-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resource/aws_ssm_document: Update SSM Document Permission Updates to Clear Permission Before Updating #5685
resource/aws_ssm_document: Update SSM Document Permission Updates to Clear Permission Before Updating #5685
Conversation
aws/resource_aws_ssm_document.go
Outdated
// Since AccountIdsToRemove has higher priority than AccountIdsToAdd, | ||
// we update permissions in two steps: we remove all existing permissions | ||
// before adding new permissions. | ||
o, _ := d.GetChange("permissions") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like we should be performing a difference against the old and new permissions so updates do not intentionally create "downtime", especially if the second ModifyDocumentPermission
API call fails.
I would recommend setting this up using something like the below which should perform this update in one API call (in pseudo-code):
if d.HasChange("permissions") {
o, n := d.GetChange("permissions")
oldPermissions := o.(map[string]interface{})
newPermissions := n.(map[string]interface{})
oldPermissionsAccountIds := make([]string, 0)
if v, ok := oldPermissions["account_ids"]; ok && v.(string) != "" {
oldPermissionsAccountIds = strings.Split(v.(string), ",")
}
newPermissionsAccountIds := make([]string, 0)
if v, ok := newPermissions["account_ids"]; ok && v.(string) != "" {
newPermissionsAccountIds = strings.Split(v.(string), ",")
}
accountIdsToRemove := make([]string, 0)
for _, oldPermissionsAccountId := range oldPermissionsAccountIds {
if _, contains := sliceContainsString(newPermissionsAccountIds, oldPermissionsAccountId); !contains {
accountIdsToRemove = append(accountIdsToRemove, oldPermissionsAccountId)
}
}
accountIdsToAdd := make([]string, 0)
for _, newPermissionsAccountId := range newPermissionsAccountIds {
if _, contains := sliceContainsString(oldPermissionsAccountIds, newPermissionsAccountId); !contains {
accountIdsToAdd = append(accountIdsToAdd, newPermissionsAccountId)
}
}
input := &ssm.ModifyDocumentPermissionInput{
Name: aws.String(d.Get("name").(string)),
PermissionType: aws.String("Share"),
AccountIdsToAdd: aws.StringSlice(accountIdsToAdd),
AccountIdsToRemove: aws.StringSlice(accountIdsToRemove),
}
log.Printf("[DEBUG] Modifying SSM document permissions: %s", input)
_, err := ssmconn.ModifyDocumentPermission(input)
if err != nil {
return fmt.Errorf("error modifying SSM document permissions: %s", err)
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @brandonstevens 👋 Thanks for submitting this. I left some initial feedback below. Can you please take a look and let us know if you have any questions or do not have time to implement?
aws/resource_aws_ssm_document.go
Outdated
_, err := ssmconn.ModifyDocumentPermission(permClearInput) | ||
|
||
if err != nil { | ||
return errwrap.Wrapf("[ERROR] Error removing permissions for SSM document: {{err}}", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: Regardless of other changes, we prefer fmt.Errorf()
over errwrap.Wrapf()
as we do not need the complexity introduced by errwrap
when returning simple error messages. We are trying to clean this up across the codebase. 😄
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccAWSSSMDocumentPrivatePermissionConfig(name, initial_ids), | ||
Check: resource.ComposeTestCheckFunc( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This check should verify the value of the account IDs either via resource.TestCheckResourceAttr("aws_ssm_document.foo", "permissions.account_ids", initialIds),
or writing a new testAccCheck
function that verifies it from the API.
"aws_ssm_document.foo", "permissions.type", "Share"), | ||
), | ||
}, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have another TestStep that adds IDs and verifies they were updated. 👍
@@ -108,6 +108,35 @@ func TestAccAWSSSMDocument_permission_private(t *testing.T) { | |||
}) | |||
} | |||
|
|||
func TestAccAWSSSMDocument_permission_change(t *testing.T) { | |||
name := acctest.RandString(10) | |||
initial_ids := "123456789012,123456789013" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: Go styling recommends camelCase naming instead of underscores.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @brandonstevens! 🚀
9 tests passed (all tests)
--- PASS: TestAccAWSSSMDocument_basic (11.08s)
--- PASS: TestAccAWSSSMDocument_update (15.30s)
--- PASS: TestAccAWSSSMDocument_params (17.94s)
--- PASS: TestAccAWSSSMDocument_automation (21.10s)
--- PASS: TestAccAWSSSMDocument_permission_private (27.91s)
--- PASS: TestAccAWSSSMDocument_DocumentFormat_YAML (28.49s)
--- PASS: TestAccAWSSSMDocument_permission_change (31.82s)
--- PASS: TestAccAWSSSMDocument_Tags (34.76s)
--- PASS: TestAccAWSSSMDocument_permission_public (55.92s)
This has been released in version 1.34.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Reference: #5308
Changes proposed in this pull request:
Output from acceptance testing: