github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/builtin/providers/aws/resource_aws_emr_cluster_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "log" 6 "reflect" 7 "testing" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awserr" 11 "github.com/aws/aws-sdk-go/service/emr" 12 "github.com/hashicorp/terraform/helper/acctest" 13 "github.com/hashicorp/terraform/helper/resource" 14 "github.com/hashicorp/terraform/terraform" 15 ) 16 17 func TestAccAWSEMRCluster_basic(t *testing.T) { 18 var cluster emr.Cluster 19 r := acctest.RandInt() 20 resource.Test(t, resource.TestCase{ 21 PreCheck: func() { testAccPreCheck(t) }, 22 Providers: testAccProviders, 23 CheckDestroy: testAccCheckAWSEmrDestroy, 24 Steps: []resource.TestStep{ 25 { 26 Config: testAccAWSEmrClusterConfig(r), 27 Check: testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 28 }, 29 }, 30 }) 31 } 32 33 func TestAccAWSEMRCluster_security_config(t *testing.T) { 34 var cluster emr.Cluster 35 r := acctest.RandInt() 36 resource.Test(t, resource.TestCase{ 37 PreCheck: func() { testAccPreCheck(t) }, 38 Providers: testAccProviders, 39 CheckDestroy: testAccCheckAWSEmrDestroy, 40 Steps: []resource.TestStep{ 41 { 42 Config: testAccAWSEmrClusterConfig_SecurityConfiguration(r), 43 Check: testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 44 }, 45 }, 46 }) 47 } 48 49 func TestAccAWSEMRCluster_bootstrap_ordering(t *testing.T) { 50 var cluster emr.Cluster 51 rName := acctest.RandomWithPrefix("tf-emr-bootstrap") 52 argsInts := []string{ 53 "1", 54 "2", 55 "3", 56 "4", 57 "5", 58 "6", 59 "7", 60 "8", 61 "9", 62 "10", 63 } 64 65 argsStrings := []string{ 66 "instance.isMaster=true", 67 "echo running on master node", 68 } 69 70 resource.Test(t, resource.TestCase{ 71 PreCheck: func() { testAccPreCheck(t) }, 72 Providers: testAccProviders, 73 CheckDestroy: testAccCheckAWSEmrDestroy, 74 Steps: []resource.TestStep{ 75 { 76 Config: testAccAWSEmrClusterConfig_bootstrap(rName), 77 Check: resource.ComposeTestCheckFunc( 78 testAccCheckAWSEmrClusterExists("aws_emr_cluster.test", &cluster), 79 testAccCheck_bootstrap_order(&cluster, argsInts, argsStrings), 80 ), 81 }, 82 }, 83 }) 84 } 85 86 func TestAccAWSEMRCluster_terminationProtected(t *testing.T) { 87 var cluster emr.Cluster 88 r := acctest.RandInt() 89 resource.Test(t, resource.TestCase{ 90 PreCheck: func() { testAccPreCheck(t) }, 91 Providers: testAccProviders, 92 CheckDestroy: testAccCheckAWSEmrDestroy, 93 Steps: []resource.TestStep{ 94 { 95 Config: testAccAWSEmrClusterConfig(r), 96 Check: resource.ComposeTestCheckFunc( 97 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 98 resource.TestCheckResourceAttr( 99 "aws_emr_cluster.tf-test-cluster", "termination_protection", "false"), 100 ), 101 }, 102 { 103 Config: testAccAWSEmrClusterConfigTerminationPolicyUpdated(r), 104 Check: resource.ComposeTestCheckFunc( 105 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 106 resource.TestCheckResourceAttr( 107 "aws_emr_cluster.tf-test-cluster", "termination_protection", "true"), 108 ), 109 }, 110 { 111 //Need to turn off termination_protection to allow the job to be deleted 112 Config: testAccAWSEmrClusterConfig(r), 113 Check: resource.ComposeTestCheckFunc( 114 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 115 ), 116 }, 117 }, 118 }) 119 } 120 121 func TestAccAWSEMRCluster_visibleToAllUsers(t *testing.T) { 122 var cluster emr.Cluster 123 r := acctest.RandInt() 124 resource.Test(t, resource.TestCase{ 125 PreCheck: func() { testAccPreCheck(t) }, 126 Providers: testAccProviders, 127 CheckDestroy: testAccCheckAWSEmrDestroy, 128 Steps: []resource.TestStep{ 129 { 130 Config: testAccAWSEmrClusterConfig(r), 131 Check: resource.ComposeTestCheckFunc( 132 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 133 resource.TestCheckResourceAttr( 134 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "true"), 135 ), 136 }, 137 { 138 Config: testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r), 139 Check: resource.ComposeTestCheckFunc( 140 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 141 resource.TestCheckResourceAttr( 142 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "false"), 143 ), 144 }, 145 }, 146 }) 147 } 148 149 func TestAccAWSEMRCluster_tags(t *testing.T) { 150 var cluster emr.Cluster 151 r := acctest.RandInt() 152 resource.Test(t, resource.TestCase{ 153 PreCheck: func() { testAccPreCheck(t) }, 154 Providers: testAccProviders, 155 CheckDestroy: testAccCheckAWSEmrDestroy, 156 Steps: []resource.TestStep{ 157 { 158 Config: testAccAWSEmrClusterConfig(r), 159 Check: resource.ComposeTestCheckFunc( 160 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 161 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "4"), 162 resource.TestCheckResourceAttr( 163 "aws_emr_cluster.tf-test-cluster", "tags.role", "rolename"), 164 resource.TestCheckResourceAttr( 165 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "env_zone"), 166 resource.TestCheckResourceAttr( 167 "aws_emr_cluster.tf-test-cluster", "tags.env", "env"), 168 resource.TestCheckResourceAttr( 169 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env")), 170 }, 171 { 172 Config: testAccAWSEmrClusterConfigUpdatedTags(r), 173 Check: resource.ComposeTestCheckFunc( 174 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &cluster), 175 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "3"), 176 resource.TestCheckResourceAttr( 177 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "new_zone"), 178 resource.TestCheckResourceAttr( 179 "aws_emr_cluster.tf-test-cluster", "tags.Env", "production"), 180 resource.TestCheckResourceAttr( 181 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env"), 182 ), 183 }, 184 }, 185 }) 186 } 187 188 func testAccCheck_bootstrap_order(cluster *emr.Cluster, argsInts, argsStrings []string) resource.TestCheckFunc { 189 return func(s *terraform.State) error { 190 191 emrconn := testAccProvider.Meta().(*AWSClient).emrconn 192 req := emr.ListBootstrapActionsInput{ 193 ClusterId: cluster.Id, 194 } 195 196 resp, err := emrconn.ListBootstrapActions(&req) 197 if err != nil { 198 return fmt.Errorf("[ERR] Error listing boostrap actions in test: %s", err) 199 } 200 201 // make sure we actually checked something 202 var ran bool 203 for _, ba := range resp.BootstrapActions { 204 // assume name matches the config 205 rArgs := aws.StringValueSlice(ba.Args) 206 if *ba.Name == "test" { 207 ran = true 208 if !reflect.DeepEqual(argsInts, rArgs) { 209 return fmt.Errorf("Error matching Bootstrap args:\n\texpected: %#v\n\tgot: %#v", argsInts, rArgs) 210 } 211 } else if *ba.Name == "runif" { 212 ran = true 213 if !reflect.DeepEqual(argsStrings, rArgs) { 214 return fmt.Errorf("Error matching Bootstrap args:\n\texpected: %#v\n\tgot: %#v", argsStrings, rArgs) 215 } 216 } 217 } 218 219 if !ran { 220 return fmt.Errorf("Expected to compare bootstrap actions, but no checks were ran") 221 } 222 223 return nil 224 } 225 } 226 227 func testAccCheckAWSEmrDestroy(s *terraform.State) error { 228 conn := testAccProvider.Meta().(*AWSClient).emrconn 229 230 for _, rs := range s.RootModule().Resources { 231 if rs.Type != "aws_emr_cluster" { 232 continue 233 } 234 235 params := &emr.DescribeClusterInput{ 236 ClusterId: aws.String(rs.Primary.ID), 237 } 238 239 describe, err := conn.DescribeCluster(params) 240 241 if err == nil { 242 if describe.Cluster != nil && 243 *describe.Cluster.Status.State == "WAITING" { 244 return fmt.Errorf("EMR Cluster still exists") 245 } 246 } 247 248 providerErr, ok := err.(awserr.Error) 249 if !ok { 250 return err 251 } 252 253 log.Printf("[ERROR] %v", providerErr) 254 } 255 256 return nil 257 } 258 259 func testAccCheckAWSEmrClusterExists(n string, v *emr.Cluster) resource.TestCheckFunc { 260 return func(s *terraform.State) error { 261 rs, ok := s.RootModule().Resources[n] 262 if !ok { 263 return fmt.Errorf("Not found: %s", n) 264 } 265 if rs.Primary.ID == "" { 266 return fmt.Errorf("No cluster id set") 267 } 268 conn := testAccProvider.Meta().(*AWSClient).emrconn 269 describe, err := conn.DescribeCluster(&emr.DescribeClusterInput{ 270 ClusterId: aws.String(rs.Primary.ID), 271 }) 272 if err != nil { 273 return fmt.Errorf("EMR error: %v", err) 274 } 275 276 if describe.Cluster != nil && 277 *describe.Cluster.Id != rs.Primary.ID { 278 return fmt.Errorf("EMR cluser not found") 279 } 280 281 *v = *describe.Cluster 282 283 if describe.Cluster != nil && 284 *describe.Cluster.Status.State != "WAITING" { 285 return fmt.Errorf("EMR cluser is not up yet") 286 } 287 288 return nil 289 } 290 } 291 292 func testAccAWSEmrClusterConfig_bootstrap(r string) string { 293 return fmt.Sprintf(` 294 resource "aws_emr_cluster" "test" { 295 count = 1 296 name = "%s" 297 release_label = "emr-5.0.0" 298 applications = ["Hadoop", "Hive"] 299 log_uri = "s3n://terraform/testlog/" 300 master_instance_type = "m4.large" 301 core_instance_type = "m1.small" 302 core_instance_count = 1 303 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 304 305 depends_on = ["aws_main_route_table_association.a"] 306 307 ec2_attributes { 308 subnet_id = "${aws_subnet.main.id}" 309 310 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 311 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 312 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 313 } 314 315 bootstrap_action { 316 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 317 name = "runif" 318 args = ["instance.isMaster=true", "echo running on master node"] 319 } 320 321 bootstrap_action = [ 322 { 323 path = "s3://${aws_s3_bucket.tester.bucket}/testscript.sh" 324 name = "test" 325 326 args = ["1", 327 "2", 328 "3", 329 "4", 330 "5", 331 "6", 332 "7", 333 "8", 334 "9", 335 "10", 336 ] 337 }, 338 ] 339 } 340 341 resource "aws_iam_instance_profile" "emr_profile" { 342 name = "%s_profile" 343 role = "${aws_iam_role.iam_emr_profile_role.name}" 344 } 345 346 resource "aws_iam_role" "iam_emr_default_role" { 347 name = "%s_default_role" 348 349 assume_role_policy = <<EOT 350 { 351 "Version": "2008-10-17", 352 "Statement": [ 353 { 354 "Sid": "", 355 "Effect": "Allow", 356 "Principal": { 357 "Service": "elasticmapreduce.amazonaws.com" 358 }, 359 "Action": "sts:AssumeRole" 360 } 361 ] 362 } 363 EOT 364 } 365 366 resource "aws_iam_role" "iam_emr_profile_role" { 367 name = "%s_profile_role" 368 369 assume_role_policy = <<EOT 370 { 371 "Version": "2008-10-17", 372 "Statement": [ 373 { 374 "Sid": "", 375 "Effect": "Allow", 376 "Principal": { 377 "Service": "ec2.amazonaws.com" 378 }, 379 "Action": "sts:AssumeRole" 380 } 381 ] 382 } 383 EOT 384 } 385 386 resource "aws_iam_role_policy_attachment" "profile-attach" { 387 role = "${aws_iam_role.iam_emr_profile_role.id}" 388 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 389 } 390 391 resource "aws_iam_role_policy_attachment" "service-attach" { 392 role = "${aws_iam_role.iam_emr_default_role.id}" 393 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 394 } 395 396 resource "aws_iam_policy" "iam_emr_default_policy" { 397 name = "%s_emr" 398 399 policy = <<EOT 400 { 401 "Version": "2012-10-17", 402 "Statement": [{ 403 "Effect": "Allow", 404 "Resource": "*", 405 "Action": [ 406 "ec2:AuthorizeSecurityGroupEgress", 407 "ec2:AuthorizeSecurityGroupIngress", 408 "ec2:CancelSpotInstanceRequests", 409 "ec2:CreateNetworkInterface", 410 "ec2:CreateSecurityGroup", 411 "ec2:CreateTags", 412 "ec2:DeleteNetworkInterface", 413 "ec2:DeleteSecurityGroup", 414 "ec2:DeleteTags", 415 "ec2:DescribeAvailabilityZones", 416 "ec2:DescribeAccountAttributes", 417 "ec2:DescribeDhcpOptions", 418 "ec2:DescribeInstanceStatus", 419 "ec2:DescribeInstances", 420 "ec2:DescribeKeyPairs", 421 "ec2:DescribeNetworkAcls", 422 "ec2:DescribeNetworkInterfaces", 423 "ec2:DescribePrefixLists", 424 "ec2:DescribeRouteTables", 425 "ec2:DescribeSecurityGroups", 426 "ec2:DescribeSpotInstanceRequests", 427 "ec2:DescribeSpotPriceHistory", 428 "ec2:DescribeSubnets", 429 "ec2:DescribeVpcAttribute", 430 "ec2:DescribeVpcEndpoints", 431 "ec2:DescribeVpcEndpointServices", 432 "ec2:DescribeVpcs", 433 "ec2:DetachNetworkInterface", 434 "ec2:ModifyImageAttribute", 435 "ec2:ModifyInstanceAttribute", 436 "ec2:RequestSpotInstances", 437 "ec2:RevokeSecurityGroupEgress", 438 "ec2:RunInstances", 439 "ec2:TerminateInstances", 440 "ec2:DeleteVolume", 441 "ec2:DescribeVolumeStatus", 442 "iam:GetRole", 443 "iam:GetRolePolicy", 444 "iam:ListInstanceProfiles", 445 "iam:ListRolePolicies", 446 "iam:PassRole", 447 "s3:CreateBucket", 448 "s3:Get*", 449 "s3:List*", 450 "sdb:BatchPutAttributes", 451 "sdb:Select", 452 "sqs:CreateQueue", 453 "sqs:Delete*", 454 "sqs:GetQueue*", 455 "sqs:PurgeQueue", 456 "sqs:ReceiveMessage" 457 ] 458 }] 459 } 460 EOT 461 } 462 463 resource "aws_iam_policy" "iam_emr_profile_policy" { 464 name = "%s_profile" 465 466 policy = <<EOT 467 { 468 "Version": "2012-10-17", 469 "Statement": [{ 470 "Effect": "Allow", 471 "Resource": "*", 472 "Action": [ 473 "cloudwatch:*", 474 "dynamodb:*", 475 "ec2:Describe*", 476 "elasticmapreduce:Describe*", 477 "elasticmapreduce:ListBootstrapActions", 478 "elasticmapreduce:ListClusters", 479 "elasticmapreduce:ListInstanceGroups", 480 "elasticmapreduce:ListInstances", 481 "elasticmapreduce:ListSteps", 482 "kinesis:CreateStream", 483 "kinesis:DeleteStream", 484 "kinesis:DescribeStream", 485 "kinesis:GetRecords", 486 "kinesis:GetShardIterator", 487 "kinesis:MergeShards", 488 "kinesis:PutRecord", 489 "kinesis:SplitShard", 490 "rds:Describe*", 491 "s3:*", 492 "sdb:*", 493 "sns:*", 494 "sqs:*" 495 ] 496 }] 497 } 498 EOT 499 } 500 501 resource "aws_vpc" "main" { 502 cidr_block = "168.31.0.0/16" 503 enable_dns_hostnames = true 504 505 tags { 506 name = "emr_test_cts" 507 } 508 } 509 510 resource "aws_subnet" "main" { 511 vpc_id = "${aws_vpc.main.id}" 512 cidr_block = "168.31.0.0/20" 513 514 tags { 515 name = "emr_test_cts" 516 } 517 } 518 519 resource "aws_internet_gateway" "gw" { 520 vpc_id = "${aws_vpc.main.id}" 521 } 522 523 resource "aws_route_table" "r" { 524 vpc_id = "${aws_vpc.main.id}" 525 526 route { 527 cidr_block = "0.0.0.0/0" 528 gateway_id = "${aws_internet_gateway.gw.id}" 529 } 530 } 531 532 resource "aws_main_route_table_association" "a" { 533 vpc_id = "${aws_vpc.main.id}" 534 route_table_id = "${aws_route_table.r.id}" 535 } 536 537 resource "aws_security_group" "allow_all" { 538 name = "allow_all" 539 description = "Allow all inbound traffic" 540 vpc_id = "${aws_vpc.main.id}" 541 542 ingress { 543 from_port = 0 544 to_port = 0 545 protocol = "-1" 546 cidr_blocks = ["0.0.0.0/0"] 547 } 548 549 egress { 550 from_port = 0 551 to_port = 0 552 protocol = "-1" 553 cidr_blocks = ["0.0.0.0/0"] 554 } 555 556 depends_on = ["aws_subnet.main"] 557 558 lifecycle { 559 ignore_changes = ["ingress", "egress"] 560 } 561 562 tags { 563 name = "emr_test" 564 } 565 } 566 567 output "cluser_id" { 568 value = "${aws_emr_cluster.test.id}" 569 } 570 571 resource "aws_s3_bucket" "tester" { 572 bucket = "%s" 573 acl = "public-read" 574 } 575 576 resource "aws_s3_bucket_object" "testobject" { 577 bucket = "${aws_s3_bucket.tester.bucket}" 578 key = "testscript.sh" 579 580 #source = "testscript.sh" 581 content = "${data.template_file.testscript.rendered}" 582 acl = "public-read" 583 } 584 585 data "template_file" "testscript" { 586 template = <<POLICY 587 #!/bin/bash 588 589 echo $@ 590 POLICY 591 }`, r, r, r, r, r, r, r) 592 } 593 594 func testAccAWSEmrClusterConfig(r int) string { 595 return fmt.Sprintf(` 596 provider "aws" { 597 region = "us-west-2" 598 } 599 600 resource "aws_emr_cluster" "tf-test-cluster" { 601 name = "emr-test-%d" 602 release_label = "emr-4.6.0" 603 applications = ["Spark"] 604 605 ec2_attributes { 606 subnet_id = "${aws_subnet.main.id}" 607 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 608 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 609 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 610 } 611 612 master_instance_type = "m3.xlarge" 613 core_instance_type = "m3.xlarge" 614 core_instance_count = 1 615 616 tags { 617 role = "rolename" 618 dns_zone = "env_zone" 619 env = "env" 620 name = "name-env" 621 } 622 623 keep_job_flow_alive_when_no_steps = true 624 termination_protection = false 625 626 bootstrap_action { 627 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 628 name = "runif" 629 args = ["instance.isMaster=true", "echo running on master node"] 630 } 631 632 configurations = "test-fixtures/emr_configurations.json" 633 634 depends_on = ["aws_main_route_table_association.a"] 635 636 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 637 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 638 } 639 640 resource "aws_security_group" "allow_all" { 641 name = "allow_all_%d" 642 description = "Allow all inbound traffic" 643 vpc_id = "${aws_vpc.main.id}" 644 645 ingress { 646 from_port = 0 647 to_port = 0 648 protocol = "-1" 649 cidr_blocks = ["0.0.0.0/0"] 650 } 651 652 egress { 653 from_port = 0 654 to_port = 0 655 protocol = "-1" 656 cidr_blocks = ["0.0.0.0/0"] 657 } 658 659 depends_on = ["aws_subnet.main"] 660 661 lifecycle { 662 ignore_changes = ["ingress", "egress"] 663 } 664 665 tags { 666 name = "emr_test" 667 } 668 } 669 670 resource "aws_vpc" "main" { 671 cidr_block = "168.31.0.0/16" 672 enable_dns_hostnames = true 673 674 tags { 675 name = "emr_test_%d" 676 } 677 } 678 679 resource "aws_subnet" "main" { 680 vpc_id = "${aws_vpc.main.id}" 681 cidr_block = "168.31.0.0/20" 682 683 tags { 684 name = "emr_test_%d" 685 } 686 } 687 688 resource "aws_internet_gateway" "gw" { 689 vpc_id = "${aws_vpc.main.id}" 690 } 691 692 resource "aws_route_table" "r" { 693 vpc_id = "${aws_vpc.main.id}" 694 695 route { 696 cidr_block = "0.0.0.0/0" 697 gateway_id = "${aws_internet_gateway.gw.id}" 698 } 699 } 700 701 resource "aws_main_route_table_association" "a" { 702 vpc_id = "${aws_vpc.main.id}" 703 route_table_id = "${aws_route_table.r.id}" 704 } 705 706 ### 707 708 # IAM things 709 710 ### 711 712 # IAM role for EMR Service 713 resource "aws_iam_role" "iam_emr_default_role" { 714 name = "iam_emr_default_role_%d" 715 716 assume_role_policy = <<EOT 717 { 718 "Version": "2008-10-17", 719 "Statement": [ 720 { 721 "Sid": "", 722 "Effect": "Allow", 723 "Principal": { 724 "Service": "elasticmapreduce.amazonaws.com" 725 }, 726 "Action": "sts:AssumeRole" 727 } 728 ] 729 } 730 EOT 731 } 732 733 resource "aws_iam_role_policy_attachment" "service-attach" { 734 role = "${aws_iam_role.iam_emr_default_role.id}" 735 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 736 } 737 738 resource "aws_iam_policy" "iam_emr_default_policy" { 739 name = "iam_emr_default_policy_%d" 740 741 policy = <<EOT 742 { 743 "Version": "2012-10-17", 744 "Statement": [{ 745 "Effect": "Allow", 746 "Resource": "*", 747 "Action": [ 748 "ec2:AuthorizeSecurityGroupEgress", 749 "ec2:AuthorizeSecurityGroupIngress", 750 "ec2:CancelSpotInstanceRequests", 751 "ec2:CreateNetworkInterface", 752 "ec2:CreateSecurityGroup", 753 "ec2:CreateTags", 754 "ec2:DeleteNetworkInterface", 755 "ec2:DeleteSecurityGroup", 756 "ec2:DeleteTags", 757 "ec2:DescribeAvailabilityZones", 758 "ec2:DescribeAccountAttributes", 759 "ec2:DescribeDhcpOptions", 760 "ec2:DescribeInstanceStatus", 761 "ec2:DescribeInstances", 762 "ec2:DescribeKeyPairs", 763 "ec2:DescribeNetworkAcls", 764 "ec2:DescribeNetworkInterfaces", 765 "ec2:DescribePrefixLists", 766 "ec2:DescribeRouteTables", 767 "ec2:DescribeSecurityGroups", 768 "ec2:DescribeSpotInstanceRequests", 769 "ec2:DescribeSpotPriceHistory", 770 "ec2:DescribeSubnets", 771 "ec2:DescribeVpcAttribute", 772 "ec2:DescribeVpcEndpoints", 773 "ec2:DescribeVpcEndpointServices", 774 "ec2:DescribeVpcs", 775 "ec2:DetachNetworkInterface", 776 "ec2:ModifyImageAttribute", 777 "ec2:ModifyInstanceAttribute", 778 "ec2:RequestSpotInstances", 779 "ec2:RevokeSecurityGroupEgress", 780 "ec2:RunInstances", 781 "ec2:TerminateInstances", 782 "ec2:DeleteVolume", 783 "ec2:DescribeVolumeStatus", 784 "ec2:DescribeVolumes", 785 "ec2:DetachVolume", 786 "iam:GetRole", 787 "iam:GetRolePolicy", 788 "iam:ListInstanceProfiles", 789 "iam:ListRolePolicies", 790 "iam:PassRole", 791 "s3:CreateBucket", 792 "s3:Get*", 793 "s3:List*", 794 "sdb:BatchPutAttributes", 795 "sdb:Select", 796 "sqs:CreateQueue", 797 "sqs:Delete*", 798 "sqs:GetQueue*", 799 "sqs:PurgeQueue", 800 "sqs:ReceiveMessage" 801 ] 802 }] 803 } 804 EOT 805 } 806 807 # IAM Role for EC2 Instance Profile 808 resource "aws_iam_role" "iam_emr_profile_role" { 809 name = "iam_emr_profile_role_%d" 810 811 assume_role_policy = <<EOT 812 { 813 "Version": "2008-10-17", 814 "Statement": [ 815 { 816 "Sid": "", 817 "Effect": "Allow", 818 "Principal": { 819 "Service": "ec2.amazonaws.com" 820 }, 821 "Action": "sts:AssumeRole" 822 } 823 ] 824 } 825 EOT 826 } 827 828 resource "aws_iam_instance_profile" "emr_profile" { 829 name = "emr_profile_%d" 830 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 831 } 832 833 resource "aws_iam_role_policy_attachment" "profile-attach" { 834 role = "${aws_iam_role.iam_emr_profile_role.id}" 835 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 836 } 837 838 resource "aws_iam_policy" "iam_emr_profile_policy" { 839 name = "iam_emr_profile_policy_%d" 840 841 policy = <<EOT 842 { 843 "Version": "2012-10-17", 844 "Statement": [{ 845 "Effect": "Allow", 846 "Resource": "*", 847 "Action": [ 848 "cloudwatch:*", 849 "dynamodb:*", 850 "ec2:Describe*", 851 "elasticmapreduce:Describe*", 852 "elasticmapreduce:ListBootstrapActions", 853 "elasticmapreduce:ListClusters", 854 "elasticmapreduce:ListInstanceGroups", 855 "elasticmapreduce:ListInstances", 856 "elasticmapreduce:ListSteps", 857 "kinesis:CreateStream", 858 "kinesis:DeleteStream", 859 "kinesis:DescribeStream", 860 "kinesis:GetRecords", 861 "kinesis:GetShardIterator", 862 "kinesis:MergeShards", 863 "kinesis:PutRecord", 864 "kinesis:SplitShard", 865 "rds:Describe*", 866 "s3:*", 867 "sdb:*", 868 "sns:*", 869 "sqs:*" 870 ] 871 }] 872 } 873 EOT 874 } 875 876 # IAM Role for autoscaling 877 resource "aws_iam_role" "emr-autoscaling-role" { 878 name = "EMR_AutoScaling_DefaultRole_%d" 879 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 880 } 881 882 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 883 statement { 884 effect = "Allow" 885 actions = ["sts:AssumeRole"] 886 principals = { 887 type = "Service" 888 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 889 } 890 } 891 } 892 893 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 894 role = "${aws_iam_role.emr-autoscaling-role.name}" 895 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 896 } 897 `, r, r, r, r, r, r, r, r, r, r) 898 } 899 900 func testAccAWSEmrClusterConfig_SecurityConfiguration(r int) string { 901 return fmt.Sprintf(` 902 provider "aws" { 903 region = "us-west-2" 904 } 905 906 resource "aws_emr_cluster" "tf-test-cluster" { 907 name = "emr-test-%d" 908 release_label = "emr-5.5.0" 909 applications = ["Spark"] 910 911 ec2_attributes { 912 subnet_id = "${aws_subnet.main.id}" 913 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 914 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 915 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 916 } 917 918 master_instance_type = "m3.xlarge" 919 core_instance_type = "m3.xlarge" 920 core_instance_count = 1 921 922 security_configuration = "${aws_emr_security_configuration.foo.name}" 923 924 tags { 925 role = "rolename" 926 dns_zone = "env_zone" 927 env = "env" 928 name = "name-env" 929 } 930 931 keep_job_flow_alive_when_no_steps = true 932 termination_protection = false 933 934 bootstrap_action { 935 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 936 name = "runif" 937 args = ["instance.isMaster=true", "echo running on master node"] 938 } 939 940 configurations = "test-fixtures/emr_configurations.json" 941 942 depends_on = ["aws_main_route_table_association.a"] 943 944 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 945 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 946 } 947 948 resource "aws_security_group" "allow_all" { 949 name = "allow_all_%d" 950 description = "Allow all inbound traffic" 951 vpc_id = "${aws_vpc.main.id}" 952 953 ingress { 954 from_port = 0 955 to_port = 0 956 protocol = "-1" 957 cidr_blocks = ["0.0.0.0/0"] 958 } 959 960 egress { 961 from_port = 0 962 to_port = 0 963 protocol = "-1" 964 cidr_blocks = ["0.0.0.0/0"] 965 } 966 967 depends_on = ["aws_subnet.main"] 968 969 lifecycle { 970 ignore_changes = ["ingress", "egress"] 971 } 972 973 tags { 974 name = "emr_test" 975 } 976 } 977 978 resource "aws_vpc" "main" { 979 cidr_block = "168.31.0.0/16" 980 enable_dns_hostnames = true 981 982 tags { 983 name = "emr_test_%d" 984 } 985 } 986 987 resource "aws_subnet" "main" { 988 vpc_id = "${aws_vpc.main.id}" 989 cidr_block = "168.31.0.0/20" 990 991 tags { 992 name = "emr_test_%d" 993 } 994 } 995 996 resource "aws_internet_gateway" "gw" { 997 vpc_id = "${aws_vpc.main.id}" 998 } 999 1000 resource "aws_route_table" "r" { 1001 vpc_id = "${aws_vpc.main.id}" 1002 1003 route { 1004 cidr_block = "0.0.0.0/0" 1005 gateway_id = "${aws_internet_gateway.gw.id}" 1006 } 1007 } 1008 1009 resource "aws_main_route_table_association" "a" { 1010 vpc_id = "${aws_vpc.main.id}" 1011 route_table_id = "${aws_route_table.r.id}" 1012 } 1013 1014 ### 1015 1016 # IAM things 1017 1018 ### 1019 1020 # IAM role for EMR Service 1021 resource "aws_iam_role" "iam_emr_default_role" { 1022 name = "iam_emr_default_role_%d" 1023 1024 assume_role_policy = <<EOT 1025 { 1026 "Version": "2008-10-17", 1027 "Statement": [ 1028 { 1029 "Sid": "", 1030 "Effect": "Allow", 1031 "Principal": { 1032 "Service": "elasticmapreduce.amazonaws.com" 1033 }, 1034 "Action": "sts:AssumeRole" 1035 } 1036 ] 1037 } 1038 EOT 1039 } 1040 1041 resource "aws_iam_role_policy_attachment" "service-attach" { 1042 role = "${aws_iam_role.iam_emr_default_role.id}" 1043 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1044 } 1045 1046 resource "aws_iam_policy" "iam_emr_default_policy" { 1047 name = "iam_emr_default_policy_%d" 1048 1049 policy = <<EOT 1050 { 1051 "Version": "2012-10-17", 1052 "Statement": [{ 1053 "Effect": "Allow", 1054 "Resource": "*", 1055 "Action": [ 1056 "ec2:AuthorizeSecurityGroupEgress", 1057 "ec2:AuthorizeSecurityGroupIngress", 1058 "ec2:CancelSpotInstanceRequests", 1059 "ec2:CreateNetworkInterface", 1060 "ec2:CreateSecurityGroup", 1061 "ec2:CreateTags", 1062 "ec2:DeleteNetworkInterface", 1063 "ec2:DeleteSecurityGroup", 1064 "ec2:DeleteTags", 1065 "ec2:DescribeAvailabilityZones", 1066 "ec2:DescribeAccountAttributes", 1067 "ec2:DescribeDhcpOptions", 1068 "ec2:DescribeInstanceStatus", 1069 "ec2:DescribeInstances", 1070 "ec2:DescribeKeyPairs", 1071 "ec2:DescribeNetworkAcls", 1072 "ec2:DescribeNetworkInterfaces", 1073 "ec2:DescribePrefixLists", 1074 "ec2:DescribeRouteTables", 1075 "ec2:DescribeSecurityGroups", 1076 "ec2:DescribeSpotInstanceRequests", 1077 "ec2:DescribeSpotPriceHistory", 1078 "ec2:DescribeSubnets", 1079 "ec2:DescribeVpcAttribute", 1080 "ec2:DescribeVpcEndpoints", 1081 "ec2:DescribeVpcEndpointServices", 1082 "ec2:DescribeVpcs", 1083 "ec2:DetachNetworkInterface", 1084 "ec2:ModifyImageAttribute", 1085 "ec2:ModifyInstanceAttribute", 1086 "ec2:RequestSpotInstances", 1087 "ec2:RevokeSecurityGroupEgress", 1088 "ec2:RunInstances", 1089 "ec2:TerminateInstances", 1090 "ec2:DeleteVolume", 1091 "ec2:DescribeVolumeStatus", 1092 "ec2:DescribeVolumes", 1093 "ec2:DetachVolume", 1094 "iam:GetRole", 1095 "iam:GetRolePolicy", 1096 "iam:ListInstanceProfiles", 1097 "iam:ListRolePolicies", 1098 "iam:PassRole", 1099 "s3:CreateBucket", 1100 "s3:Get*", 1101 "s3:List*", 1102 "sdb:BatchPutAttributes", 1103 "sdb:Select", 1104 "sqs:CreateQueue", 1105 "sqs:Delete*", 1106 "sqs:GetQueue*", 1107 "sqs:PurgeQueue", 1108 "sqs:ReceiveMessage" 1109 ] 1110 }] 1111 } 1112 EOT 1113 } 1114 1115 # IAM Role for EC2 Instance Profile 1116 resource "aws_iam_role" "iam_emr_profile_role" { 1117 name = "iam_emr_profile_role_%d" 1118 1119 assume_role_policy = <<EOT 1120 { 1121 "Version": "2008-10-17", 1122 "Statement": [ 1123 { 1124 "Sid": "", 1125 "Effect": "Allow", 1126 "Principal": { 1127 "Service": "ec2.amazonaws.com" 1128 }, 1129 "Action": "sts:AssumeRole" 1130 } 1131 ] 1132 } 1133 EOT 1134 } 1135 1136 resource "aws_iam_instance_profile" "emr_profile" { 1137 name = "emr_profile_%d" 1138 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1139 } 1140 1141 resource "aws_iam_role_policy_attachment" "profile-attach" { 1142 role = "${aws_iam_role.iam_emr_profile_role.id}" 1143 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1144 } 1145 1146 resource "aws_iam_policy" "iam_emr_profile_policy" { 1147 name = "iam_emr_profile_policy_%d" 1148 1149 policy = <<EOT 1150 { 1151 "Version": "2012-10-17", 1152 "Statement": [{ 1153 "Effect": "Allow", 1154 "Resource": "*", 1155 "Action": [ 1156 "cloudwatch:*", 1157 "dynamodb:*", 1158 "ec2:Describe*", 1159 "elasticmapreduce:Describe*", 1160 "elasticmapreduce:ListBootstrapActions", 1161 "elasticmapreduce:ListClusters", 1162 "elasticmapreduce:ListInstanceGroups", 1163 "elasticmapreduce:ListInstances", 1164 "elasticmapreduce:ListSteps", 1165 "kinesis:CreateStream", 1166 "kinesis:DeleteStream", 1167 "kinesis:DescribeStream", 1168 "kinesis:GetRecords", 1169 "kinesis:GetShardIterator", 1170 "kinesis:MergeShards", 1171 "kinesis:PutRecord", 1172 "kinesis:SplitShard", 1173 "rds:Describe*", 1174 "s3:*", 1175 "sdb:*", 1176 "sns:*", 1177 "sqs:*" 1178 ] 1179 }] 1180 } 1181 EOT 1182 } 1183 1184 # IAM Role for autoscaling 1185 resource "aws_iam_role" "emr-autoscaling-role" { 1186 name = "EMR_AutoScaling_DefaultRole_%d" 1187 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1188 } 1189 1190 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1191 statement { 1192 effect = "Allow" 1193 actions = ["sts:AssumeRole"] 1194 principals = { 1195 type = "Service" 1196 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1197 } 1198 } 1199 } 1200 1201 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1202 role = "${aws_iam_role.emr-autoscaling-role.name}" 1203 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1204 } 1205 1206 resource "aws_emr_security_configuration" "foo" { 1207 configuration = <<EOF 1208 { 1209 "EncryptionConfiguration": { 1210 "AtRestEncryptionConfiguration": { 1211 "S3EncryptionConfiguration": { 1212 "EncryptionMode": "SSE-S3" 1213 }, 1214 "LocalDiskEncryptionConfiguration": { 1215 "EncryptionKeyProviderType": "AwsKms", 1216 "AwsKmsKey": "${aws_kms_key.foo.arn}" 1217 } 1218 }, 1219 "EnableInTransitEncryption": false, 1220 "EnableAtRestEncryption": true 1221 } 1222 } 1223 EOF 1224 } 1225 1226 resource "aws_kms_key" "foo" { 1227 description = "Terraform acc test %d" 1228 deletion_window_in_days = 7 1229 policy = <<POLICY 1230 { 1231 "Version": "2012-10-17", 1232 "Id": "kms-tf-1", 1233 "Statement": [ 1234 { 1235 "Sid": "Enable IAM User Permissions", 1236 "Effect": "Allow", 1237 "Principal": { 1238 "AWS": "*" 1239 }, 1240 "Action": "kms:*", 1241 "Resource": "*" 1242 } 1243 ] 1244 } 1245 POLICY 1246 } 1247 `, r, r, r, r, r, r, r, r, r, r, r) 1248 } 1249 1250 func testAccAWSEmrClusterConfigTerminationPolicyUpdated(r int) string { 1251 return fmt.Sprintf(` 1252 provider "aws" { 1253 region = "us-west-2" 1254 } 1255 1256 resource "aws_emr_cluster" "tf-test-cluster" { 1257 name = "emr-test-%d" 1258 release_label = "emr-4.6.0" 1259 applications = ["Spark"] 1260 1261 ec2_attributes { 1262 subnet_id = "${aws_subnet.main.id}" 1263 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1264 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1265 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1266 } 1267 1268 master_instance_type = "m3.xlarge" 1269 core_instance_type = "m3.xlarge" 1270 core_instance_count = 1 1271 1272 tags { 1273 role = "rolename" 1274 dns_zone = "env_zone" 1275 env = "env" 1276 name = "name-env" 1277 } 1278 1279 keep_job_flow_alive_when_no_steps = true 1280 termination_protection = true 1281 1282 bootstrap_action { 1283 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1284 name = "runif" 1285 args = ["instance.isMaster=true", "echo running on master node"] 1286 } 1287 1288 configurations = "test-fixtures/emr_configurations.json" 1289 1290 depends_on = ["aws_main_route_table_association.a"] 1291 1292 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1293 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 1294 } 1295 1296 resource "aws_security_group" "allow_all" { 1297 name = "allow_all_%d" 1298 description = "Allow all inbound traffic" 1299 vpc_id = "${aws_vpc.main.id}" 1300 1301 ingress { 1302 from_port = 0 1303 to_port = 0 1304 protocol = "-1" 1305 cidr_blocks = ["0.0.0.0/0"] 1306 } 1307 1308 egress { 1309 from_port = 0 1310 to_port = 0 1311 protocol = "-1" 1312 cidr_blocks = ["0.0.0.0/0"] 1313 } 1314 1315 depends_on = ["aws_subnet.main"] 1316 1317 lifecycle { 1318 ignore_changes = ["ingress", "egress"] 1319 } 1320 1321 tags { 1322 name = "emr_test" 1323 } 1324 } 1325 1326 resource "aws_vpc" "main" { 1327 cidr_block = "168.31.0.0/16" 1328 enable_dns_hostnames = true 1329 1330 tags { 1331 name = "emr_test_%d" 1332 } 1333 } 1334 1335 resource "aws_subnet" "main" { 1336 vpc_id = "${aws_vpc.main.id}" 1337 cidr_block = "168.31.0.0/20" 1338 1339 tags { 1340 name = "emr_test_%d" 1341 } 1342 } 1343 1344 resource "aws_internet_gateway" "gw" { 1345 vpc_id = "${aws_vpc.main.id}" 1346 } 1347 1348 resource "aws_route_table" "r" { 1349 vpc_id = "${aws_vpc.main.id}" 1350 1351 route { 1352 cidr_block = "0.0.0.0/0" 1353 gateway_id = "${aws_internet_gateway.gw.id}" 1354 } 1355 } 1356 1357 resource "aws_main_route_table_association" "a" { 1358 vpc_id = "${aws_vpc.main.id}" 1359 route_table_id = "${aws_route_table.r.id}" 1360 } 1361 1362 ### 1363 1364 # IAM things 1365 1366 ### 1367 1368 # IAM role for EMR Service 1369 resource "aws_iam_role" "iam_emr_default_role" { 1370 name = "iam_emr_default_role_%d" 1371 1372 assume_role_policy = <<EOT 1373 { 1374 "Version": "2008-10-17", 1375 "Statement": [ 1376 { 1377 "Sid": "", 1378 "Effect": "Allow", 1379 "Principal": { 1380 "Service": "elasticmapreduce.amazonaws.com" 1381 }, 1382 "Action": "sts:AssumeRole" 1383 } 1384 ] 1385 } 1386 EOT 1387 } 1388 1389 resource "aws_iam_role_policy_attachment" "service-attach" { 1390 role = "${aws_iam_role.iam_emr_default_role.id}" 1391 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1392 } 1393 1394 resource "aws_iam_policy" "iam_emr_default_policy" { 1395 name = "iam_emr_default_policy_%d" 1396 1397 policy = <<EOT 1398 { 1399 "Version": "2012-10-17", 1400 "Statement": [{ 1401 "Effect": "Allow", 1402 "Resource": "*", 1403 "Action": [ 1404 "ec2:AuthorizeSecurityGroupEgress", 1405 "ec2:AuthorizeSecurityGroupIngress", 1406 "ec2:CancelSpotInstanceRequests", 1407 "ec2:CreateNetworkInterface", 1408 "ec2:CreateSecurityGroup", 1409 "ec2:CreateTags", 1410 "ec2:DeleteNetworkInterface", 1411 "ec2:DeleteSecurityGroup", 1412 "ec2:DeleteTags", 1413 "ec2:DescribeAvailabilityZones", 1414 "ec2:DescribeAccountAttributes", 1415 "ec2:DescribeDhcpOptions", 1416 "ec2:DescribeInstanceStatus", 1417 "ec2:DescribeInstances", 1418 "ec2:DescribeKeyPairs", 1419 "ec2:DescribeNetworkAcls", 1420 "ec2:DescribeNetworkInterfaces", 1421 "ec2:DescribePrefixLists", 1422 "ec2:DescribeRouteTables", 1423 "ec2:DescribeSecurityGroups", 1424 "ec2:DescribeSpotInstanceRequests", 1425 "ec2:DescribeSpotPriceHistory", 1426 "ec2:DescribeSubnets", 1427 "ec2:DescribeVpcAttribute", 1428 "ec2:DescribeVpcEndpoints", 1429 "ec2:DescribeVpcEndpointServices", 1430 "ec2:DescribeVpcs", 1431 "ec2:DetachNetworkInterface", 1432 "ec2:ModifyImageAttribute", 1433 "ec2:ModifyInstanceAttribute", 1434 "ec2:RequestSpotInstances", 1435 "ec2:RevokeSecurityGroupEgress", 1436 "ec2:RunInstances", 1437 "ec2:TerminateInstances", 1438 "ec2:DeleteVolume", 1439 "ec2:DescribeVolumeStatus", 1440 "ec2:DescribeVolumes", 1441 "ec2:DetachVolume", 1442 "iam:GetRole", 1443 "iam:GetRolePolicy", 1444 "iam:ListInstanceProfiles", 1445 "iam:ListRolePolicies", 1446 "iam:PassRole", 1447 "s3:CreateBucket", 1448 "s3:Get*", 1449 "s3:List*", 1450 "sdb:BatchPutAttributes", 1451 "sdb:Select", 1452 "sqs:CreateQueue", 1453 "sqs:Delete*", 1454 "sqs:GetQueue*", 1455 "sqs:PurgeQueue", 1456 "sqs:ReceiveMessage" 1457 ] 1458 }] 1459 } 1460 EOT 1461 } 1462 1463 # IAM Role for EC2 Instance Profile 1464 resource "aws_iam_role" "iam_emr_profile_role" { 1465 name = "iam_emr_profile_role_%d" 1466 1467 assume_role_policy = <<EOT 1468 { 1469 "Version": "2008-10-17", 1470 "Statement": [ 1471 { 1472 "Sid": "", 1473 "Effect": "Allow", 1474 "Principal": { 1475 "Service": "ec2.amazonaws.com" 1476 }, 1477 "Action": "sts:AssumeRole" 1478 } 1479 ] 1480 } 1481 EOT 1482 } 1483 1484 resource "aws_iam_instance_profile" "emr_profile" { 1485 name = "emr_profile_%d" 1486 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1487 } 1488 1489 resource "aws_iam_role_policy_attachment" "profile-attach" { 1490 role = "${aws_iam_role.iam_emr_profile_role.id}" 1491 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1492 } 1493 1494 resource "aws_iam_policy" "iam_emr_profile_policy" { 1495 name = "iam_emr_profile_policy_%d" 1496 1497 policy = <<EOT 1498 { 1499 "Version": "2012-10-17", 1500 "Statement": [{ 1501 "Effect": "Allow", 1502 "Resource": "*", 1503 "Action": [ 1504 "cloudwatch:*", 1505 "dynamodb:*", 1506 "ec2:Describe*", 1507 "elasticmapreduce:Describe*", 1508 "elasticmapreduce:ListBootstrapActions", 1509 "elasticmapreduce:ListClusters", 1510 "elasticmapreduce:ListInstanceGroups", 1511 "elasticmapreduce:ListInstances", 1512 "elasticmapreduce:ListSteps", 1513 "kinesis:CreateStream", 1514 "kinesis:DeleteStream", 1515 "kinesis:DescribeStream", 1516 "kinesis:GetRecords", 1517 "kinesis:GetShardIterator", 1518 "kinesis:MergeShards", 1519 "kinesis:PutRecord", 1520 "kinesis:SplitShard", 1521 "rds:Describe*", 1522 "s3:*", 1523 "sdb:*", 1524 "sns:*", 1525 "sqs:*" 1526 ] 1527 }] 1528 } 1529 EOT 1530 } 1531 1532 # IAM Role for autoscaling 1533 resource "aws_iam_role" "emr-autoscaling-role" { 1534 name = "EMR_AutoScaling_DefaultRole_%d" 1535 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1536 } 1537 1538 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1539 statement { 1540 effect = "Allow" 1541 actions = ["sts:AssumeRole"] 1542 1543 principals = { 1544 type = "Service" 1545 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1546 } 1547 } 1548 } 1549 1550 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1551 role = "${aws_iam_role.emr-autoscaling-role.name}" 1552 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1553 } 1554 `, r, r, r, r, r, r, r, r, r, r) 1555 } 1556 1557 func testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r int) string { 1558 return fmt.Sprintf(` 1559 provider "aws" { 1560 region = "us-west-2" 1561 } 1562 1563 resource "aws_emr_cluster" "tf-test-cluster" { 1564 name = "emr-test-%d" 1565 release_label = "emr-4.6.0" 1566 applications = ["Spark"] 1567 1568 ec2_attributes { 1569 subnet_id = "${aws_subnet.main.id}" 1570 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1571 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1572 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1573 } 1574 1575 master_instance_type = "m3.xlarge" 1576 core_instance_type = "m3.xlarge" 1577 core_instance_count = 1 1578 1579 tags { 1580 role = "rolename" 1581 dns_zone = "env_zone" 1582 env = "env" 1583 name = "name-env" 1584 } 1585 1586 keep_job_flow_alive_when_no_steps = true 1587 visible_to_all_users = false 1588 1589 bootstrap_action { 1590 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1591 name = "runif" 1592 args = ["instance.isMaster=true", "echo running on master node"] 1593 } 1594 1595 configurations = "test-fixtures/emr_configurations.json" 1596 1597 depends_on = ["aws_main_route_table_association.a"] 1598 1599 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1600 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 1601 } 1602 1603 resource "aws_security_group" "allow_all" { 1604 name = "allow_all_%d" 1605 description = "Allow all inbound traffic" 1606 vpc_id = "${aws_vpc.main.id}" 1607 1608 ingress { 1609 from_port = 0 1610 to_port = 0 1611 protocol = "-1" 1612 cidr_blocks = ["0.0.0.0/0"] 1613 } 1614 1615 egress { 1616 from_port = 0 1617 to_port = 0 1618 protocol = "-1" 1619 cidr_blocks = ["0.0.0.0/0"] 1620 } 1621 1622 depends_on = ["aws_subnet.main"] 1623 1624 lifecycle { 1625 ignore_changes = ["ingress", "egress"] 1626 } 1627 1628 tags { 1629 name = "emr_test" 1630 } 1631 } 1632 1633 resource "aws_vpc" "main" { 1634 cidr_block = "168.31.0.0/16" 1635 enable_dns_hostnames = true 1636 1637 tags { 1638 name = "emr_test_%d" 1639 } 1640 } 1641 1642 resource "aws_subnet" "main" { 1643 vpc_id = "${aws_vpc.main.id}" 1644 cidr_block = "168.31.0.0/20" 1645 1646 tags { 1647 name = "emr_test_%d" 1648 } 1649 } 1650 1651 resource "aws_internet_gateway" "gw" { 1652 vpc_id = "${aws_vpc.main.id}" 1653 } 1654 1655 resource "aws_route_table" "r" { 1656 vpc_id = "${aws_vpc.main.id}" 1657 1658 route { 1659 cidr_block = "0.0.0.0/0" 1660 gateway_id = "${aws_internet_gateway.gw.id}" 1661 } 1662 } 1663 1664 resource "aws_main_route_table_association" "a" { 1665 vpc_id = "${aws_vpc.main.id}" 1666 route_table_id = "${aws_route_table.r.id}" 1667 } 1668 1669 ### 1670 1671 # IAM things 1672 1673 ### 1674 1675 # IAM role for EMR Service 1676 resource "aws_iam_role" "iam_emr_default_role" { 1677 name = "iam_emr_default_role_%d" 1678 1679 assume_role_policy = <<EOT 1680 { 1681 "Version": "2008-10-17", 1682 "Statement": [ 1683 { 1684 "Sid": "", 1685 "Effect": "Allow", 1686 "Principal": { 1687 "Service": "elasticmapreduce.amazonaws.com" 1688 }, 1689 "Action": "sts:AssumeRole" 1690 } 1691 ] 1692 } 1693 EOT 1694 } 1695 1696 resource "aws_iam_role_policy_attachment" "service-attach" { 1697 role = "${aws_iam_role.iam_emr_default_role.id}" 1698 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1699 } 1700 1701 resource "aws_iam_policy" "iam_emr_default_policy" { 1702 name = "iam_emr_default_policy_%d" 1703 1704 policy = <<EOT 1705 { 1706 "Version": "2012-10-17", 1707 "Statement": [{ 1708 "Effect": "Allow", 1709 "Resource": "*", 1710 "Action": [ 1711 "ec2:AuthorizeSecurityGroupEgress", 1712 "ec2:AuthorizeSecurityGroupIngress", 1713 "ec2:CancelSpotInstanceRequests", 1714 "ec2:CreateNetworkInterface", 1715 "ec2:CreateSecurityGroup", 1716 "ec2:CreateTags", 1717 "ec2:DeleteNetworkInterface", 1718 "ec2:DeleteSecurityGroup", 1719 "ec2:DeleteTags", 1720 "ec2:DescribeAvailabilityZones", 1721 "ec2:DescribeAccountAttributes", 1722 "ec2:DescribeDhcpOptions", 1723 "ec2:DescribeInstanceStatus", 1724 "ec2:DescribeInstances", 1725 "ec2:DescribeKeyPairs", 1726 "ec2:DescribeNetworkAcls", 1727 "ec2:DescribeNetworkInterfaces", 1728 "ec2:DescribePrefixLists", 1729 "ec2:DescribeRouteTables", 1730 "ec2:DescribeSecurityGroups", 1731 "ec2:DescribeSpotInstanceRequests", 1732 "ec2:DescribeSpotPriceHistory", 1733 "ec2:DescribeSubnets", 1734 "ec2:DescribeVpcAttribute", 1735 "ec2:DescribeVpcEndpoints", 1736 "ec2:DescribeVpcEndpointServices", 1737 "ec2:DescribeVpcs", 1738 "ec2:DetachNetworkInterface", 1739 "ec2:ModifyImageAttribute", 1740 "ec2:ModifyInstanceAttribute", 1741 "ec2:RequestSpotInstances", 1742 "ec2:RevokeSecurityGroupEgress", 1743 "ec2:RunInstances", 1744 "ec2:TerminateInstances", 1745 "ec2:DeleteVolume", 1746 "ec2:DescribeVolumeStatus", 1747 "ec2:DescribeVolumes", 1748 "ec2:DetachVolume", 1749 "iam:GetRole", 1750 "iam:GetRolePolicy", 1751 "iam:ListInstanceProfiles", 1752 "iam:ListRolePolicies", 1753 "iam:PassRole", 1754 "s3:CreateBucket", 1755 "s3:Get*", 1756 "s3:List*", 1757 "sdb:BatchPutAttributes", 1758 "sdb:Select", 1759 "sqs:CreateQueue", 1760 "sqs:Delete*", 1761 "sqs:GetQueue*", 1762 "sqs:PurgeQueue", 1763 "sqs:ReceiveMessage" 1764 ] 1765 }] 1766 } 1767 EOT 1768 } 1769 1770 # IAM Role for EC2 Instance Profile 1771 resource "aws_iam_role" "iam_emr_profile_role" { 1772 name = "iam_emr_profile_role_%d" 1773 1774 assume_role_policy = <<EOT 1775 { 1776 "Version": "2008-10-17", 1777 "Statement": [ 1778 { 1779 "Sid": "", 1780 "Effect": "Allow", 1781 "Principal": { 1782 "Service": "ec2.amazonaws.com" 1783 }, 1784 "Action": "sts:AssumeRole" 1785 } 1786 ] 1787 } 1788 EOT 1789 } 1790 1791 resource "aws_iam_instance_profile" "emr_profile" { 1792 name = "emr_profile_%d" 1793 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1794 } 1795 1796 resource "aws_iam_role_policy_attachment" "profile-attach" { 1797 role = "${aws_iam_role.iam_emr_profile_role.id}" 1798 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1799 } 1800 1801 resource "aws_iam_policy" "iam_emr_profile_policy" { 1802 name = "iam_emr_profile_policy_%d" 1803 1804 policy = <<EOT 1805 { 1806 "Version": "2012-10-17", 1807 "Statement": [{ 1808 "Effect": "Allow", 1809 "Resource": "*", 1810 "Action": [ 1811 "cloudwatch:*", 1812 "dynamodb:*", 1813 "ec2:Describe*", 1814 "elasticmapreduce:Describe*", 1815 "elasticmapreduce:ListBootstrapActions", 1816 "elasticmapreduce:ListClusters", 1817 "elasticmapreduce:ListInstanceGroups", 1818 "elasticmapreduce:ListInstances", 1819 "elasticmapreduce:ListSteps", 1820 "kinesis:CreateStream", 1821 "kinesis:DeleteStream", 1822 "kinesis:DescribeStream", 1823 "kinesis:GetRecords", 1824 "kinesis:GetShardIterator", 1825 "kinesis:MergeShards", 1826 "kinesis:PutRecord", 1827 "kinesis:SplitShard", 1828 "rds:Describe*", 1829 "s3:*", 1830 "sdb:*", 1831 "sns:*", 1832 "sqs:*" 1833 ] 1834 }] 1835 } 1836 EOT 1837 } 1838 1839 # IAM Role for autoscaling 1840 resource "aws_iam_role" "emr-autoscaling-role" { 1841 name = "EMR_AutoScaling_DefaultRole_%d" 1842 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 1843 } 1844 1845 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 1846 statement { 1847 effect = "Allow" 1848 actions = ["sts:AssumeRole"] 1849 1850 principals = { 1851 type = "Service" 1852 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 1853 } 1854 } 1855 } 1856 1857 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 1858 role = "${aws_iam_role.emr-autoscaling-role.name}" 1859 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 1860 } 1861 `, r, r, r, r, r, r, r, r, r, r) 1862 } 1863 1864 func testAccAWSEmrClusterConfigUpdatedTags(r int) string { 1865 return fmt.Sprintf(` 1866 provider "aws" { 1867 region = "us-west-2" 1868 } 1869 1870 resource "aws_emr_cluster" "tf-test-cluster" { 1871 name = "emr-test-%d" 1872 release_label = "emr-4.6.0" 1873 applications = ["Spark"] 1874 1875 ec2_attributes { 1876 subnet_id = "${aws_subnet.main.id}" 1877 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1878 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1879 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1880 } 1881 1882 master_instance_type = "m3.xlarge" 1883 core_instance_type = "m3.xlarge" 1884 core_instance_count = 1 1885 1886 tags { 1887 dns_zone = "new_zone" 1888 Env = "production" 1889 name = "name-env" 1890 } 1891 1892 keep_job_flow_alive_when_no_steps = true 1893 termination_protection = false 1894 1895 bootstrap_action { 1896 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1897 name = "runif" 1898 args = ["instance.isMaster=true", "echo running on master node"] 1899 } 1900 1901 configurations = "test-fixtures/emr_configurations.json" 1902 1903 depends_on = ["aws_main_route_table_association.a"] 1904 1905 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1906 autoscaling_role = "${aws_iam_role.emr-autoscaling-role.arn}" 1907 } 1908 1909 resource "aws_security_group" "allow_all" { 1910 name = "allow_all_%d" 1911 description = "Allow all inbound traffic" 1912 vpc_id = "${aws_vpc.main.id}" 1913 1914 ingress { 1915 from_port = 0 1916 to_port = 0 1917 protocol = "-1" 1918 cidr_blocks = ["0.0.0.0/0"] 1919 } 1920 1921 egress { 1922 from_port = 0 1923 to_port = 0 1924 protocol = "-1" 1925 cidr_blocks = ["0.0.0.0/0"] 1926 } 1927 1928 depends_on = ["aws_subnet.main"] 1929 1930 lifecycle { 1931 ignore_changes = ["ingress", "egress"] 1932 } 1933 1934 tags { 1935 name = "emr_test" 1936 } 1937 } 1938 1939 resource "aws_vpc" "main" { 1940 cidr_block = "168.31.0.0/16" 1941 enable_dns_hostnames = true 1942 1943 tags { 1944 name = "emr_test_%d" 1945 } 1946 } 1947 1948 resource "aws_subnet" "main" { 1949 vpc_id = "${aws_vpc.main.id}" 1950 cidr_block = "168.31.0.0/20" 1951 1952 tags { 1953 name = "emr_test_%d" 1954 } 1955 } 1956 1957 resource "aws_internet_gateway" "gw" { 1958 vpc_id = "${aws_vpc.main.id}" 1959 } 1960 1961 resource "aws_route_table" "r" { 1962 vpc_id = "${aws_vpc.main.id}" 1963 1964 route { 1965 cidr_block = "0.0.0.0/0" 1966 gateway_id = "${aws_internet_gateway.gw.id}" 1967 } 1968 } 1969 1970 resource "aws_main_route_table_association" "a" { 1971 vpc_id = "${aws_vpc.main.id}" 1972 route_table_id = "${aws_route_table.r.id}" 1973 } 1974 1975 ### 1976 1977 # IAM things 1978 1979 ### 1980 1981 # IAM role for EMR Service 1982 resource "aws_iam_role" "iam_emr_default_role" { 1983 name = "iam_emr_default_role_%d" 1984 1985 assume_role_policy = <<EOT 1986 { 1987 "Version": "2008-10-17", 1988 "Statement": [ 1989 { 1990 "Sid": "", 1991 "Effect": "Allow", 1992 "Principal": { 1993 "Service": "elasticmapreduce.amazonaws.com" 1994 }, 1995 "Action": "sts:AssumeRole" 1996 } 1997 ] 1998 } 1999 EOT 2000 } 2001 2002 resource "aws_iam_role_policy_attachment" "service-attach" { 2003 role = "${aws_iam_role.iam_emr_default_role.id}" 2004 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 2005 } 2006 2007 resource "aws_iam_policy" "iam_emr_default_policy" { 2008 name = "iam_emr_default_policy_%d" 2009 2010 policy = <<EOT 2011 { 2012 "Version": "2012-10-17", 2013 "Statement": [{ 2014 "Effect": "Allow", 2015 "Resource": "*", 2016 "Action": [ 2017 "ec2:AuthorizeSecurityGroupEgress", 2018 "ec2:AuthorizeSecurityGroupIngress", 2019 "ec2:CancelSpotInstanceRequests", 2020 "ec2:CreateNetworkInterface", 2021 "ec2:CreateSecurityGroup", 2022 "ec2:CreateTags", 2023 "ec2:DeleteNetworkInterface", 2024 "ec2:DeleteSecurityGroup", 2025 "ec2:DeleteTags", 2026 "ec2:DescribeAvailabilityZones", 2027 "ec2:DescribeAccountAttributes", 2028 "ec2:DescribeDhcpOptions", 2029 "ec2:DescribeInstanceStatus", 2030 "ec2:DescribeInstances", 2031 "ec2:DescribeKeyPairs", 2032 "ec2:DescribeNetworkAcls", 2033 "ec2:DescribeNetworkInterfaces", 2034 "ec2:DescribePrefixLists", 2035 "ec2:DescribeRouteTables", 2036 "ec2:DescribeSecurityGroups", 2037 "ec2:DescribeSpotInstanceRequests", 2038 "ec2:DescribeSpotPriceHistory", 2039 "ec2:DescribeSubnets", 2040 "ec2:DescribeVpcAttribute", 2041 "ec2:DescribeVpcEndpoints", 2042 "ec2:DescribeVpcEndpointServices", 2043 "ec2:DescribeVpcs", 2044 "ec2:DetachNetworkInterface", 2045 "ec2:ModifyImageAttribute", 2046 "ec2:ModifyInstanceAttribute", 2047 "ec2:RequestSpotInstances", 2048 "ec2:RevokeSecurityGroupEgress", 2049 "ec2:RunInstances", 2050 "ec2:TerminateInstances", 2051 "ec2:DeleteVolume", 2052 "ec2:DescribeVolumeStatus", 2053 "ec2:DescribeVolumes", 2054 "ec2:DetachVolume", 2055 "iam:GetRole", 2056 "iam:GetRolePolicy", 2057 "iam:ListInstanceProfiles", 2058 "iam:ListRolePolicies", 2059 "iam:PassRole", 2060 "s3:CreateBucket", 2061 "s3:Get*", 2062 "s3:List*", 2063 "sdb:BatchPutAttributes", 2064 "sdb:Select", 2065 "sqs:CreateQueue", 2066 "sqs:Delete*", 2067 "sqs:GetQueue*", 2068 "sqs:PurgeQueue", 2069 "sqs:ReceiveMessage" 2070 ] 2071 }] 2072 } 2073 EOT 2074 } 2075 2076 # IAM Role for EC2 Instance Profile 2077 resource "aws_iam_role" "iam_emr_profile_role" { 2078 name = "iam_emr_profile_role_%d" 2079 2080 assume_role_policy = <<EOT 2081 { 2082 "Version": "2008-10-17", 2083 "Statement": [ 2084 { 2085 "Sid": "", 2086 "Effect": "Allow", 2087 "Principal": { 2088 "Service": "ec2.amazonaws.com" 2089 }, 2090 "Action": "sts:AssumeRole" 2091 } 2092 ] 2093 } 2094 EOT 2095 } 2096 2097 resource "aws_iam_instance_profile" "emr_profile" { 2098 name = "emr_profile_%d" 2099 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 2100 } 2101 2102 resource "aws_iam_role_policy_attachment" "profile-attach" { 2103 role = "${aws_iam_role.iam_emr_profile_role.id}" 2104 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 2105 } 2106 2107 resource "aws_iam_policy" "iam_emr_profile_policy" { 2108 name = "iam_emr_profile_policy_%d" 2109 2110 policy = <<EOT 2111 { 2112 "Version": "2012-10-17", 2113 "Statement": [{ 2114 "Effect": "Allow", 2115 "Resource": "*", 2116 "Action": [ 2117 "cloudwatch:*", 2118 "dynamodb:*", 2119 "ec2:Describe*", 2120 "elasticmapreduce:Describe*", 2121 "elasticmapreduce:ListBootstrapActions", 2122 "elasticmapreduce:ListClusters", 2123 "elasticmapreduce:ListInstanceGroups", 2124 "elasticmapreduce:ListInstances", 2125 "elasticmapreduce:ListSteps", 2126 "kinesis:CreateStream", 2127 "kinesis:DeleteStream", 2128 "kinesis:DescribeStream", 2129 "kinesis:GetRecords", 2130 "kinesis:GetShardIterator", 2131 "kinesis:MergeShards", 2132 "kinesis:PutRecord", 2133 "kinesis:SplitShard", 2134 "rds:Describe*", 2135 "s3:*", 2136 "sdb:*", 2137 "sns:*", 2138 "sqs:*" 2139 ] 2140 }] 2141 } 2142 EOT 2143 } 2144 2145 # IAM Role for autoscaling 2146 resource "aws_iam_role" "emr-autoscaling-role" { 2147 name = "EMR_AutoScaling_DefaultRole_%d" 2148 assume_role_policy = "${data.aws_iam_policy_document.emr-autoscaling-role-policy.json}" 2149 } 2150 2151 data "aws_iam_policy_document" "emr-autoscaling-role-policy" { 2152 statement { 2153 effect = "Allow" 2154 actions = ["sts:AssumeRole"] 2155 2156 principals = { 2157 type = "Service" 2158 identifiers = ["elasticmapreduce.amazonaws.com","application-autoscaling.amazonaws.com"] 2159 } 2160 } 2161 } 2162 2163 resource "aws_iam_role_policy_attachment" "emr-autoscaling-role" { 2164 role = "${aws_iam_role.emr-autoscaling-role.name}" 2165 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" 2166 } 2167 `, r, r, r, r, r, r, r, r, r, r) 2168 }