Adds domain and domain-iam-role-name parameters to resource aws_db_in…

…stance. This commit adds the domain related parameters to allow aws_db_instances to be joined to a Directory Services Active Directory domain. The original work to add the parameters was merged from mwalkera125 in #5226. Subsequent changes added acceptance tests and documentation for the new arguments and attributes. Co-authored-by: Mike Walker <[email protected]> Co-authored-by: Matthew Burtless <[email protected]>
hashicorp · Jul 30, 2018 · 2ad8d53 · 2ad8d53
2 parents 23aa87f + e7806b1
commit 2ad8d53
Show file tree

Hide file tree

Showing 3 changed files with 178 additions and 0 deletions.
diff --git a/aws/resource_aws_db_instance.go b/aws/resource_aws_db_instance.go
@@ -404,6 +404,18 @@ func resourceAwsDbInstance() *schema.Resource {
 				},
 			},
 
+			"domain": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+
+			"domain_iam_role_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+
 			"tags": tagsSchema(),
 		},
 	}
@@ -891,6 +903,14 @@ func resourceAwsDbInstanceCreate(d *schema.ResourceData, meta interface{}) error
 			opts.EnableIAMDatabaseAuthentication = aws.Bool(attr.(bool))
 		}
 
+		if attr, ok := d.GetOk("domain"); ok {
+			opts.Domain = aws.String(attr.(string))
+		}
+
+		if attr, ok := d.GetOk("domain_iam_role_name"); ok {
+			opts.DomainIAMRoleName = aws.String(attr.(string))
+		}
+
 		log.Printf("[DEBUG] DB Instance create configuration: %#v", opts)
 		var err error
 		err = resource.Retry(5*time.Minute, func() *resource.RetryError {
@@ -1012,6 +1032,11 @@ func resourceAwsDbInstanceRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error setting enabled_cloudwatch_logs_exports: %s", err)
 	}
 
+	if v.DomainMemberships != nil {
+		d.Set("domain", v.DomainMemberships[0].Domain)
+		d.Set("domain_iam_role_name", v.DomainMemberships[0].IAMRoleName)
+	}
+
 	// list tags for resource
 	// set tags
 	conn := meta.(*AWSClient).rdsconn
@@ -1262,6 +1287,18 @@ func resourceAwsDbInstanceUpdate(d *schema.ResourceData, meta interface{}) error
 		requestUpdate = true
 	}
 
+	if d.HasChange("domain") && !d.IsNewResource() {
+		d.SetPartial("domain")
+		req.Domain = aws.String(d.Get("domain").(string))
+		requestUpdate = true
+	}
+
+	if d.HasChange("domain_iam_role_name") && !d.IsNewResource() {
+		d.SetPartial("domain_iam_role_name")
+		req.DomainIAMRoleName = aws.String(d.Get("domain_iam_role_name").(string))
+		requestUpdate = true
+	}
+
 	log.Printf("[DEBUG] Send DB Instance Modification request: %t", requestUpdate)
 	if requestUpdate {
 		log.Printf("[DEBUG] DB Instance Modification request: %s", req)

diff --git a/aws/resource_aws_db_instance_test.go b/aws/resource_aws_db_instance_test.go
@@ -459,6 +459,33 @@ func TestAccAWSDBInstance_MSSQL_TZ(t *testing.T) {
 	})
 }
 
+func TestAccAWSDBInstance_MSSQL_Domain(t *testing.T) {
+	var v rds.DBInstance
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSDBInstanceDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSDBMSSQL_domain(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSDBInstanceExists("aws_db_instance.mssql", &v),
+					resource.TestCheckResourceAttrSet(
+						"aws_db_instance.mssql", "domain"),
+					resource.TestCheckResourceAttrSet(
+						"aws_db_instance.mssql", "domain_iam_role_name"),
+					resource.TestCheckResourceAttr(
+						"aws_db_instance.mssql", "allocated_storage", "20"),
+					resource.TestCheckResourceAttr(
+						"aws_db_instance.mssql", "engine", "sqlserver-ex"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSDBInstance_MinorVersion(t *testing.T) {
 	var v rds.DBInstance
 
@@ -1633,6 +1660,116 @@ resource "aws_security_group_rule" "rds-mssql-1" {
 `, rInt, rInt, rInt)
 }
 
+func testAccAWSDBMSSQL_domain(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_vpc" "foo" {
+  cidr_block           = "10.1.0.0/16"
+  enable_dns_hostnames = true
+  tags {
+    Name = "terraform-testacc-db-instance-mssql-domain"
+  }
+}
+
+resource "aws_db_subnet_group" "rds_one" {
+  name        = "tf_acc_test_%d"
+  description = "db subnets for rds_one"
+
+  subnet_ids = ["${aws_subnet.main.id}", "${aws_subnet.other.id}"]
+}
+
+resource "aws_subnet" "main" {
+  vpc_id            = "${aws_vpc.foo.id}"
+  availability_zone = "us-west-2a"
+  cidr_block        = "10.1.1.0/24"
+  tags {
+    Name = "tf-acc-db-instance-mssql-domain-main"
+  }
+}
+
+resource "aws_subnet" "other" {
+  vpc_id            = "${aws_vpc.foo.id}"
+  availability_zone = "us-west-2b"
+  cidr_block        = "10.1.2.0/24"
+  tags {
+    Name = "tf-acc-db-instance-mssql-domain-other"
+  }
+}
+
+resource "aws_db_instance" "mssql" {
+  identifier = "tf-test-mssql-%d"
+
+  db_subnet_group_name = "${aws_db_subnet_group.rds_one.name}"
+
+  instance_class          = "db.t2.micro"
+  allocated_storage       = 20
+  username                = "somecrazyusername"
+  password                = "somecrazypassword"
+  engine                  = "sqlserver-ex"
+  backup_retention_period = 0
+  skip_final_snapshot = true
+
+  domain                  = "${aws_directory_service_directory.directory.id}"
+  domain_iam_role_name    = "${aws_iam_role.role.name}"
+
+  vpc_security_group_ids = ["${aws_security_group.rds-mssql.id}"]
+}
+
+resource "aws_security_group" "rds-mssql" {
+  name = "tf-rds-mssql-test-%d"
+
+  description = "TF Testing"
+  vpc_id      = "${aws_vpc.foo.id}"
+}
+
+resource "aws_security_group_rule" "rds-mssql-1" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.rds-mssql.id}"
+}
+
+resource "aws_directory_service_directory" "directory" {
+  name     = "corp.somedomain.com"
+  password = "SuperSecretPassw0rd"
+  type     = "MicrosoftAD"
+  edition  = "Standard"
+  
+  vpc_settings {
+    vpc_id     = "${aws_vpc.foo.id}"
+    subnet_ids = ["${aws_subnet.main.id}", "${aws_subnet.other.id}"]
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name = "tf-acc-db-instance-mssql-domain-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "rds.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "attatch-policy" {
+  role       = "${aws_iam_role.role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"
+}
+`, rInt, rInt, rInt)
+}
+
 var testAccAWSDBInstanceConfigAutoMinorVersion = fmt.Sprintf(`
 resource "aws_db_instance" "bar" {
   identifier = "foobarbaz-test-terraform-%d"

diff --git a/website/docs/r/db_instance.html.markdown b/website/docs/r/db_instance.html.markdown
@@ -91,6 +91,8 @@ with read replicas, it needs to be specified only if the source database
 specifies an instance in another AWS Region. See [DBSubnetGroupName in API
 action CreateDBInstanceReadReplica](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstanceReadReplica.html)
 for additonal read replica contraints.
+* `domain` - (Optional) The ID of the Directory Service Active Directory domain to create the instance in.
+* `domain_iam_role_name` - (Optional, but required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service.
 * `enabled_cloudwatch_logs_exports` - (Optional) Name list of enable log type for exporting to cloudwatch logs. If omitted, any logs will not be exported to cloudwatch logs.
    Either of the following is supported: `audit`, `error`, `general`, `slowquery`.
 * `engine` - (Required unless a `snapshot_identifier` or `replicate_source_db`
@@ -239,6 +241,8 @@ In addition to all arguments above, the following attributes are exported:
 * `backup_window` - The backup window.
 * `ca_cert_identifier` - Specifies the identifier of the CA certificate for the
 DB instance.
+* `domain` - The ID of the Directory Service Active Directory domain the instance is joined to
+* `domain_iam_role_name` - The name of the IAM role to be used when making API calls to the Directory Service.
 * `endpoint` - The connection endpoint.
 * `engine` - The database engine.
 * `engine_version` - The database engine version.