github.com/recobe182/terraform@v0.8.5-0.20170117231232-49ab22a935b7/builtin/providers/aws/resource_aws_emr_cluster_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"log"
     6  	"testing"
     7  
     8  	"github.com/aws/aws-sdk-go/aws"
     9  	"github.com/aws/aws-sdk-go/aws/awserr"
    10  	"github.com/aws/aws-sdk-go/service/emr"
    11  	"github.com/hashicorp/terraform/helper/acctest"
    12  	"github.com/hashicorp/terraform/helper/resource"
    13  	"github.com/hashicorp/terraform/terraform"
    14  )
    15  
    16  func TestAccAWSEMRCluster_basic(t *testing.T) {
    17  	var jobFlow emr.RunJobFlowOutput
    18  	r := acctest.RandInt()
    19  	resource.Test(t, resource.TestCase{
    20  		PreCheck:     func() { testAccPreCheck(t) },
    21  		Providers:    testAccProviders,
    22  		CheckDestroy: testAccCheckAWSEmrDestroy,
    23  		Steps: []resource.TestStep{
    24  			{
    25  				Config: testAccAWSEmrClusterConfig(r),
    26  				Check:  testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
    27  			},
    28  		},
    29  	})
    30  }
    31  
    32  func TestAccAWSEMRCluster_terminationProtected(t *testing.T) {
    33  	var jobFlow emr.RunJobFlowOutput
    34  	r := acctest.RandInt()
    35  	resource.Test(t, resource.TestCase{
    36  		PreCheck:     func() { testAccPreCheck(t) },
    37  		Providers:    testAccProviders,
    38  		CheckDestroy: testAccCheckAWSEmrDestroy,
    39  		Steps: []resource.TestStep{
    40  			{
    41  				Config: testAccAWSEmrClusterConfig(r),
    42  				Check: resource.ComposeTestCheckFunc(
    43  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
    44  					resource.TestCheckResourceAttr(
    45  						"aws_emr_cluster.tf-test-cluster", "termination_protection", "false"),
    46  				),
    47  			},
    48  			{
    49  				Config: testAccAWSEmrClusterConfigTerminationPolicyUpdated(r),
    50  				Check: resource.ComposeTestCheckFunc(
    51  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
    52  					resource.TestCheckResourceAttr(
    53  						"aws_emr_cluster.tf-test-cluster", "termination_protection", "true"),
    54  				),
    55  			},
    56  			{
    57  				//Need to turn off termination_protection to allow the job to be deleted
    58  				Config: testAccAWSEmrClusterConfig(r),
    59  				Check: resource.ComposeTestCheckFunc(
    60  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
    61  				),
    62  			},
    63  		},
    64  	})
    65  }
    66  
    67  func TestAccAWSEMRCluster_visibleToAllUsers(t *testing.T) {
    68  	var jobFlow emr.RunJobFlowOutput
    69  	r := acctest.RandInt()
    70  	resource.Test(t, resource.TestCase{
    71  		PreCheck:     func() { testAccPreCheck(t) },
    72  		Providers:    testAccProviders,
    73  		CheckDestroy: testAccCheckAWSEmrDestroy,
    74  		Steps: []resource.TestStep{
    75  			{
    76  				Config: testAccAWSEmrClusterConfig(r),
    77  				Check: resource.ComposeTestCheckFunc(
    78  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
    79  					resource.TestCheckResourceAttr(
    80  						"aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "true"),
    81  				),
    82  			},
    83  			{
    84  				Config: testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r),
    85  				Check: resource.ComposeTestCheckFunc(
    86  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
    87  					resource.TestCheckResourceAttr(
    88  						"aws_emr_cluster.tf-test-cluster", "visible_to_all_users", "false"),
    89  				),
    90  			},
    91  		},
    92  	})
    93  }
    94  
    95  func TestAccAWSEMRCluster_tags(t *testing.T) {
    96  	var jobFlow emr.RunJobFlowOutput
    97  	r := acctest.RandInt()
    98  	resource.Test(t, resource.TestCase{
    99  		PreCheck:     func() { testAccPreCheck(t) },
   100  		Providers:    testAccProviders,
   101  		CheckDestroy: testAccCheckAWSEmrDestroy,
   102  		Steps: []resource.TestStep{
   103  			{
   104  				Config: testAccAWSEmrClusterConfig(r),
   105  				Check: resource.ComposeTestCheckFunc(
   106  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
   107  					resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "4"),
   108  					resource.TestCheckResourceAttr(
   109  						"aws_emr_cluster.tf-test-cluster", "tags.role", "rolename"),
   110  					resource.TestCheckResourceAttr(
   111  						"aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "env_zone"),
   112  					resource.TestCheckResourceAttr(
   113  						"aws_emr_cluster.tf-test-cluster", "tags.env", "env"),
   114  					resource.TestCheckResourceAttr(
   115  						"aws_emr_cluster.tf-test-cluster", "tags.name", "name-env")),
   116  			},
   117  			{
   118  				Config: testAccAWSEmrClusterConfigUpdatedTags(r),
   119  				Check: resource.ComposeTestCheckFunc(
   120  					testAccCheckAWSEmrClusterExists("aws_emr_cluster.tf-test-cluster", &jobFlow),
   121  					resource.TestCheckResourceAttr("aws_emr_cluster.tf-test-cluster", "tags.%", "3"),
   122  					resource.TestCheckResourceAttr(
   123  						"aws_emr_cluster.tf-test-cluster", "tags.dns_zone", "new_zone"),
   124  					resource.TestCheckResourceAttr(
   125  						"aws_emr_cluster.tf-test-cluster", "tags.Env", "production"),
   126  					resource.TestCheckResourceAttr(
   127  						"aws_emr_cluster.tf-test-cluster", "tags.name", "name-env"),
   128  				),
   129  			},
   130  		},
   131  	})
   132  }
   133  
   134  func testAccCheckAWSEmrDestroy(s *terraform.State) error {
   135  	conn := testAccProvider.Meta().(*AWSClient).emrconn
   136  
   137  	for _, rs := range s.RootModule().Resources {
   138  		if rs.Type != "aws_emr_cluster" {
   139  			continue
   140  		}
   141  
   142  		params := &emr.DescribeClusterInput{
   143  			ClusterId: aws.String(rs.Primary.ID),
   144  		}
   145  
   146  		describe, err := conn.DescribeCluster(params)
   147  
   148  		if err == nil {
   149  			if describe.Cluster != nil &&
   150  				*describe.Cluster.Status.State == "WAITING" {
   151  				return fmt.Errorf("EMR Cluster still exists")
   152  			}
   153  		}
   154  
   155  		providerErr, ok := err.(awserr.Error)
   156  		if !ok {
   157  			return err
   158  		}
   159  
   160  		log.Printf("[ERROR] %v", providerErr)
   161  	}
   162  
   163  	return nil
   164  }
   165  
   166  func testAccCheckAWSEmrClusterExists(n string, v *emr.RunJobFlowOutput) resource.TestCheckFunc {
   167  	return func(s *terraform.State) error {
   168  		rs, ok := s.RootModule().Resources[n]
   169  		if !ok {
   170  			return fmt.Errorf("Not found: %s", n)
   171  		}
   172  		if rs.Primary.ID == "" {
   173  			return fmt.Errorf("No cluster id set")
   174  		}
   175  		conn := testAccProvider.Meta().(*AWSClient).emrconn
   176  		describe, err := conn.DescribeCluster(&emr.DescribeClusterInput{
   177  			ClusterId: aws.String(rs.Primary.ID),
   178  		})
   179  		if err != nil {
   180  			return fmt.Errorf("EMR error: %v", err)
   181  		}
   182  
   183  		if describe.Cluster != nil &&
   184  			*describe.Cluster.Id != rs.Primary.ID {
   185  			return fmt.Errorf("EMR cluser not found")
   186  		}
   187  
   188  		if describe.Cluster != nil &&
   189  			*describe.Cluster.Status.State != "WAITING" {
   190  			return fmt.Errorf("EMR cluser is not up yet")
   191  		}
   192  
   193  		return nil
   194  	}
   195  }
   196  
   197  func testAccAWSEmrClusterConfig(r int) string {
   198  	return fmt.Sprintf(`
   199  provider "aws" {
   200    region = "us-west-2"
   201  }
   202  
   203  resource "aws_emr_cluster" "tf-test-cluster" {
   204    name          = "emr-test-%d"
   205    release_label = "emr-4.6.0"
   206    applications  = ["Spark"]
   207  
   208    ec2_attributes {
   209      subnet_id                         = "${aws_subnet.main.id}"
   210      emr_managed_master_security_group = "${aws_security_group.allow_all.id}"
   211      emr_managed_slave_security_group  = "${aws_security_group.allow_all.id}"
   212      instance_profile                  = "${aws_iam_instance_profile.emr_profile.arn}"
   213    }
   214  
   215    master_instance_type = "m3.xlarge"
   216    core_instance_type   = "m3.xlarge"
   217    core_instance_count  = 1
   218  
   219    tags {
   220      role     = "rolename"
   221      dns_zone = "env_zone"
   222      env      = "env"
   223      name     = "name-env"
   224    }
   225  
   226    keep_job_flow_alive_when_no_steps = true
   227    termination_protection = false
   228  
   229    bootstrap_action {
   230      path = "s3://elasticmapreduce/bootstrap-actions/run-if"
   231      name = "runif"
   232      args = ["instance.isMaster=true", "echo running on master node"]
   233    }
   234  
   235    configurations = "test-fixtures/emr_configurations.json"
   236  
   237    depends_on = ["aws_main_route_table_association.a"]
   238  
   239    service_role = "${aws_iam_role.iam_emr_default_role.arn}"
   240  }
   241  
   242  resource "aws_security_group" "allow_all" {
   243    name        = "allow_all"
   244    description = "Allow all inbound traffic"
   245    vpc_id      = "${aws_vpc.main.id}"
   246  
   247    ingress {
   248      from_port   = 0
   249      to_port     = 0
   250      protocol    = "-1"
   251      cidr_blocks = ["0.0.0.0/0"]
   252    }
   253  
   254    egress {
   255      from_port   = 0
   256      to_port     = 0
   257      protocol    = "-1"
   258      cidr_blocks = ["0.0.0.0/0"]
   259    }
   260  
   261    depends_on = ["aws_subnet.main"]
   262  
   263    lifecycle {
   264      ignore_changes = ["ingress", "egress"]
   265    }
   266  
   267    tags {
   268      name = "emr_test"
   269    }
   270  }
   271  
   272  resource "aws_vpc" "main" {
   273    cidr_block           = "168.31.0.0/16"
   274    enable_dns_hostnames = true
   275  
   276    tags {
   277      name = "emr_test"
   278    }
   279  }
   280  
   281  resource "aws_subnet" "main" {
   282    vpc_id     = "${aws_vpc.main.id}"
   283    cidr_block = "168.31.0.0/20"
   284  
   285    tags {
   286      name = "emr_test"
   287    }
   288  }
   289  
   290  resource "aws_internet_gateway" "gw" {
   291    vpc_id = "${aws_vpc.main.id}"
   292  }
   293  
   294  resource "aws_route_table" "r" {
   295    vpc_id = "${aws_vpc.main.id}"
   296  
   297    route {
   298      cidr_block = "0.0.0.0/0"
   299      gateway_id = "${aws_internet_gateway.gw.id}"
   300    }
   301  }
   302  
   303  resource "aws_main_route_table_association" "a" {
   304    vpc_id         = "${aws_vpc.main.id}"
   305    route_table_id = "${aws_route_table.r.id}"
   306  }
   307  
   308  ###
   309  
   310  # IAM things
   311  
   312  ###
   313  
   314  # IAM role for EMR Service
   315  resource "aws_iam_role" "iam_emr_default_role" {
   316    name = "iam_emr_default_role_%d"
   317  
   318    assume_role_policy = <<EOT
   319  {
   320    "Version": "2008-10-17",
   321    "Statement": [
   322      {
   323        "Sid": "",
   324        "Effect": "Allow",
   325        "Principal": {
   326          "Service": "elasticmapreduce.amazonaws.com"
   327        },
   328        "Action": "sts:AssumeRole"
   329      }
   330    ]
   331  }
   332  EOT
   333  }
   334  
   335  resource "aws_iam_role_policy_attachment" "service-attach" {
   336    role       = "${aws_iam_role.iam_emr_default_role.id}"
   337    policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}"
   338  }
   339  
   340  resource "aws_iam_policy" "iam_emr_default_policy" {
   341    name = "iam_emr_default_policy_%d"
   342  
   343    policy = <<EOT
   344  {
   345      "Version": "2012-10-17",
   346      "Statement": [{
   347          "Effect": "Allow",
   348          "Resource": "*",
   349          "Action": [
   350              "ec2:AuthorizeSecurityGroupEgress",
   351              "ec2:AuthorizeSecurityGroupIngress",
   352              "ec2:CancelSpotInstanceRequests",
   353              "ec2:CreateNetworkInterface",
   354              "ec2:CreateSecurityGroup",
   355              "ec2:CreateTags",
   356              "ec2:DeleteNetworkInterface",
   357              "ec2:DeleteSecurityGroup",
   358              "ec2:DeleteTags",
   359              "ec2:DescribeAvailabilityZones",
   360              "ec2:DescribeAccountAttributes",
   361              "ec2:DescribeDhcpOptions",
   362              "ec2:DescribeInstanceStatus",
   363              "ec2:DescribeInstances",
   364              "ec2:DescribeKeyPairs",
   365              "ec2:DescribeNetworkAcls",
   366              "ec2:DescribeNetworkInterfaces",
   367              "ec2:DescribePrefixLists",
   368              "ec2:DescribeRouteTables",
   369              "ec2:DescribeSecurityGroups",
   370              "ec2:DescribeSpotInstanceRequests",
   371              "ec2:DescribeSpotPriceHistory",
   372              "ec2:DescribeSubnets",
   373              "ec2:DescribeVpcAttribute",
   374              "ec2:DescribeVpcEndpoints",
   375              "ec2:DescribeVpcEndpointServices",
   376              "ec2:DescribeVpcs",
   377              "ec2:DetachNetworkInterface",
   378              "ec2:ModifyImageAttribute",
   379              "ec2:ModifyInstanceAttribute",
   380              "ec2:RequestSpotInstances",
   381              "ec2:RevokeSecurityGroupEgress",
   382              "ec2:RunInstances",
   383              "ec2:TerminateInstances",
   384              "ec2:DeleteVolume",
   385              "ec2:DescribeVolumeStatus",
   386              "ec2:DescribeVolumes",
   387              "ec2:DetachVolume",
   388              "iam:GetRole",
   389              "iam:GetRolePolicy",
   390              "iam:ListInstanceProfiles",
   391              "iam:ListRolePolicies",
   392              "iam:PassRole",
   393              "s3:CreateBucket",
   394              "s3:Get*",
   395              "s3:List*",
   396              "sdb:BatchPutAttributes",
   397              "sdb:Select",
   398              "sqs:CreateQueue",
   399              "sqs:Delete*",
   400              "sqs:GetQueue*",
   401              "sqs:PurgeQueue",
   402              "sqs:ReceiveMessage"
   403          ]
   404      }]
   405  }
   406  EOT
   407  }
   408  
   409  # IAM Role for EC2 Instance Profile
   410  resource "aws_iam_role" "iam_emr_profile_role" {
   411    name = "iam_emr_profile_role_%d"
   412  
   413    assume_role_policy = <<EOT
   414  {
   415    "Version": "2008-10-17",
   416    "Statement": [
   417      {
   418        "Sid": "",
   419        "Effect": "Allow",
   420        "Principal": {
   421          "Service": "ec2.amazonaws.com"
   422        },
   423        "Action": "sts:AssumeRole"
   424      }
   425    ]
   426  }
   427  EOT
   428  }
   429  
   430  resource "aws_iam_instance_profile" "emr_profile" {
   431    name  = "emr_profile_%d"
   432    roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
   433  }
   434  
   435  resource "aws_iam_role_policy_attachment" "profile-attach" {
   436    role       = "${aws_iam_role.iam_emr_profile_role.id}"
   437    policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}"
   438  }
   439  
   440  resource "aws_iam_policy" "iam_emr_profile_policy" {
   441    name = "iam_emr_profile_policy_%d"
   442  
   443    policy = <<EOT
   444  {
   445      "Version": "2012-10-17",
   446      "Statement": [{
   447          "Effect": "Allow",
   448          "Resource": "*",
   449          "Action": [
   450              "cloudwatch:*",
   451              "dynamodb:*",
   452              "ec2:Describe*",
   453              "elasticmapreduce:Describe*",
   454              "elasticmapreduce:ListBootstrapActions",
   455              "elasticmapreduce:ListClusters",
   456              "elasticmapreduce:ListInstanceGroups",
   457              "elasticmapreduce:ListInstances",
   458              "elasticmapreduce:ListSteps",
   459              "kinesis:CreateStream",
   460              "kinesis:DeleteStream",
   461              "kinesis:DescribeStream",
   462              "kinesis:GetRecords",
   463              "kinesis:GetShardIterator",
   464              "kinesis:MergeShards",
   465              "kinesis:PutRecord",
   466              "kinesis:SplitShard",
   467              "rds:Describe*",
   468              "s3:*",
   469              "sdb:*",
   470              "sns:*",
   471              "sqs:*"
   472          ]
   473      }]
   474  }
   475  EOT
   476  }
   477  `, r, r, r, r, r, r)
   478  }
   479  
   480  func testAccAWSEmrClusterConfigTerminationPolicyUpdated(r int) string {
   481  	return fmt.Sprintf(`
   482  provider "aws" {
   483    region = "us-west-2"
   484  }
   485  
   486  resource "aws_emr_cluster" "tf-test-cluster" {
   487    name          = "emr-test-%d"
   488    release_label = "emr-4.6.0"
   489    applications  = ["Spark"]
   490  
   491    ec2_attributes {
   492      subnet_id                         = "${aws_subnet.main.id}"
   493      emr_managed_master_security_group = "${aws_security_group.allow_all.id}"
   494      emr_managed_slave_security_group  = "${aws_security_group.allow_all.id}"
   495      instance_profile                  = "${aws_iam_instance_profile.emr_profile.arn}"
   496    }
   497  
   498    master_instance_type = "m3.xlarge"
   499    core_instance_type   = "m3.xlarge"
   500    core_instance_count  = 1
   501  
   502    tags {
   503      role     = "rolename"
   504      dns_zone = "env_zone"
   505      env      = "env"
   506      name     = "name-env"
   507    }
   508  
   509    keep_job_flow_alive_when_no_steps = true
   510    termination_protection = true
   511  
   512    bootstrap_action {
   513      path = "s3://elasticmapreduce/bootstrap-actions/run-if"
   514      name = "runif"
   515      args = ["instance.isMaster=true", "echo running on master node"]
   516    }
   517  
   518    configurations = "test-fixtures/emr_configurations.json"
   519  
   520    depends_on = ["aws_main_route_table_association.a"]
   521  
   522    service_role = "${aws_iam_role.iam_emr_default_role.arn}"
   523  }
   524  
   525  resource "aws_security_group" "allow_all" {
   526    name        = "allow_all"
   527    description = "Allow all inbound traffic"
   528    vpc_id      = "${aws_vpc.main.id}"
   529  
   530    ingress {
   531      from_port   = 0
   532      to_port     = 0
   533      protocol    = "-1"
   534      cidr_blocks = ["0.0.0.0/0"]
   535    }
   536  
   537    egress {
   538      from_port   = 0
   539      to_port     = 0
   540      protocol    = "-1"
   541      cidr_blocks = ["0.0.0.0/0"]
   542    }
   543  
   544    depends_on = ["aws_subnet.main"]
   545  
   546    lifecycle {
   547      ignore_changes = ["ingress", "egress"]
   548    }
   549  
   550    tags {
   551      name = "emr_test"
   552    }
   553  }
   554  
   555  resource "aws_vpc" "main" {
   556    cidr_block           = "168.31.0.0/16"
   557    enable_dns_hostnames = true
   558  
   559    tags {
   560      name = "emr_test"
   561    }
   562  }
   563  
   564  resource "aws_subnet" "main" {
   565    vpc_id     = "${aws_vpc.main.id}"
   566    cidr_block = "168.31.0.0/20"
   567  
   568    tags {
   569      name = "emr_test"
   570    }
   571  }
   572  
   573  resource "aws_internet_gateway" "gw" {
   574    vpc_id = "${aws_vpc.main.id}"
   575  }
   576  
   577  resource "aws_route_table" "r" {
   578    vpc_id = "${aws_vpc.main.id}"
   579  
   580    route {
   581      cidr_block = "0.0.0.0/0"
   582      gateway_id = "${aws_internet_gateway.gw.id}"
   583    }
   584  }
   585  
   586  resource "aws_main_route_table_association" "a" {
   587    vpc_id         = "${aws_vpc.main.id}"
   588    route_table_id = "${aws_route_table.r.id}"
   589  }
   590  
   591  ###
   592  
   593  # IAM things
   594  
   595  ###
   596  
   597  # IAM role for EMR Service
   598  resource "aws_iam_role" "iam_emr_default_role" {
   599    name = "iam_emr_default_role_%d"
   600  
   601    assume_role_policy = <<EOT
   602  {
   603    "Version": "2008-10-17",
   604    "Statement": [
   605      {
   606        "Sid": "",
   607        "Effect": "Allow",
   608        "Principal": {
   609          "Service": "elasticmapreduce.amazonaws.com"
   610        },
   611        "Action": "sts:AssumeRole"
   612      }
   613    ]
   614  }
   615  EOT
   616  }
   617  
   618  resource "aws_iam_role_policy_attachment" "service-attach" {
   619    role       = "${aws_iam_role.iam_emr_default_role.id}"
   620    policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}"
   621  }
   622  
   623  resource "aws_iam_policy" "iam_emr_default_policy" {
   624    name = "iam_emr_default_policy_%d"
   625  
   626    policy = <<EOT
   627  {
   628      "Version": "2012-10-17",
   629      "Statement": [{
   630          "Effect": "Allow",
   631          "Resource": "*",
   632          "Action": [
   633              "ec2:AuthorizeSecurityGroupEgress",
   634              "ec2:AuthorizeSecurityGroupIngress",
   635              "ec2:CancelSpotInstanceRequests",
   636              "ec2:CreateNetworkInterface",
   637              "ec2:CreateSecurityGroup",
   638              "ec2:CreateTags",
   639              "ec2:DeleteNetworkInterface",
   640              "ec2:DeleteSecurityGroup",
   641              "ec2:DeleteTags",
   642              "ec2:DescribeAvailabilityZones",
   643              "ec2:DescribeAccountAttributes",
   644              "ec2:DescribeDhcpOptions",
   645              "ec2:DescribeInstanceStatus",
   646              "ec2:DescribeInstances",
   647              "ec2:DescribeKeyPairs",
   648              "ec2:DescribeNetworkAcls",
   649              "ec2:DescribeNetworkInterfaces",
   650              "ec2:DescribePrefixLists",
   651              "ec2:DescribeRouteTables",
   652              "ec2:DescribeSecurityGroups",
   653              "ec2:DescribeSpotInstanceRequests",
   654              "ec2:DescribeSpotPriceHistory",
   655              "ec2:DescribeSubnets",
   656              "ec2:DescribeVpcAttribute",
   657              "ec2:DescribeVpcEndpoints",
   658              "ec2:DescribeVpcEndpointServices",
   659              "ec2:DescribeVpcs",
   660              "ec2:DetachNetworkInterface",
   661              "ec2:ModifyImageAttribute",
   662              "ec2:ModifyInstanceAttribute",
   663              "ec2:RequestSpotInstances",
   664              "ec2:RevokeSecurityGroupEgress",
   665              "ec2:RunInstances",
   666              "ec2:TerminateInstances",
   667              "ec2:DeleteVolume",
   668              "ec2:DescribeVolumeStatus",
   669              "ec2:DescribeVolumes",
   670              "ec2:DetachVolume",
   671              "iam:GetRole",
   672              "iam:GetRolePolicy",
   673              "iam:ListInstanceProfiles",
   674              "iam:ListRolePolicies",
   675              "iam:PassRole",
   676              "s3:CreateBucket",
   677              "s3:Get*",
   678              "s3:List*",
   679              "sdb:BatchPutAttributes",
   680              "sdb:Select",
   681              "sqs:CreateQueue",
   682              "sqs:Delete*",
   683              "sqs:GetQueue*",
   684              "sqs:PurgeQueue",
   685              "sqs:ReceiveMessage"
   686          ]
   687      }]
   688  }
   689  EOT
   690  }
   691  
   692  # IAM Role for EC2 Instance Profile
   693  resource "aws_iam_role" "iam_emr_profile_role" {
   694    name = "iam_emr_profile_role_%d"
   695  
   696    assume_role_policy = <<EOT
   697  {
   698    "Version": "2008-10-17",
   699    "Statement": [
   700      {
   701        "Sid": "",
   702        "Effect": "Allow",
   703        "Principal": {
   704          "Service": "ec2.amazonaws.com"
   705        },
   706        "Action": "sts:AssumeRole"
   707      }
   708    ]
   709  }
   710  EOT
   711  }
   712  
   713  resource "aws_iam_instance_profile" "emr_profile" {
   714    name  = "emr_profile_%d"
   715    roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
   716  }
   717  
   718  resource "aws_iam_role_policy_attachment" "profile-attach" {
   719    role       = "${aws_iam_role.iam_emr_profile_role.id}"
   720    policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}"
   721  }
   722  
   723  resource "aws_iam_policy" "iam_emr_profile_policy" {
   724    name = "iam_emr_profile_policy_%d"
   725  
   726    policy = <<EOT
   727  {
   728      "Version": "2012-10-17",
   729      "Statement": [{
   730          "Effect": "Allow",
   731          "Resource": "*",
   732          "Action": [
   733              "cloudwatch:*",
   734              "dynamodb:*",
   735              "ec2:Describe*",
   736              "elasticmapreduce:Describe*",
   737              "elasticmapreduce:ListBootstrapActions",
   738              "elasticmapreduce:ListClusters",
   739              "elasticmapreduce:ListInstanceGroups",
   740              "elasticmapreduce:ListInstances",
   741              "elasticmapreduce:ListSteps",
   742              "kinesis:CreateStream",
   743              "kinesis:DeleteStream",
   744              "kinesis:DescribeStream",
   745              "kinesis:GetRecords",
   746              "kinesis:GetShardIterator",
   747              "kinesis:MergeShards",
   748              "kinesis:PutRecord",
   749              "kinesis:SplitShard",
   750              "rds:Describe*",
   751              "s3:*",
   752              "sdb:*",
   753              "sns:*",
   754              "sqs:*"
   755          ]
   756      }]
   757  }
   758  EOT
   759  }
   760  `, r, r, r, r, r, r)
   761  }
   762  
   763  func testAccAWSEmrClusterConfigVisibleToAllUsersUpdated(r int) string {
   764  	return fmt.Sprintf(`
   765  provider "aws" {
   766    region = "us-west-2"
   767  }
   768  
   769  resource "aws_emr_cluster" "tf-test-cluster" {
   770    name          = "emr-test-%d"
   771    release_label = "emr-4.6.0"
   772    applications  = ["Spark"]
   773  
   774    ec2_attributes {
   775      subnet_id                         = "${aws_subnet.main.id}"
   776      emr_managed_master_security_group = "${aws_security_group.allow_all.id}"
   777      emr_managed_slave_security_group  = "${aws_security_group.allow_all.id}"
   778      instance_profile                  = "${aws_iam_instance_profile.emr_profile.arn}"
   779    }
   780  
   781    master_instance_type = "m3.xlarge"
   782    core_instance_type   = "m3.xlarge"
   783    core_instance_count  = 1
   784  
   785    tags {
   786      role     = "rolename"
   787      dns_zone = "env_zone"
   788      env      = "env"
   789      name     = "name-env"
   790    }
   791  
   792    keep_job_flow_alive_when_no_steps = true
   793    visible_to_all_users = false
   794  
   795    bootstrap_action {
   796      path = "s3://elasticmapreduce/bootstrap-actions/run-if"
   797      name = "runif"
   798      args = ["instance.isMaster=true", "echo running on master node"]
   799    }
   800  
   801    configurations = "test-fixtures/emr_configurations.json"
   802  
   803    depends_on = ["aws_main_route_table_association.a"]
   804  
   805    service_role = "${aws_iam_role.iam_emr_default_role.arn}"
   806  }
   807  
   808  resource "aws_security_group" "allow_all" {
   809    name        = "allow_all"
   810    description = "Allow all inbound traffic"
   811    vpc_id      = "${aws_vpc.main.id}"
   812  
   813    ingress {
   814      from_port   = 0
   815      to_port     = 0
   816      protocol    = "-1"
   817      cidr_blocks = ["0.0.0.0/0"]
   818    }
   819  
   820    egress {
   821      from_port   = 0
   822      to_port     = 0
   823      protocol    = "-1"
   824      cidr_blocks = ["0.0.0.0/0"]
   825    }
   826  
   827    depends_on = ["aws_subnet.main"]
   828  
   829    lifecycle {
   830      ignore_changes = ["ingress", "egress"]
   831    }
   832  
   833    tags {
   834      name = "emr_test"
   835    }
   836  }
   837  
   838  resource "aws_vpc" "main" {
   839    cidr_block           = "168.31.0.0/16"
   840    enable_dns_hostnames = true
   841  
   842    tags {
   843      name = "emr_test"
   844    }
   845  }
   846  
   847  resource "aws_subnet" "main" {
   848    vpc_id     = "${aws_vpc.main.id}"
   849    cidr_block = "168.31.0.0/20"
   850  
   851    tags {
   852      name = "emr_test"
   853    }
   854  }
   855  
   856  resource "aws_internet_gateway" "gw" {
   857    vpc_id = "${aws_vpc.main.id}"
   858  }
   859  
   860  resource "aws_route_table" "r" {
   861    vpc_id = "${aws_vpc.main.id}"
   862  
   863    route {
   864      cidr_block = "0.0.0.0/0"
   865      gateway_id = "${aws_internet_gateway.gw.id}"
   866    }
   867  }
   868  
   869  resource "aws_main_route_table_association" "a" {
   870    vpc_id         = "${aws_vpc.main.id}"
   871    route_table_id = "${aws_route_table.r.id}"
   872  }
   873  
   874  ###
   875  
   876  # IAM things
   877  
   878  ###
   879  
   880  # IAM role for EMR Service
   881  resource "aws_iam_role" "iam_emr_default_role" {
   882    name = "iam_emr_default_role_%d"
   883  
   884    assume_role_policy = <<EOT
   885  {
   886    "Version": "2008-10-17",
   887    "Statement": [
   888      {
   889        "Sid": "",
   890        "Effect": "Allow",
   891        "Principal": {
   892          "Service": "elasticmapreduce.amazonaws.com"
   893        },
   894        "Action": "sts:AssumeRole"
   895      }
   896    ]
   897  }
   898  EOT
   899  }
   900  
   901  resource "aws_iam_role_policy_attachment" "service-attach" {
   902    role       = "${aws_iam_role.iam_emr_default_role.id}"
   903    policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}"
   904  }
   905  
   906  resource "aws_iam_policy" "iam_emr_default_policy" {
   907    name = "iam_emr_default_policy_%d"
   908  
   909    policy = <<EOT
   910  {
   911      "Version": "2012-10-17",
   912      "Statement": [{
   913          "Effect": "Allow",
   914          "Resource": "*",
   915          "Action": [
   916              "ec2:AuthorizeSecurityGroupEgress",
   917              "ec2:AuthorizeSecurityGroupIngress",
   918              "ec2:CancelSpotInstanceRequests",
   919              "ec2:CreateNetworkInterface",
   920              "ec2:CreateSecurityGroup",
   921              "ec2:CreateTags",
   922              "ec2:DeleteNetworkInterface",
   923              "ec2:DeleteSecurityGroup",
   924              "ec2:DeleteTags",
   925              "ec2:DescribeAvailabilityZones",
   926              "ec2:DescribeAccountAttributes",
   927              "ec2:DescribeDhcpOptions",
   928              "ec2:DescribeInstanceStatus",
   929              "ec2:DescribeInstances",
   930              "ec2:DescribeKeyPairs",
   931              "ec2:DescribeNetworkAcls",
   932              "ec2:DescribeNetworkInterfaces",
   933              "ec2:DescribePrefixLists",
   934              "ec2:DescribeRouteTables",
   935              "ec2:DescribeSecurityGroups",
   936              "ec2:DescribeSpotInstanceRequests",
   937              "ec2:DescribeSpotPriceHistory",
   938              "ec2:DescribeSubnets",
   939              "ec2:DescribeVpcAttribute",
   940              "ec2:DescribeVpcEndpoints",
   941              "ec2:DescribeVpcEndpointServices",
   942              "ec2:DescribeVpcs",
   943              "ec2:DetachNetworkInterface",
   944              "ec2:ModifyImageAttribute",
   945              "ec2:ModifyInstanceAttribute",
   946              "ec2:RequestSpotInstances",
   947              "ec2:RevokeSecurityGroupEgress",
   948              "ec2:RunInstances",
   949              "ec2:TerminateInstances",
   950              "ec2:DeleteVolume",
   951              "ec2:DescribeVolumeStatus",
   952              "ec2:DescribeVolumes",
   953              "ec2:DetachVolume",
   954              "iam:GetRole",
   955              "iam:GetRolePolicy",
   956              "iam:ListInstanceProfiles",
   957              "iam:ListRolePolicies",
   958              "iam:PassRole",
   959              "s3:CreateBucket",
   960              "s3:Get*",
   961              "s3:List*",
   962              "sdb:BatchPutAttributes",
   963              "sdb:Select",
   964              "sqs:CreateQueue",
   965              "sqs:Delete*",
   966              "sqs:GetQueue*",
   967              "sqs:PurgeQueue",
   968              "sqs:ReceiveMessage"
   969          ]
   970      }]
   971  }
   972  EOT
   973  }
   974  
   975  # IAM Role for EC2 Instance Profile
   976  resource "aws_iam_role" "iam_emr_profile_role" {
   977    name = "iam_emr_profile_role_%d"
   978  
   979    assume_role_policy = <<EOT
   980  {
   981    "Version": "2008-10-17",
   982    "Statement": [
   983      {
   984        "Sid": "",
   985        "Effect": "Allow",
   986        "Principal": {
   987          "Service": "ec2.amazonaws.com"
   988        },
   989        "Action": "sts:AssumeRole"
   990      }
   991    ]
   992  }
   993  EOT
   994  }
   995  
   996  resource "aws_iam_instance_profile" "emr_profile" {
   997    name  = "emr_profile_%d"
   998    roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
   999  }
  1000  
  1001  resource "aws_iam_role_policy_attachment" "profile-attach" {
  1002    role       = "${aws_iam_role.iam_emr_profile_role.id}"
  1003    policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}"
  1004  }
  1005  
  1006  resource "aws_iam_policy" "iam_emr_profile_policy" {
  1007    name = "iam_emr_profile_policy_%d"
  1008  
  1009    policy = <<EOT
  1010  {
  1011      "Version": "2012-10-17",
  1012      "Statement": [{
  1013          "Effect": "Allow",
  1014          "Resource": "*",
  1015          "Action": [
  1016              "cloudwatch:*",
  1017              "dynamodb:*",
  1018              "ec2:Describe*",
  1019              "elasticmapreduce:Describe*",
  1020              "elasticmapreduce:ListBootstrapActions",
  1021              "elasticmapreduce:ListClusters",
  1022              "elasticmapreduce:ListInstanceGroups",
  1023              "elasticmapreduce:ListInstances",
  1024              "elasticmapreduce:ListSteps",
  1025              "kinesis:CreateStream",
  1026              "kinesis:DeleteStream",
  1027              "kinesis:DescribeStream",
  1028              "kinesis:GetRecords",
  1029              "kinesis:GetShardIterator",
  1030              "kinesis:MergeShards",
  1031              "kinesis:PutRecord",
  1032              "kinesis:SplitShard",
  1033              "rds:Describe*",
  1034              "s3:*",
  1035              "sdb:*",
  1036              "sns:*",
  1037              "sqs:*"
  1038          ]
  1039      }]
  1040  }
  1041  EOT
  1042  }
  1043  `, r, r, r, r, r, r)
  1044  }
  1045  
  1046  func testAccAWSEmrClusterConfigUpdatedTags(r int) string {
  1047  	return fmt.Sprintf(`
  1048  provider "aws" {
  1049    region = "us-west-2"
  1050  }
  1051  
  1052  resource "aws_emr_cluster" "tf-test-cluster" {
  1053    name          = "emr-test-%d"
  1054    release_label = "emr-4.6.0"
  1055    applications  = ["Spark"]
  1056  
  1057    ec2_attributes {
  1058      subnet_id                         = "${aws_subnet.main.id}"
  1059      emr_managed_master_security_group = "${aws_security_group.allow_all.id}"
  1060      emr_managed_slave_security_group  = "${aws_security_group.allow_all.id}"
  1061      instance_profile                  = "${aws_iam_instance_profile.emr_profile.arn}"
  1062    }
  1063  
  1064    master_instance_type = "m3.xlarge"
  1065    core_instance_type   = "m3.xlarge"
  1066    core_instance_count  = 1
  1067  
  1068    tags {
  1069      dns_zone = "new_zone"
  1070      Env      = "production"
  1071      name     = "name-env"
  1072    }
  1073  
  1074    keep_job_flow_alive_when_no_steps = true
  1075    termination_protection = false
  1076  
  1077    bootstrap_action {
  1078      path = "s3://elasticmapreduce/bootstrap-actions/run-if"
  1079      name = "runif"
  1080      args = ["instance.isMaster=true", "echo running on master node"]
  1081    }
  1082  
  1083    configurations = "test-fixtures/emr_configurations.json"
  1084  
  1085    depends_on = ["aws_main_route_table_association.a"]
  1086  
  1087    service_role = "${aws_iam_role.iam_emr_default_role.arn}"
  1088  }
  1089  
  1090  resource "aws_security_group" "allow_all" {
  1091    name        = "allow_all"
  1092    description = "Allow all inbound traffic"
  1093    vpc_id      = "${aws_vpc.main.id}"
  1094  
  1095    ingress {
  1096      from_port   = 0
  1097      to_port     = 0
  1098      protocol    = "-1"
  1099      cidr_blocks = ["0.0.0.0/0"]
  1100    }
  1101  
  1102    egress {
  1103      from_port   = 0
  1104      to_port     = 0
  1105      protocol    = "-1"
  1106      cidr_blocks = ["0.0.0.0/0"]
  1107    }
  1108  
  1109    depends_on = ["aws_subnet.main"]
  1110  
  1111    lifecycle {
  1112      ignore_changes = ["ingress", "egress"]
  1113    }
  1114  
  1115    tags {
  1116      name = "emr_test"
  1117    }
  1118  }
  1119  
  1120  resource "aws_vpc" "main" {
  1121    cidr_block           = "168.31.0.0/16"
  1122    enable_dns_hostnames = true
  1123  
  1124    tags {
  1125      name = "emr_test"
  1126    }
  1127  }
  1128  
  1129  resource "aws_subnet" "main" {
  1130    vpc_id     = "${aws_vpc.main.id}"
  1131    cidr_block = "168.31.0.0/20"
  1132  
  1133    tags {
  1134      name = "emr_test"
  1135    }
  1136  }
  1137  
  1138  resource "aws_internet_gateway" "gw" {
  1139    vpc_id = "${aws_vpc.main.id}"
  1140  }
  1141  
  1142  resource "aws_route_table" "r" {
  1143    vpc_id = "${aws_vpc.main.id}"
  1144  
  1145    route {
  1146      cidr_block = "0.0.0.0/0"
  1147      gateway_id = "${aws_internet_gateway.gw.id}"
  1148    }
  1149  }
  1150  
  1151  resource "aws_main_route_table_association" "a" {
  1152    vpc_id         = "${aws_vpc.main.id}"
  1153    route_table_id = "${aws_route_table.r.id}"
  1154  }
  1155  
  1156  ###
  1157  
  1158  # IAM things
  1159  
  1160  ###
  1161  
  1162  # IAM role for EMR Service
  1163  resource "aws_iam_role" "iam_emr_default_role" {
  1164    name = "iam_emr_default_role_%d"
  1165  
  1166    assume_role_policy = <<EOT
  1167  {
  1168    "Version": "2008-10-17",
  1169    "Statement": [
  1170      {
  1171        "Sid": "",
  1172        "Effect": "Allow",
  1173        "Principal": {
  1174          "Service": "elasticmapreduce.amazonaws.com"
  1175        },
  1176        "Action": "sts:AssumeRole"
  1177      }
  1178    ]
  1179  }
  1180  EOT
  1181  }
  1182  
  1183  resource "aws_iam_role_policy_attachment" "service-attach" {
  1184    role       = "${aws_iam_role.iam_emr_default_role.id}"
  1185    policy_arn = "${aws_iam_policy.iam_emr_default_policy.arn}"
  1186  }
  1187  
  1188  resource "aws_iam_policy" "iam_emr_default_policy" {
  1189    name = "iam_emr_default_policy_%d"
  1190  
  1191    policy = <<EOT
  1192  {
  1193      "Version": "2012-10-17",
  1194      "Statement": [{
  1195          "Effect": "Allow",
  1196          "Resource": "*",
  1197          "Action": [
  1198              "ec2:AuthorizeSecurityGroupEgress",
  1199              "ec2:AuthorizeSecurityGroupIngress",
  1200              "ec2:CancelSpotInstanceRequests",
  1201              "ec2:CreateNetworkInterface",
  1202              "ec2:CreateSecurityGroup",
  1203              "ec2:CreateTags",
  1204              "ec2:DeleteNetworkInterface",
  1205              "ec2:DeleteSecurityGroup",
  1206              "ec2:DeleteTags",
  1207              "ec2:DescribeAvailabilityZones",
  1208              "ec2:DescribeAccountAttributes",
  1209              "ec2:DescribeDhcpOptions",
  1210              "ec2:DescribeInstanceStatus",
  1211              "ec2:DescribeInstances",
  1212              "ec2:DescribeKeyPairs",
  1213              "ec2:DescribeNetworkAcls",
  1214              "ec2:DescribeNetworkInterfaces",
  1215              "ec2:DescribePrefixLists",
  1216              "ec2:DescribeRouteTables",
  1217              "ec2:DescribeSecurityGroups",
  1218              "ec2:DescribeSpotInstanceRequests",
  1219              "ec2:DescribeSpotPriceHistory",
  1220              "ec2:DescribeSubnets",
  1221              "ec2:DescribeVpcAttribute",
  1222              "ec2:DescribeVpcEndpoints",
  1223              "ec2:DescribeVpcEndpointServices",
  1224              "ec2:DescribeVpcs",
  1225              "ec2:DetachNetworkInterface",
  1226              "ec2:ModifyImageAttribute",
  1227              "ec2:ModifyInstanceAttribute",
  1228              "ec2:RequestSpotInstances",
  1229              "ec2:RevokeSecurityGroupEgress",
  1230              "ec2:RunInstances",
  1231              "ec2:TerminateInstances",
  1232              "ec2:DeleteVolume",
  1233              "ec2:DescribeVolumeStatus",
  1234              "ec2:DescribeVolumes",
  1235              "ec2:DetachVolume",
  1236              "iam:GetRole",
  1237              "iam:GetRolePolicy",
  1238              "iam:ListInstanceProfiles",
  1239              "iam:ListRolePolicies",
  1240              "iam:PassRole",
  1241              "s3:CreateBucket",
  1242              "s3:Get*",
  1243              "s3:List*",
  1244              "sdb:BatchPutAttributes",
  1245              "sdb:Select",
  1246              "sqs:CreateQueue",
  1247              "sqs:Delete*",
  1248              "sqs:GetQueue*",
  1249              "sqs:PurgeQueue",
  1250              "sqs:ReceiveMessage"
  1251          ]
  1252      }]
  1253  }
  1254  EOT
  1255  }
  1256  
  1257  # IAM Role for EC2 Instance Profile
  1258  resource "aws_iam_role" "iam_emr_profile_role" {
  1259    name = "iam_emr_profile_role_%d"
  1260  
  1261    assume_role_policy = <<EOT
  1262  {
  1263    "Version": "2008-10-17",
  1264    "Statement": [
  1265      {
  1266        "Sid": "",
  1267        "Effect": "Allow",
  1268        "Principal": {
  1269          "Service": "ec2.amazonaws.com"
  1270        },
  1271        "Action": "sts:AssumeRole"
  1272      }
  1273    ]
  1274  }
  1275  EOT
  1276  }
  1277  
  1278  resource "aws_iam_instance_profile" "emr_profile" {
  1279    name  = "emr_profile_%d"
  1280    roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
  1281  }
  1282  
  1283  resource "aws_iam_role_policy_attachment" "profile-attach" {
  1284    role       = "${aws_iam_role.iam_emr_profile_role.id}"
  1285    policy_arn = "${aws_iam_policy.iam_emr_profile_policy.arn}"
  1286  }
  1287  
  1288  resource "aws_iam_policy" "iam_emr_profile_policy" {
  1289    name = "iam_emr_profile_policy_%d"
  1290  
  1291    policy = <<EOT
  1292  {
  1293      "Version": "2012-10-17",
  1294      "Statement": [{
  1295          "Effect": "Allow",
  1296          "Resource": "*",
  1297          "Action": [
  1298              "cloudwatch:*",
  1299              "dynamodb:*",
  1300              "ec2:Describe*",
  1301              "elasticmapreduce:Describe*",
  1302              "elasticmapreduce:ListBootstrapActions",
  1303              "elasticmapreduce:ListClusters",
  1304              "elasticmapreduce:ListInstanceGroups",
  1305              "elasticmapreduce:ListInstances",
  1306              "elasticmapreduce:ListSteps",
  1307              "kinesis:CreateStream",
  1308              "kinesis:DeleteStream",
  1309              "kinesis:DescribeStream",
  1310              "kinesis:GetRecords",
  1311              "kinesis:GetShardIterator",
  1312              "kinesis:MergeShards",
  1313              "kinesis:PutRecord",
  1314              "kinesis:SplitShard",
  1315              "rds:Describe*",
  1316              "s3:*",
  1317              "sdb:*",
  1318              "sns:*",
  1319              "sqs:*"
  1320          ]
  1321      }]
  1322  }
  1323  EOT
  1324  }
  1325  `, r, r, r, r, r, r)
  1326  }