github.com/recobe182/terraform@v0.8.5-0.20170117231232-49ab22a935b7/builtin/providers/aws/resource_aws_emr_cluster_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "log" 6 "testing" 7 8 "github.com/aws/aws-sdk-go/aws" 9 "github.com/aws/aws-sdk-go/aws/awserr" 10 "github.com/aws/aws-sdk-go/service/emr" 11 "github.com/hashicorp/terraform/helper/acctest" 12 "github.com/hashicorp/terraform/helper/resource" 13 "github.com/hashicorp/terraform/terraform" 14 ) 15 16 func TestAccAWSEMRCluster_basic(t *testing.T) { 17 var jobFlow emr.RunJobFlowOutput 18 r := acctest.RandInt() 19 resource.Test(t, resource.TestCase{ 20 PreCheck: func() { testAccPreCheck(t) }, 21 Providers: testAccProviders, 22 CheckDestroy: testAccCheckAWSEmrDestroy, 23 Steps: []resource.TestStep{ 24 { 25 Config: testAccAWSEmrClusterConfig(r), 26 Check: testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 27 }, 28 }, 29 }) 30 } 31 32 func TestAccAWSEMRCluster_terminationProtected(t *testing.T) { 33 var jobFlow emr.RunJobFlowOutput 34 r := acctest.RandInt() 35 resource.Test(t, resource.TestCase{ 36 PreCheck: func() { testAccPreCheck(t) }, 37 Providers: testAccProviders, 38 CheckDestroy: testAccCheckAWSEmrDestroy, 39 Steps: []resource.TestStep{ 40 { 41 Config: testAccAWSEmrClusterConfig(r), 42 Check: resource.ComposeTestCheckFunc( 43 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 44 resource.TestCheckResourceAttr( 45 "aws_emr_cluster.tf-test-cluster", "termination_protection", "false"), 46 ), 47 }, 48 { 49 Config: testAccAWSEmrClusterConfigTerminationPolicyUpdated(r), 50 Check: resource.ComposeTestCheckFunc( 51 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 52 resource.TestCheckResourceAttr( 53 "aws_emr_cluster.tf-test-cluster", "termination_protection", "true"), 54 ), 55 }, 56 { 57 //Need to turn off termination_protection to allow the job to be deleted 58 Config: testAccAWSEmrClusterConfig(r), 59 Check: resource.ComposeTestCheckFunc( 60 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 61 ), 62 }, 63 }, 64 }) 65 } 66 67 func TestAccAWSEMRCluster_visibleToAllUsers(t *testing.T) { 68 var jobFlow emr.RunJobFlowOutput 69 r := acctest.RandInt() 70 resource.Test(t, resource.TestCase{ 71 PreCheck: func() { testAccPreCheck(t) }, 72 Providers: testAccProviders, 73 CheckDestroy: testAccCheckAWSEmrDestroy, 74 Steps: []resource.TestStep{ 75 { 76 Config: testAccAWSEmrClusterConfig(r), 77 Check: resource.ComposeTestCheckFunc( 78 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 79 resource.TestCheckResourceAttr( 80 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "true"), 81 ), 82 }, 83 { 84 Config: testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r), 85 Check: resource.ComposeTestCheckFunc( 86 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 87 resource.TestCheckResourceAttr( 88 "aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "false"), 89 ), 90 }, 91 }, 92 }) 93 } 94 95 func TestAccAWSEMRCluster_tags(t *testing.T) { 96 var jobFlow emr.RunJobFlowOutput 97 r := acctest.RandInt() 98 resource.Test(t, resource.TestCase{ 99 PreCheck: func() { testAccPreCheck(t) }, 100 Providers: testAccProviders, 101 CheckDestroy: testAccCheckAWSEmrDestroy, 102 Steps: []resource.TestStep{ 103 { 104 Config: testAccAWSEmrClusterConfig(r), 105 Check: resource.ComposeTestCheckFunc( 106 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 107 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "4"), 108 resource.TestCheckResourceAttr( 109 "aws_emr_cluster.tf-test-cluster", "tags.role", "rolename"), 110 resource.TestCheckResourceAttr( 111 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "env_zone"), 112 resource.TestCheckResourceAttr( 113 "aws_emr_cluster.tf-test-cluster", "tags.env", "env"), 114 resource.TestCheckResourceAttr( 115 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env")), 116 }, 117 { 118 Config: testAccAWSEmrClusterConfigUpdatedTags(r), 119 Check: resource.ComposeTestCheckFunc( 120 testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow), 121 resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "3"), 122 resource.TestCheckResourceAttr( 123 "aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "new_zone"), 124 resource.TestCheckResourceAttr( 125 "aws_emr_cluster.tf-test-cluster", "tags.Env", "production"), 126 resource.TestCheckResourceAttr( 127 "aws_emr_cluster.tf-test-cluster", "tags.name", "name-env"), 128 ), 129 }, 130 }, 131 }) 132 } 133 134 func testAccCheckAWSEmrDestroy(s *terraform.State) error { 135 conn := testAccProvider.Meta().(*AWSClient).emrconn 136 137 for _, rs := range s.RootModule().Resources { 138 if rs.Type != "aws_emr_cluster" { 139 continue 140 } 141 142 params := &emr.DescribeClusterInput{ 143 ClusterId: aws.String(rs.Primary.ID), 144 } 145 146 describe, err := conn.DescribeCluster(params) 147 148 if err == nil { 149 if describe.Cluster != nil && 150 *describe.Cluster.Status.State == "WAITING" { 151 return fmt.Errorf("EMR Cluster still exists") 152 } 153 } 154 155 providerErr, ok := err.(awserr.Error) 156 if !ok { 157 return err 158 } 159 160 log.Printf("[ERROR] %v", providerErr) 161 } 162 163 return nil 164 } 165 166 func testAccCheckAWSEmrClusterExists(n string, v *emr.RunJobFlowOutput) resource.TestCheckFunc { 167 return func(s *terraform.State) error { 168 rs, ok := s.RootModule().Resources[n] 169 if !ok { 170 return fmt.Errorf("Not found: %s", n) 171 } 172 if rs.Primary.ID == "" { 173 return fmt.Errorf("No cluster id set") 174 } 175 conn := testAccProvider.Meta().(*AWSClient).emrconn 176 describe, err := conn.DescribeCluster(&emr.DescribeClusterInput{ 177 ClusterId: aws.String(rs.Primary.ID), 178 }) 179 if err != nil { 180 return fmt.Errorf("EMR error: %v", err) 181 } 182 183 if describe.Cluster != nil && 184 *describe.Cluster.Id != rs.Primary.ID { 185 return fmt.Errorf("EMR cluser not found") 186 } 187 188 if describe.Cluster != nil && 189 *describe.Cluster.Status.State != "WAITING" { 190 return fmt.Errorf("EMR cluser is not up yet") 191 } 192 193 return nil 194 } 195 } 196 197 func testAccAWSEmrClusterConfig(r int) string { 198 return fmt.Sprintf(` 199 provider "aws" { 200 region = "us-west-2" 201 } 202 203 resource "aws_emr_cluster" "tf-test-cluster" { 204 name = "emr-test-%d" 205 release_label = "emr-4.6.0" 206 applications = ["Spark"] 207 208 ec2_attributes { 209 subnet_id = "${aws_subnet.main.id}" 210 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 211 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 212 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 213 } 214 215 master_instance_type = "m3.xlarge" 216 core_instance_type = "m3.xlarge" 217 core_instance_count = 1 218 219 tags { 220 role = "rolename" 221 dns_zone = "env_zone" 222 env = "env" 223 name = "name-env" 224 } 225 226 keep_job_flow_alive_when_no_steps = true 227 termination_protection = false 228 229 bootstrap_action { 230 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 231 name = "runif" 232 args = ["instance.isMaster=true", "echo running on master node"] 233 } 234 235 configurations = "test-fixtures/emr_configurations.json" 236 237 depends_on = ["aws_main_route_table_association.a"] 238 239 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 240 } 241 242 resource "aws_security_group" "allow_all" { 243 name = "allow_all" 244 description = "Allow all inbound traffic" 245 vpc_id = "${aws_vpc.main.id}" 246 247 ingress { 248 from_port = 0 249 to_port = 0 250 protocol = "-1" 251 cidr_blocks = ["0.0.0.0/0"] 252 } 253 254 egress { 255 from_port = 0 256 to_port = 0 257 protocol = "-1" 258 cidr_blocks = ["0.0.0.0/0"] 259 } 260 261 depends_on = ["aws_subnet.main"] 262 263 lifecycle { 264 ignore_changes = ["ingress", "egress"] 265 } 266 267 tags { 268 name = "emr_test" 269 } 270 } 271 272 resource "aws_vpc" "main" { 273 cidr_block = "168.31.0.0/16" 274 enable_dns_hostnames = true 275 276 tags { 277 name = "emr_test" 278 } 279 } 280 281 resource "aws_subnet" "main" { 282 vpc_id = "${aws_vpc.main.id}" 283 cidr_block = "168.31.0.0/20" 284 285 tags { 286 name = "emr_test" 287 } 288 } 289 290 resource "aws_internet_gateway" "gw" { 291 vpc_id = "${aws_vpc.main.id}" 292 } 293 294 resource "aws_route_table" "r" { 295 vpc_id = "${aws_vpc.main.id}" 296 297 route { 298 cidr_block = "0.0.0.0/0" 299 gateway_id = "${aws_internet_gateway.gw.id}" 300 } 301 } 302 303 resource "aws_main_route_table_association" "a" { 304 vpc_id = "${aws_vpc.main.id}" 305 route_table_id = "${aws_route_table.r.id}" 306 } 307 308 ### 309 310 # IAM things 311 312 ### 313 314 # IAM role for EMR Service 315 resource "aws_iam_role" "iam_emr_default_role" { 316 name = "iam_emr_default_role_%d" 317 318 assume_role_policy = <<EOT 319 { 320 "Version": "2008-10-17", 321 "Statement": [ 322 { 323 "Sid": "", 324 "Effect": "Allow", 325 "Principal": { 326 "Service": "elasticmapreduce.amazonaws.com" 327 }, 328 "Action": "sts:AssumeRole" 329 } 330 ] 331 } 332 EOT 333 } 334 335 resource "aws_iam_role_policy_attachment" "service-attach" { 336 role = "${aws_iam_role.iam_emr_default_role.id}" 337 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 338 } 339 340 resource "aws_iam_policy" "iam_emr_default_policy" { 341 name = "iam_emr_default_policy_%d" 342 343 policy = <<EOT 344 { 345 "Version": "2012-10-17", 346 "Statement": [{ 347 "Effect": "Allow", 348 "Resource": "*", 349 "Action": [ 350 "ec2:AuthorizeSecurityGroupEgress", 351 "ec2:AuthorizeSecurityGroupIngress", 352 "ec2:CancelSpotInstanceRequests", 353 "ec2:CreateNetworkInterface", 354 "ec2:CreateSecurityGroup", 355 "ec2:CreateTags", 356 "ec2:DeleteNetworkInterface", 357 "ec2:DeleteSecurityGroup", 358 "ec2:DeleteTags", 359 "ec2:DescribeAvailabilityZones", 360 "ec2:DescribeAccountAttributes", 361 "ec2:DescribeDhcpOptions", 362 "ec2:DescribeInstanceStatus", 363 "ec2:DescribeInstances", 364 "ec2:DescribeKeyPairs", 365 "ec2:DescribeNetworkAcls", 366 "ec2:DescribeNetworkInterfaces", 367 "ec2:DescribePrefixLists", 368 "ec2:DescribeRouteTables", 369 "ec2:DescribeSecurityGroups", 370 "ec2:DescribeSpotInstanceRequests", 371 "ec2:DescribeSpotPriceHistory", 372 "ec2:DescribeSubnets", 373 "ec2:DescribeVpcAttribute", 374 "ec2:DescribeVpcEndpoints", 375 "ec2:DescribeVpcEndpointServices", 376 "ec2:DescribeVpcs", 377 "ec2:DetachNetworkInterface", 378 "ec2:ModifyImageAttribute", 379 "ec2:ModifyInstanceAttribute", 380 "ec2:RequestSpotInstances", 381 "ec2:RevokeSecurityGroupEgress", 382 "ec2:RunInstances", 383 "ec2:TerminateInstances", 384 "ec2:DeleteVolume", 385 "ec2:DescribeVolumeStatus", 386 "ec2:DescribeVolumes", 387 "ec2:DetachVolume", 388 "iam:GetRole", 389 "iam:GetRolePolicy", 390 "iam:ListInstanceProfiles", 391 "iam:ListRolePolicies", 392 "iam:PassRole", 393 "s3:CreateBucket", 394 "s3:Get*", 395 "s3:List*", 396 "sdb:BatchPutAttributes", 397 "sdb:Select", 398 "sqs:CreateQueue", 399 "sqs:Delete*", 400 "sqs:GetQueue*", 401 "sqs:PurgeQueue", 402 "sqs:ReceiveMessage" 403 ] 404 }] 405 } 406 EOT 407 } 408 409 # IAM Role for EC2 Instance Profile 410 resource "aws_iam_role" "iam_emr_profile_role" { 411 name = "iam_emr_profile_role_%d" 412 413 assume_role_policy = <<EOT 414 { 415 "Version": "2008-10-17", 416 "Statement": [ 417 { 418 "Sid": "", 419 "Effect": "Allow", 420 "Principal": { 421 "Service": "ec2.amazonaws.com" 422 }, 423 "Action": "sts:AssumeRole" 424 } 425 ] 426 } 427 EOT 428 } 429 430 resource "aws_iam_instance_profile" "emr_profile" { 431 name = "emr_profile_%d" 432 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 433 } 434 435 resource "aws_iam_role_policy_attachment" "profile-attach" { 436 role = "${aws_iam_role.iam_emr_profile_role.id}" 437 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 438 } 439 440 resource "aws_iam_policy" "iam_emr_profile_policy" { 441 name = "iam_emr_profile_policy_%d" 442 443 policy = <<EOT 444 { 445 "Version": "2012-10-17", 446 "Statement": [{ 447 "Effect": "Allow", 448 "Resource": "*", 449 "Action": [ 450 "cloudwatch:*", 451 "dynamodb:*", 452 "ec2:Describe*", 453 "elasticmapreduce:Describe*", 454 "elasticmapreduce:ListBootstrapActions", 455 "elasticmapreduce:ListClusters", 456 "elasticmapreduce:ListInstanceGroups", 457 "elasticmapreduce:ListInstances", 458 "elasticmapreduce:ListSteps", 459 "kinesis:CreateStream", 460 "kinesis:DeleteStream", 461 "kinesis:DescribeStream", 462 "kinesis:GetRecords", 463 "kinesis:GetShardIterator", 464 "kinesis:MergeShards", 465 "kinesis:PutRecord", 466 "kinesis:SplitShard", 467 "rds:Describe*", 468 "s3:*", 469 "sdb:*", 470 "sns:*", 471 "sqs:*" 472 ] 473 }] 474 } 475 EOT 476 } 477 `, r, r, r, r, r, r) 478 } 479 480 func testAccAWSEmrClusterConfigTerminationPolicyUpdated(r int) string { 481 return fmt.Sprintf(` 482 provider "aws" { 483 region = "us-west-2" 484 } 485 486 resource "aws_emr_cluster" "tf-test-cluster" { 487 name = "emr-test-%d" 488 release_label = "emr-4.6.0" 489 applications = ["Spark"] 490 491 ec2_attributes { 492 subnet_id = "${aws_subnet.main.id}" 493 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 494 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 495 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 496 } 497 498 master_instance_type = "m3.xlarge" 499 core_instance_type = "m3.xlarge" 500 core_instance_count = 1 501 502 tags { 503 role = "rolename" 504 dns_zone = "env_zone" 505 env = "env" 506 name = "name-env" 507 } 508 509 keep_job_flow_alive_when_no_steps = true 510 termination_protection = true 511 512 bootstrap_action { 513 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 514 name = "runif" 515 args = ["instance.isMaster=true", "echo running on master node"] 516 } 517 518 configurations = "test-fixtures/emr_configurations.json" 519 520 depends_on = ["aws_main_route_table_association.a"] 521 522 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 523 } 524 525 resource "aws_security_group" "allow_all" { 526 name = "allow_all" 527 description = "Allow all inbound traffic" 528 vpc_id = "${aws_vpc.main.id}" 529 530 ingress { 531 from_port = 0 532 to_port = 0 533 protocol = "-1" 534 cidr_blocks = ["0.0.0.0/0"] 535 } 536 537 egress { 538 from_port = 0 539 to_port = 0 540 protocol = "-1" 541 cidr_blocks = ["0.0.0.0/0"] 542 } 543 544 depends_on = ["aws_subnet.main"] 545 546 lifecycle { 547 ignore_changes = ["ingress", "egress"] 548 } 549 550 tags { 551 name = "emr_test" 552 } 553 } 554 555 resource "aws_vpc" "main" { 556 cidr_block = "168.31.0.0/16" 557 enable_dns_hostnames = true 558 559 tags { 560 name = "emr_test" 561 } 562 } 563 564 resource "aws_subnet" "main" { 565 vpc_id = "${aws_vpc.main.id}" 566 cidr_block = "168.31.0.0/20" 567 568 tags { 569 name = "emr_test" 570 } 571 } 572 573 resource "aws_internet_gateway" "gw" { 574 vpc_id = "${aws_vpc.main.id}" 575 } 576 577 resource "aws_route_table" "r" { 578 vpc_id = "${aws_vpc.main.id}" 579 580 route { 581 cidr_block = "0.0.0.0/0" 582 gateway_id = "${aws_internet_gateway.gw.id}" 583 } 584 } 585 586 resource "aws_main_route_table_association" "a" { 587 vpc_id = "${aws_vpc.main.id}" 588 route_table_id = "${aws_route_table.r.id}" 589 } 590 591 ### 592 593 # IAM things 594 595 ### 596 597 # IAM role for EMR Service 598 resource "aws_iam_role" "iam_emr_default_role" { 599 name = "iam_emr_default_role_%d" 600 601 assume_role_policy = <<EOT 602 { 603 "Version": "2008-10-17", 604 "Statement": [ 605 { 606 "Sid": "", 607 "Effect": "Allow", 608 "Principal": { 609 "Service": "elasticmapreduce.amazonaws.com" 610 }, 611 "Action": "sts:AssumeRole" 612 } 613 ] 614 } 615 EOT 616 } 617 618 resource "aws_iam_role_policy_attachment" "service-attach" { 619 role = "${aws_iam_role.iam_emr_default_role.id}" 620 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 621 } 622 623 resource "aws_iam_policy" "iam_emr_default_policy" { 624 name = "iam_emr_default_policy_%d" 625 626 policy = <<EOT 627 { 628 "Version": "2012-10-17", 629 "Statement": [{ 630 "Effect": "Allow", 631 "Resource": "*", 632 "Action": [ 633 "ec2:AuthorizeSecurityGroupEgress", 634 "ec2:AuthorizeSecurityGroupIngress", 635 "ec2:CancelSpotInstanceRequests", 636 "ec2:CreateNetworkInterface", 637 "ec2:CreateSecurityGroup", 638 "ec2:CreateTags", 639 "ec2:DeleteNetworkInterface", 640 "ec2:DeleteSecurityGroup", 641 "ec2:DeleteTags", 642 "ec2:DescribeAvailabilityZones", 643 "ec2:DescribeAccountAttributes", 644 "ec2:DescribeDhcpOptions", 645 "ec2:DescribeInstanceStatus", 646 "ec2:DescribeInstances", 647 "ec2:DescribeKeyPairs", 648 "ec2:DescribeNetworkAcls", 649 "ec2:DescribeNetworkInterfaces", 650 "ec2:DescribePrefixLists", 651 "ec2:DescribeRouteTables", 652 "ec2:DescribeSecurityGroups", 653 "ec2:DescribeSpotInstanceRequests", 654 "ec2:DescribeSpotPriceHistory", 655 "ec2:DescribeSubnets", 656 "ec2:DescribeVpcAttribute", 657 "ec2:DescribeVpcEndpoints", 658 "ec2:DescribeVpcEndpointServices", 659 "ec2:DescribeVpcs", 660 "ec2:DetachNetworkInterface", 661 "ec2:ModifyImageAttribute", 662 "ec2:ModifyInstanceAttribute", 663 "ec2:RequestSpotInstances", 664 "ec2:RevokeSecurityGroupEgress", 665 "ec2:RunInstances", 666 "ec2:TerminateInstances", 667 "ec2:DeleteVolume", 668 "ec2:DescribeVolumeStatus", 669 "ec2:DescribeVolumes", 670 "ec2:DetachVolume", 671 "iam:GetRole", 672 "iam:GetRolePolicy", 673 "iam:ListInstanceProfiles", 674 "iam:ListRolePolicies", 675 "iam:PassRole", 676 "s3:CreateBucket", 677 "s3:Get*", 678 "s3:List*", 679 "sdb:BatchPutAttributes", 680 "sdb:Select", 681 "sqs:CreateQueue", 682 "sqs:Delete*", 683 "sqs:GetQueue*", 684 "sqs:PurgeQueue", 685 "sqs:ReceiveMessage" 686 ] 687 }] 688 } 689 EOT 690 } 691 692 # IAM Role for EC2 Instance Profile 693 resource "aws_iam_role" "iam_emr_profile_role" { 694 name = "iam_emr_profile_role_%d" 695 696 assume_role_policy = <<EOT 697 { 698 "Version": "2008-10-17", 699 "Statement": [ 700 { 701 "Sid": "", 702 "Effect": "Allow", 703 "Principal": { 704 "Service": "ec2.amazonaws.com" 705 }, 706 "Action": "sts:AssumeRole" 707 } 708 ] 709 } 710 EOT 711 } 712 713 resource "aws_iam_instance_profile" "emr_profile" { 714 name = "emr_profile_%d" 715 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 716 } 717 718 resource "aws_iam_role_policy_attachment" "profile-attach" { 719 role = "${aws_iam_role.iam_emr_profile_role.id}" 720 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 721 } 722 723 resource "aws_iam_policy" "iam_emr_profile_policy" { 724 name = "iam_emr_profile_policy_%d" 725 726 policy = <<EOT 727 { 728 "Version": "2012-10-17", 729 "Statement": [{ 730 "Effect": "Allow", 731 "Resource": "*", 732 "Action": [ 733 "cloudwatch:*", 734 "dynamodb:*", 735 "ec2:Describe*", 736 "elasticmapreduce:Describe*", 737 "elasticmapreduce:ListBootstrapActions", 738 "elasticmapreduce:ListClusters", 739 "elasticmapreduce:ListInstanceGroups", 740 "elasticmapreduce:ListInstances", 741 "elasticmapreduce:ListSteps", 742 "kinesis:CreateStream", 743 "kinesis:DeleteStream", 744 "kinesis:DescribeStream", 745 "kinesis:GetRecords", 746 "kinesis:GetShardIterator", 747 "kinesis:MergeShards", 748 "kinesis:PutRecord", 749 "kinesis:SplitShard", 750 "rds:Describe*", 751 "s3:*", 752 "sdb:*", 753 "sns:*", 754 "sqs:*" 755 ] 756 }] 757 } 758 EOT 759 } 760 `, r, r, r, r, r, r) 761 } 762 763 func testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r int) string { 764 return fmt.Sprintf(` 765 provider "aws" { 766 region = "us-west-2" 767 } 768 769 resource "aws_emr_cluster" "tf-test-cluster" { 770 name = "emr-test-%d" 771 release_label = "emr-4.6.0" 772 applications = ["Spark"] 773 774 ec2_attributes { 775 subnet_id = "${aws_subnet.main.id}" 776 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 777 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 778 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 779 } 780 781 master_instance_type = "m3.xlarge" 782 core_instance_type = "m3.xlarge" 783 core_instance_count = 1 784 785 tags { 786 role = "rolename" 787 dns_zone = "env_zone" 788 env = "env" 789 name = "name-env" 790 } 791 792 keep_job_flow_alive_when_no_steps = true 793 visible_to_all_users = false 794 795 bootstrap_action { 796 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 797 name = "runif" 798 args = ["instance.isMaster=true", "echo running on master node"] 799 } 800 801 configurations = "test-fixtures/emr_configurations.json" 802 803 depends_on = ["aws_main_route_table_association.a"] 804 805 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 806 } 807 808 resource "aws_security_group" "allow_all" { 809 name = "allow_all" 810 description = "Allow all inbound traffic" 811 vpc_id = "${aws_vpc.main.id}" 812 813 ingress { 814 from_port = 0 815 to_port = 0 816 protocol = "-1" 817 cidr_blocks = ["0.0.0.0/0"] 818 } 819 820 egress { 821 from_port = 0 822 to_port = 0 823 protocol = "-1" 824 cidr_blocks = ["0.0.0.0/0"] 825 } 826 827 depends_on = ["aws_subnet.main"] 828 829 lifecycle { 830 ignore_changes = ["ingress", "egress"] 831 } 832 833 tags { 834 name = "emr_test" 835 } 836 } 837 838 resource "aws_vpc" "main" { 839 cidr_block = "168.31.0.0/16" 840 enable_dns_hostnames = true 841 842 tags { 843 name = "emr_test" 844 } 845 } 846 847 resource "aws_subnet" "main" { 848 vpc_id = "${aws_vpc.main.id}" 849 cidr_block = "168.31.0.0/20" 850 851 tags { 852 name = "emr_test" 853 } 854 } 855 856 resource "aws_internet_gateway" "gw" { 857 vpc_id = "${aws_vpc.main.id}" 858 } 859 860 resource "aws_route_table" "r" { 861 vpc_id = "${aws_vpc.main.id}" 862 863 route { 864 cidr_block = "0.0.0.0/0" 865 gateway_id = "${aws_internet_gateway.gw.id}" 866 } 867 } 868 869 resource "aws_main_route_table_association" "a" { 870 vpc_id = "${aws_vpc.main.id}" 871 route_table_id = "${aws_route_table.r.id}" 872 } 873 874 ### 875 876 # IAM things 877 878 ### 879 880 # IAM role for EMR Service 881 resource "aws_iam_role" "iam_emr_default_role" { 882 name = "iam_emr_default_role_%d" 883 884 assume_role_policy = <<EOT 885 { 886 "Version": "2008-10-17", 887 "Statement": [ 888 { 889 "Sid": "", 890 "Effect": "Allow", 891 "Principal": { 892 "Service": "elasticmapreduce.amazonaws.com" 893 }, 894 "Action": "sts:AssumeRole" 895 } 896 ] 897 } 898 EOT 899 } 900 901 resource "aws_iam_role_policy_attachment" "service-attach" { 902 role = "${aws_iam_role.iam_emr_default_role.id}" 903 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 904 } 905 906 resource "aws_iam_policy" "iam_emr_default_policy" { 907 name = "iam_emr_default_policy_%d" 908 909 policy = <<EOT 910 { 911 "Version": "2012-10-17", 912 "Statement": [{ 913 "Effect": "Allow", 914 "Resource": "*", 915 "Action": [ 916 "ec2:AuthorizeSecurityGroupEgress", 917 "ec2:AuthorizeSecurityGroupIngress", 918 "ec2:CancelSpotInstanceRequests", 919 "ec2:CreateNetworkInterface", 920 "ec2:CreateSecurityGroup", 921 "ec2:CreateTags", 922 "ec2:DeleteNetworkInterface", 923 "ec2:DeleteSecurityGroup", 924 "ec2:DeleteTags", 925 "ec2:DescribeAvailabilityZones", 926 "ec2:DescribeAccountAttributes", 927 "ec2:DescribeDhcpOptions", 928 "ec2:DescribeInstanceStatus", 929 "ec2:DescribeInstances", 930 "ec2:DescribeKeyPairs", 931 "ec2:DescribeNetworkAcls", 932 "ec2:DescribeNetworkInterfaces", 933 "ec2:DescribePrefixLists", 934 "ec2:DescribeRouteTables", 935 "ec2:DescribeSecurityGroups", 936 "ec2:DescribeSpotInstanceRequests", 937 "ec2:DescribeSpotPriceHistory", 938 "ec2:DescribeSubnets", 939 "ec2:DescribeVpcAttribute", 940 "ec2:DescribeVpcEndpoints", 941 "ec2:DescribeVpcEndpointServices", 942 "ec2:DescribeVpcs", 943 "ec2:DetachNetworkInterface", 944 "ec2:ModifyImageAttribute", 945 "ec2:ModifyInstanceAttribute", 946 "ec2:RequestSpotInstances", 947 "ec2:RevokeSecurityGroupEgress", 948 "ec2:RunInstances", 949 "ec2:TerminateInstances", 950 "ec2:DeleteVolume", 951 "ec2:DescribeVolumeStatus", 952 "ec2:DescribeVolumes", 953 "ec2:DetachVolume", 954 "iam:GetRole", 955 "iam:GetRolePolicy", 956 "iam:ListInstanceProfiles", 957 "iam:ListRolePolicies", 958 "iam:PassRole", 959 "s3:CreateBucket", 960 "s3:Get*", 961 "s3:List*", 962 "sdb:BatchPutAttributes", 963 "sdb:Select", 964 "sqs:CreateQueue", 965 "sqs:Delete*", 966 "sqs:GetQueue*", 967 "sqs:PurgeQueue", 968 "sqs:ReceiveMessage" 969 ] 970 }] 971 } 972 EOT 973 } 974 975 # IAM Role for EC2 Instance Profile 976 resource "aws_iam_role" "iam_emr_profile_role" { 977 name = "iam_emr_profile_role_%d" 978 979 assume_role_policy = <<EOT 980 { 981 "Version": "2008-10-17", 982 "Statement": [ 983 { 984 "Sid": "", 985 "Effect": "Allow", 986 "Principal": { 987 "Service": "ec2.amazonaws.com" 988 }, 989 "Action": "sts:AssumeRole" 990 } 991 ] 992 } 993 EOT 994 } 995 996 resource "aws_iam_instance_profile" "emr_profile" { 997 name = "emr_profile_%d" 998 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 999 } 1000 1001 resource "aws_iam_role_policy_attachment" "profile-attach" { 1002 role = "${aws_iam_role.iam_emr_profile_role.id}" 1003 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1004 } 1005 1006 resource "aws_iam_policy" "iam_emr_profile_policy" { 1007 name = "iam_emr_profile_policy_%d" 1008 1009 policy = <<EOT 1010 { 1011 "Version": "2012-10-17", 1012 "Statement": [{ 1013 "Effect": "Allow", 1014 "Resource": "*", 1015 "Action": [ 1016 "cloudwatch:*", 1017 "dynamodb:*", 1018 "ec2:Describe*", 1019 "elasticmapreduce:Describe*", 1020 "elasticmapreduce:ListBootstrapActions", 1021 "elasticmapreduce:ListClusters", 1022 "elasticmapreduce:ListInstanceGroups", 1023 "elasticmapreduce:ListInstances", 1024 "elasticmapreduce:ListSteps", 1025 "kinesis:CreateStream", 1026 "kinesis:DeleteStream", 1027 "kinesis:DescribeStream", 1028 "kinesis:GetRecords", 1029 "kinesis:GetShardIterator", 1030 "kinesis:MergeShards", 1031 "kinesis:PutRecord", 1032 "kinesis:SplitShard", 1033 "rds:Describe*", 1034 "s3:*", 1035 "sdb:*", 1036 "sns:*", 1037 "sqs:*" 1038 ] 1039 }] 1040 } 1041 EOT 1042 } 1043 `, r, r, r, r, r, r) 1044 } 1045 1046 func testAccAWSEmrClusterConfigUpdatedTags(r int) string { 1047 return fmt.Sprintf(` 1048 provider "aws" { 1049 region = "us-west-2" 1050 } 1051 1052 resource "aws_emr_cluster" "tf-test-cluster" { 1053 name = "emr-test-%d" 1054 release_label = "emr-4.6.0" 1055 applications = ["Spark"] 1056 1057 ec2_attributes { 1058 subnet_id = "${aws_subnet.main.id}" 1059 emr_managed_master_security_group = "${aws_security_group.allow_all.id}" 1060 emr_managed_slave_security_group = "${aws_security_group.allow_all.id}" 1061 instance_profile = "${aws_iam_instance_profile.emr_profile.arn}" 1062 } 1063 1064 master_instance_type = "m3.xlarge" 1065 core_instance_type = "m3.xlarge" 1066 core_instance_count = 1 1067 1068 tags { 1069 dns_zone = "new_zone" 1070 Env = "production" 1071 name = "name-env" 1072 } 1073 1074 keep_job_flow_alive_when_no_steps = true 1075 termination_protection = false 1076 1077 bootstrap_action { 1078 path = "s3://elasticmapreduce/bootstrap-actions/run-if" 1079 name = "runif" 1080 args = ["instance.isMaster=true", "echo running on master node"] 1081 } 1082 1083 configurations = "test-fixtures/emr_configurations.json" 1084 1085 depends_on = ["aws_main_route_table_association.a"] 1086 1087 service_role = "${aws_iam_role.iam_emr_default_role.arn}" 1088 } 1089 1090 resource "aws_security_group" "allow_all" { 1091 name = "allow_all" 1092 description = "Allow all inbound traffic" 1093 vpc_id = "${aws_vpc.main.id}" 1094 1095 ingress { 1096 from_port = 0 1097 to_port = 0 1098 protocol = "-1" 1099 cidr_blocks = ["0.0.0.0/0"] 1100 } 1101 1102 egress { 1103 from_port = 0 1104 to_port = 0 1105 protocol = "-1" 1106 cidr_blocks = ["0.0.0.0/0"] 1107 } 1108 1109 depends_on = ["aws_subnet.main"] 1110 1111 lifecycle { 1112 ignore_changes = ["ingress", "egress"] 1113 } 1114 1115 tags { 1116 name = "emr_test" 1117 } 1118 } 1119 1120 resource "aws_vpc" "main" { 1121 cidr_block = "168.31.0.0/16" 1122 enable_dns_hostnames = true 1123 1124 tags { 1125 name = "emr_test" 1126 } 1127 } 1128 1129 resource "aws_subnet" "main" { 1130 vpc_id = "${aws_vpc.main.id}" 1131 cidr_block = "168.31.0.0/20" 1132 1133 tags { 1134 name = "emr_test" 1135 } 1136 } 1137 1138 resource "aws_internet_gateway" "gw" { 1139 vpc_id = "${aws_vpc.main.id}" 1140 } 1141 1142 resource "aws_route_table" "r" { 1143 vpc_id = "${aws_vpc.main.id}" 1144 1145 route { 1146 cidr_block = "0.0.0.0/0" 1147 gateway_id = "${aws_internet_gateway.gw.id}" 1148 } 1149 } 1150 1151 resource "aws_main_route_table_association" "a" { 1152 vpc_id = "${aws_vpc.main.id}" 1153 route_table_id = "${aws_route_table.r.id}" 1154 } 1155 1156 ### 1157 1158 # IAM things 1159 1160 ### 1161 1162 # IAM role for EMR Service 1163 resource "aws_iam_role" "iam_emr_default_role" { 1164 name = "iam_emr_default_role_%d" 1165 1166 assume_role_policy = <<EOT 1167 { 1168 "Version": "2008-10-17", 1169 "Statement": [ 1170 { 1171 "Sid": "", 1172 "Effect": "Allow", 1173 "Principal": { 1174 "Service": "elasticmapreduce.amazonaws.com" 1175 }, 1176 "Action": "sts:AssumeRole" 1177 } 1178 ] 1179 } 1180 EOT 1181 } 1182 1183 resource "aws_iam_role_policy_attachment" "service-attach" { 1184 role = "${aws_iam_role.iam_emr_default_role.id}" 1185 policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}" 1186 } 1187 1188 resource "aws_iam_policy" "iam_emr_default_policy" { 1189 name = "iam_emr_default_policy_%d" 1190 1191 policy = <<EOT 1192 { 1193 "Version": "2012-10-17", 1194 "Statement": [{ 1195 "Effect": "Allow", 1196 "Resource": "*", 1197 "Action": [ 1198 "ec2:AuthorizeSecurityGroupEgress", 1199 "ec2:AuthorizeSecurityGroupIngress", 1200 "ec2:CancelSpotInstanceRequests", 1201 "ec2:CreateNetworkInterface", 1202 "ec2:CreateSecurityGroup", 1203 "ec2:CreateTags", 1204 "ec2:DeleteNetworkInterface", 1205 "ec2:DeleteSecurityGroup", 1206 "ec2:DeleteTags", 1207 "ec2:DescribeAvailabilityZones", 1208 "ec2:DescribeAccountAttributes", 1209 "ec2:DescribeDhcpOptions", 1210 "ec2:DescribeInstanceStatus", 1211 "ec2:DescribeInstances", 1212 "ec2:DescribeKeyPairs", 1213 "ec2:DescribeNetworkAcls", 1214 "ec2:DescribeNetworkInterfaces", 1215 "ec2:DescribePrefixLists", 1216 "ec2:DescribeRouteTables", 1217 "ec2:DescribeSecurityGroups", 1218 "ec2:DescribeSpotInstanceRequests", 1219 "ec2:DescribeSpotPriceHistory", 1220 "ec2:DescribeSubnets", 1221 "ec2:DescribeVpcAttribute", 1222 "ec2:DescribeVpcEndpoints", 1223 "ec2:DescribeVpcEndpointServices", 1224 "ec2:DescribeVpcs", 1225 "ec2:DetachNetworkInterface", 1226 "ec2:ModifyImageAttribute", 1227 "ec2:ModifyInstanceAttribute", 1228 "ec2:RequestSpotInstances", 1229 "ec2:RevokeSecurityGroupEgress", 1230 "ec2:RunInstances", 1231 "ec2:TerminateInstances", 1232 "ec2:DeleteVolume", 1233 "ec2:DescribeVolumeStatus", 1234 "ec2:DescribeVolumes", 1235 "ec2:DetachVolume", 1236 "iam:GetRole", 1237 "iam:GetRolePolicy", 1238 "iam:ListInstanceProfiles", 1239 "iam:ListRolePolicies", 1240 "iam:PassRole", 1241 "s3:CreateBucket", 1242 "s3:Get*", 1243 "s3:List*", 1244 "sdb:BatchPutAttributes", 1245 "sdb:Select", 1246 "sqs:CreateQueue", 1247 "sqs:Delete*", 1248 "sqs:GetQueue*", 1249 "sqs:PurgeQueue", 1250 "sqs:ReceiveMessage" 1251 ] 1252 }] 1253 } 1254 EOT 1255 } 1256 1257 # IAM Role for EC2 Instance Profile 1258 resource "aws_iam_role" "iam_emr_profile_role" { 1259 name = "iam_emr_profile_role_%d" 1260 1261 assume_role_policy = <<EOT 1262 { 1263 "Version": "2008-10-17", 1264 "Statement": [ 1265 { 1266 "Sid": "", 1267 "Effect": "Allow", 1268 "Principal": { 1269 "Service": "ec2.amazonaws.com" 1270 }, 1271 "Action": "sts:AssumeRole" 1272 } 1273 ] 1274 } 1275 EOT 1276 } 1277 1278 resource "aws_iam_instance_profile" "emr_profile" { 1279 name = "emr_profile_%d" 1280 roles = ["${aws_iam_role.iam_emr_profile_role.name}"] 1281 } 1282 1283 resource "aws_iam_role_policy_attachment" "profile-attach" { 1284 role = "${aws_iam_role.iam_emr_profile_role.id}" 1285 policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}" 1286 } 1287 1288 resource "aws_iam_policy" "iam_emr_profile_policy" { 1289 name = "iam_emr_profile_policy_%d" 1290 1291 policy = <<EOT 1292 { 1293 "Version": "2012-10-17", 1294 "Statement": [{ 1295 "Effect": "Allow", 1296 "Resource": "*", 1297 "Action": [ 1298 "cloudwatch:*", 1299 "dynamodb:*", 1300 "ec2:Describe*", 1301 "elasticmapreduce:Describe*", 1302 "elasticmapreduce:ListBootstrapActions", 1303 "elasticmapreduce:ListClusters", 1304 "elasticmapreduce:ListInstanceGroups", 1305 "elasticmapreduce:ListInstances", 1306 "elasticmapreduce:ListSteps", 1307 "kinesis:CreateStream", 1308 "kinesis:DeleteStream", 1309 "kinesis:DescribeStream", 1310 "kinesis:GetRecords", 1311 "kinesis:GetShardIterator", 1312 "kinesis:MergeShards", 1313 "kinesis:PutRecord", 1314 "kinesis:SplitShard", 1315 "rds:Describe*", 1316 "s3:*", 1317 "sdb:*", 1318 "sns:*", 1319 "sqs:*" 1320 ] 1321 }] 1322 } 1323 EOT 1324 } 1325 `, r, r, r, r, r, r) 1326 }