New AWS resource `ssm_activation` (#9111)

Adding a new resource to support activation of managed instances for
on-premise virtual-machines.
This commit is contained in:
Liam Bennett 2016-10-28 10:59:12 +01:00 committed by Paul Stack
parent 3500630243
commit 8fee7642a9
4 changed files with 365 additions and 0 deletions

View File

@ -332,6 +332,7 @@ func Provider() terraform.ResourceProvider {
"aws_security_group": resourceAwsSecurityGroup(), "aws_security_group": resourceAwsSecurityGroup(),
"aws_security_group_rule": resourceAwsSecurityGroupRule(), "aws_security_group_rule": resourceAwsSecurityGroupRule(),
"aws_simpledb_domain": resourceAwsSimpleDBDomain(), "aws_simpledb_domain": resourceAwsSimpleDBDomain(),
"aws_ssm_activation": resourceAwsSsmActivation(),
"aws_ssm_association": resourceAwsSsmAssociation(), "aws_ssm_association": resourceAwsSsmAssociation(),
"aws_ssm_document": resourceAwsSsmDocument(), "aws_ssm_document": resourceAwsSsmDocument(),
"aws_spot_datafeed_subscription": resourceAwsSpotDataFeedSubscription(), "aws_spot_datafeed_subscription": resourceAwsSpotDataFeedSubscription(),

View File

@ -0,0 +1,168 @@
package aws
import (
"fmt"
"log"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/ssm"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceAwsSsmActivation() *schema.Resource {
return &schema.Resource{
Create: resourceAwsSsmActivationCreate,
Read: resourceAwsSsmActivationRead,
Delete: resourceAwsSsmActivationDelete,
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"description": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"expired": &schema.Schema{
Type: schema.TypeString,
Computed: true,
},
"expiration_date": &schema.Schema{
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"iam_role": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"registration_limit": &schema.Schema{
Type: schema.TypeInt,
Optional: true,
ForceNew: true,
},
"registration_count": &schema.Schema{
Type: schema.TypeInt,
Computed: true,
},
},
}
}
func resourceAwsSsmActivationCreate(d *schema.ResourceData, meta interface{}) error {
ssmconn := meta.(*AWSClient).ssmconn
log.Printf("[DEBUG] SSM activation create: %s", d.Id())
activationInput := &ssm.CreateActivationInput{
IamRole: aws.String(d.Get("name").(string)),
}
if _, ok := d.GetOk("name"); ok {
activationInput.DefaultInstanceName = aws.String(d.Get("name").(string))
}
if _, ok := d.GetOk("description"); ok {
activationInput.Description = aws.String(d.Get("description").(string))
}
if _, ok := d.GetOk("expiration_date"); ok {
activationInput.ExpirationDate = aws.Time(d.Get("expiration_date").(time.Time))
}
if _, ok := d.GetOk("iam_role"); ok {
activationInput.IamRole = aws.String(d.Get("iam_role").(string))
}
if _, ok := d.GetOk("registration_limit"); ok {
activationInput.RegistrationLimit = aws.Int64(int64(d.Get("registration_limit").(int)))
}
// Retry to allow iam_role to be created and policy attachment to take place
var resp *ssm.CreateActivationOutput
err := resource.Retry(30*time.Second, func() *resource.RetryError {
var err error
resp, err = ssmconn.CreateActivation(activationInput)
if err != nil {
return resource.RetryableError(err)
}
return resource.NonRetryableError(err)
})
if err != nil {
return errwrap.Wrapf("[ERROR] Error creating SSM activation: {{err}}", err)
}
if resp.ActivationId == nil {
return fmt.Errorf("[ERROR] ActivationId was nil")
}
d.SetId(*resp.ActivationId)
return resourceAwsSsmActivationRead(d, meta)
}
func resourceAwsSsmActivationRead(d *schema.ResourceData, meta interface{}) error {
ssmconn := meta.(*AWSClient).ssmconn
log.Printf("[DEBUG] Reading SSM Activation: %s", d.Id())
params := &ssm.DescribeActivationsInput{
Filters: []*ssm.DescribeActivationsFilter{
{
FilterKey: aws.String("ActivationIds"),
FilterValues: []*string{
aws.String(d.Id()),
},
},
},
MaxResults: aws.Int64(1),
}
resp, err := ssmconn.DescribeActivations(params)
if err != nil {
return errwrap.Wrapf("[ERROR] Error reading SSM activation: {{err}}", err)
}
if resp.ActivationList == nil || len(resp.ActivationList) == 0 {
return fmt.Errorf("[ERROR] ActivationList was nil or empty")
}
activation := resp.ActivationList[0] // Only 1 result as MaxResults is 1 above
d.Set("name", activation.DefaultInstanceName)
d.Set("description", activation.Description)
d.Set("expiration_date", activation.ExpirationDate)
d.Set("expired", activation.Expired)
d.Set("iam_role", activation.IamRole)
d.Set("registration_limit", activation.RegistrationLimit)
d.Set("registration_count", activation.RegistrationsCount)
return nil
}
func resourceAwsSsmActivationDelete(d *schema.ResourceData, meta interface{}) error {
ssmconn := meta.(*AWSClient).ssmconn
log.Printf("[DEBUG] Deleting SSM Activation: %s", d.Id())
params := &ssm.DeleteActivationInput{
ActivationId: aws.String(d.Id()),
}
_, err := ssmconn.DeleteActivation(params)
if err != nil {
return errwrap.Wrapf("[ERROR] Error deleting SSM activation: {{err}}", err)
}
return nil
}

View File

@ -0,0 +1,131 @@
package aws
import (
"fmt"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/ssm"
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func TestAccAWSSSMActivation_basic(t *testing.T) {
name := acctest.RandString(10)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSSSMActivationDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSSSMActivationBasicConfig(name),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSSSMActivationExists("aws_ssm_activation.foo"),
),
},
},
})
}
func testAccCheckAWSSSMActivationExists(n string) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}
if rs.Primary.ID == "" {
return fmt.Errorf("No SSM Activation ID is set")
}
conn := testAccProvider.Meta().(*AWSClient).ssmconn
_, err := conn.DescribeActivations(&ssm.DescribeActivationsInput{
Filters: []*ssm.DescribeActivationsFilter{
{
FilterKey: aws.String("ActivationIds"),
FilterValues: []*string{
aws.String(rs.Primary.ID),
},
},
},
MaxResults: aws.Int64(1),
})
if err != nil {
return fmt.Errorf("Could not descripbe the activation - %s", err)
}
return nil
}
}
func testAccCheckAWSSSMActivationDestroy(s *terraform.State) error {
conn := testAccProvider.Meta().(*AWSClient).ssmconn
for _, rs := range s.RootModule().Resources {
if rs.Type != "aws_ssm_activation" {
continue
}
out, err := conn.DescribeActivations(&ssm.DescribeActivationsInput{
Filters: []*ssm.DescribeActivationsFilter{
{
FilterKey: aws.String("ActivationIds"),
FilterValues: []*string{
aws.String(rs.Primary.ID),
},
},
},
MaxResults: aws.Int64(1),
})
if err != nil {
return err
}
if len(out.ActivationList) > 0 {
return fmt.Errorf("Expected AWS SSM Activation to be gone, but was still found")
}
return nil
}
return fmt.Errorf("Default error in SSM Activation Test")
}
func testAccAWSSSMActivationBasicConfig(rName string) string {
return fmt.Sprintf(`
resource "aws_iam_role" "test_role" {
name = "test_role-%s"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test_attach" {
role = "${aws_iam_role.test_role.name}"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
resource "aws_ssm_activation" "foo" {
name = "test_ssm_activation-%s",
description = "Test"
iam_role = "${aws_iam_role.test_role.name}"
registration_limit = "5"
depends_on = ["aws_iam_role_policy_attachment.test_attach"]
}
`, rName, rName)
}

View File

@ -0,0 +1,65 @@
---
layout: "aws"
page_title: "AWS: aws_ssm_activation"
sidebar_current: "docs-aws-resource-ssm-activation"
description: |-
Registers an on-premises server or virtual machine with Amazon EC2 so that it can be managed using Run Command.
---
# aws\_ssm\_activation
Registers an on-premises server or virtual machine with Amazon EC2 so that it can be managed using Run Command.
## Example Usage
```
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ssm.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
EOF
}
resource "aws_iam_role_policy_attachment" "test_attach" {
role = "${aws_iam_role.test_role.name}"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
resource "aws_ssm_activation" "foo" {
name = "test_ssm_activation",
description = "Test"
iam_role = "${aws_iam_role.test_role.id}"
registration_limit = "5"
depends_on = ["aws_iam_role_policy_attachment.test_attach"]
}
```
## Argument Reference
The following arguments are supported:
* `name` - (Optional) The default name of the registerd managed instance.
* `description` - (Optional) The description of the resource that you want to register.
* `expiration_date` - (Optional) The date by which this activation request should expire. The default value is 24 hours.
* `iam_role` - (Required) The IAM Role to attach to the managed instance.
* `registration_limit` - (Optional) The maximum number of managed instances you want to register. The default value is 1 instance.
## Attributes Reference
The following attributes are exported:
* `name` - The default name of the registerd managed instance.
* `description` - The description of the resource that was registered.
* `expired` - If the current activation has expired.
* `expiration_date` - The date by which this activation request should expire. The default value is 24 hours.
* `iam_role` - The IAM Role attached to the managed instance.
* `registration_limit` - The maximum number of managed instances you want to be registered. The default value is 1 instance.
* `registration_count` - The number of managed instances that are currently registered using this activation.