesis:DeleteStream", 1076 "kinesis:DescribeStream", 1077 "kinesis:GetRecords", 1078 "kinesis:GetShardIterator", 1079 "kinesis:MergeShards", 1080 "kinesis:PutRecord", 1081 "kinesis:SplitShard", 1082 "rds:Describe*", 1083 "s3:*", 1084 "sdb:*", 1085 "sns:*", 1086 "sqs:*" 1087 ] 1088 }] 1089 } 1090 EOT 1091 } 1092 1093 # IAM Role for autoscaling 1094 resource "aws_iam_role" "emr-autoscaling-role" { 1095 name = "EMR_AutoScaling_DefaultRole" 1096 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1097 } 1098 1099 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1100 statement { 1101 effect = "Allow" 1102 actions = ["sts:AssumeRole"] 1103 1104 principals = { 1105 type = "Service" 1106 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1107 } 1108 } 1109 } 1110 1111 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1112 role = "${aws_iam_role.emr-autoscaling-role.name}" 1113 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1114 } 1115 `, r, r, r, r, r, r) 1116 } 1117 1118 func testAccAWSEmrClusterConfigUpdatedTags(r int) string { 1119 return fmt.Sprintf(` 1120 provider "aws" { 1121 region = "us-west-2" 1122 } 1123 1124 resource "aws_emr_cluster" "tf-test-cluster" { 1125 name = "emr-test-%d" 1126 release_label = "emr-4.6.0" 1127 applications = ["Spark"] 1128 1129 ec2_attributes { 1130 subnet_id = "${aws_subnet.main.id}" 1131 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1132 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1133 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1134 } 1135 1136 master_instance_type = "m3.xlarge" 1137 core_instance_type = "m3.xlarge" 1138 core_instance_count = 1 1139 1140 tags { 1141 dns_zone = "new_zone" 1142 Env = "production" 1143 name = "name-env" 1144 } 1145 1146 keep_job_flow_alive_when_no_steps = true 1147 termination_protection = false 1148 1149 bootstrap_action { 1150 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1151 name = "runif" 1152 args = ["instance.isMaster=true", "echo running on master node"] 1153 } 1154 1155 configurations = "test-fixtures/emr_configurations.json" 1156 1157 depends_on = ["aws_main_route_table_association.a"] 1158 1159 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1160 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 1161 } 1162 1163 resource "aws_security_group" "allow_all" { 1164 name = "allow_all" 1165 description = "Allow all inbound traffic" 1166 vpc_id = "${aws_vpc.main.id}" 1167 1168 ingress { 1169 from_port = 0 1170 to_port = 0 1171 protocol = "-1" 1172 cidr_blocks = ["0.0.0.0/0"] 1173 } 1174 1175 egress { 1176 from_port = 0 1177 to_port = 0 1178 protocol = "-1" 1179 cidr_blocks = ["0.0.0.0/0"] 1180 } 1181 1182 depends_on = ["aws_subnet.main"] 1183 1184 lifecycle { 1185 ignore_changes = ["ingress", "egress"] 1186 } 1187 1188 tags { 1189 name = "emr_test" 1190 } 1191 } 1192 1193 resource "aws_vpc" "main" { 1194 cidr_block = "168.31.0.0/16" 1195 enable_dns_hostnames = true 1196 1197 tags { 1198 name = "emr_test" 1199 } 1200 } 1201 1202 resource "aws_subnet" "main" { 1203 vpc_id = "${aws_vpc.main.id}" 1204 cidr_block = "168.31.0.0/20" 1205 1206 tags { 1207 name = "emr_test" 1208 } 1209 } 1210 1211 resource "aws_internet_gateway" "gw" { 1212 vpc_id = "${aws_vpc.main.id}" 1213 } 1214 1215 resource "aws_route_table" "r" { 1216 vpc_id = "${aws_vpc.main.id}" 1217 1218 route { 1219 cidr_block = "0.0.0.0/0" 1220 gateway_id = "${aws_internet_gateway.gw.id}" 1221 } 1222 } 1223 1224 resource "aws_main_route_table_association" "a" { 1225 vpc_id = "${aws_vpc.main.id}" 1226 route_table_id = "${aws_route_table.r.id}" 1227 } 1228 1229 ### 1230 1231 # IAM things 1232 1233 ### 1234 1235 # IAM role for EMR Service 1236 resource "aws_iam_role" "iam_emr_default_role" { 1237 name = "iam_emr_default_role_%d" 1238 1239 assume_role_policy = <<EOT 1240 { 1241 "Version": "2008-10-17", 1242 "Statement": [ 1243 { 1244 "Sid": "", 1245 "Effect": "Allow", 1246 "Principal": { 1247 "Service": "elasticmapreduce.amazonaws.com" 1248 }, 1249 "Action": "sts:AssumeRole" 1250 } 1251 ] 1252 } 1253 EOT 1254 } 1255 1256 resource "aws_iam_role_policy_attachment" "service-attach" { 1257 role = "${aws_iam_role.iam_emr_default_role.id}" 1258 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1259 } 1260 1261 resource "aws_iam_policy" "iam_emr_default_policy" { 1262 name = "iam_emr_default_policy_%d" 1263 1264 policy = <<EOT 1265 { 1266 "Version": "2012-10-17", 1267 "Statement": [{ 1268 "Effect": "Allow", 1269 "Resource": "*", 1270 "Action": [ 1271 "ec2:AuthorizeSecurityGroupEgress", 1272 "ec2:AuthorizeSecurityGroupIngress", 1273 "ec2:CancelSpotInstanceRequests", 1274 "ec2:CreateNetworkInterface", 1275 "ec2:CreateSecurityGroup", 1276 "ec2:CreateTags", 1277 "ec2:DeleteNetworkInterface", 1278 "ec2:DeleteSecurityGroup", 1279 "ec2:DeleteTags", 1280 "ec2:DescribeAvailabilityZones", 1281 "ec2:DescribeAccountAttributes", 1282 "ec2:DescribeDhcpOptions", 1283 "ec2:DescribeInstanceStatus", 1284 "ec2:DescribeInstances", 1285 "ec2:DescribeKeyPairs", 1286 "ec2:DescribeNetworkAcls", 1287 "ec2:DescribeNetworkInterfaces", 1288 "ec2:DescribePrefixLists", 1289 "ec2:DescribeRouteTables", 1290 "ec2:DescribeSecurityGroups", 1291 "ec2:DescribeSpotInstanceRequests", 1292 "ec2:DescribeSpotPriceHistory", 1293 "ec2:DescribeSubnets", 1294 "ec2:DescribeVpcAttribute", 1295 "ec2:DescribeVpcEndpoints", 1296 "ec2:DescribeVpcEndpointServices", 1297 "ec2:DescribeVpcs", 1298 "ec2:DetachNetworkInterface", 1299 "ec2:ModifyImageAttribute", 1300 "ec2:ModifyInstanceAttribute", 1301 "ec2:RequestSpotInstances", 1302 "ec2:RevokeSecurityGroupEgress", 1303 "ec2:RunInstances", 1304 "ec2:TerminateInstances", 1305 "ec2:DeleteVolume", 1306 "ec2:DescribeVolumeStatus", 1307 "ec2:DescribeVolumes", 1308 "ec2:DetachVolume", 1309 "iam:GetRole", 1310 "iam:GetRolePolicy", 1311 "iam:ListInstanceProfiles", 1312 "iam:ListRolePolicies", 1313 "iam:PassRole", 1314 "s3:CreateBucket", 1315 "s3:Get*", 1316 "s3:List*", 1317 "sdb:BatchPutAttributes", 1318 "sdb:Select", 1319 "sqs:CreateQueue", 1320 "sqs:Delete*", 1321 "sqs:GetQueue*", 1322 "sqs:PurgeQueue", 1323 "sqs:ReceiveMessage" 1324 ] 1325 }] 1326 } 1327 EOT 1328 } 1329 1330 # IAM Role for EC2 Instance Profile 1331 resource "aws_iam_role" "iam_emr_profile_role" { 1332 name = "iam_emr_profile_role_%d" 1333 1334 assume_role_policy = <<EOT 1335 { 1336 "Version": "2008-10-17", 1337 "Statement": [ 1338 { 1339 "Sid": "", 1340 "Effect": "Allow", 1341 "Principal": { 1342 "Service": "ec2.amazonaws.com" 1343 }, 1344 "Action": "sts:AssumeRole" 1345 } 1346 ] 1347 } 1348 EOT 1349 } 1350 1351 resource "aws_iam_instance_profile" "emr_profile" { 1352 name = "emr_profile_%d" 1353 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1354 } 1355 1356 resource "aws_iam_role_policy_attachment" "profile-attach" { 1357 role = "${aws_iam_role.iam_emr_profile_role.id}" 1358 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1359 } 1360 1361 resource "aws_iam_policy" "iam_emr_profile_policy" { 1362 name = "iam_emr_profile_policy_%d" 1363 1364 policy = <<EOT 1365 { 1366 "Version": "2012-10-17", 1367 "Statement": [{ 1368 "Effect": "Allow", 1369 "Resource": "*", 1370 "Action": [ 1371 "cloudwatch:*", 1372 "dynamodb:*", 1373 "ec2:Describe*", 1374 "elasticmapreduce:Describe*", 1375 "elasticmapreduce:ListBootstrapActions", 1376 "elasticmapreduce:ListClusters", 1377 "elasticmapreduce:ListInstanceGroups", 1378 "elasticmapreduce:ListInstances", 1379 "elasticmapreduce:ListSteps", 1380 "kinesis:CreateStream", 1381 "kinesis:DeleteStream", 1382 "kinesis:DescribeStream", 1383 "kinesis:GetRecords", 1384 "kinesis:GetShardIterator", 1385 "kinesis:MergeShards", 1386 "kinesis:PutRecord", 1387 "kinesis:SplitShard", 1388 "rds:Describe*", 1389 "s3:*", 1390 "sdb:*", 1391 "sns:*", 1392 "sqs:*" 1393 ] 1394 }] 1395 } 1396 EOT 1397 } 1398 1399 # IAM Role for autoscaling 1400 resource "aws_iam_role" "emr-autoscaling-role" { 1401 name = "EMR_AutoScaling_DefaultRole" 1402 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1403 } 1404 1405 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1406 statement { 1407 effect = "Allow" 1408 actions = ["sts:AssumeRole"] 1409 1410 principals = { 1411 type = "Service" 1412 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1413 } 1414 } 1415 } 1416 1417 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1418 role = "${aws_iam_role.emr-autoscaling-role.name}" 1419 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1420 } 1421 `, r, r, r, r, r, r) 1422 }