Fix getExecutionRolePolicyARN() in regcreds
allisaurus committed Feb 7, 2019
1 parent 0fc9450 commit be660fb
Showing 2 changed files with 83 additions and 1 deletion.
81 changes: 81 additions & 0 deletions ecs-cli/modules/cli/regcreds/create_task_execution_role_test.go
Expand Up @@ -18,6 +18,7 @@ import (

"github.com/aws/amazon-ecs-cli/ecs-cli/modules/utils/regcredio"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/arn"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/golang/mock/gomock"
Expand Down Expand Up @@ -63,6 +64,86 @@ func TestCreateTaskExecutionRole(t *testing.T) {
assert.NotNil(t, policyCreateTime, "Expected policy create time to be non-nil")
}

func TestCreateTaskExecutionRole_CnPartition(t *testing.T) {
testRegistry := "myreg.test.io"
testRegCredARN := "arn:aws-cn:secret/some-test-arn"
testCreds := map[string]regcredio.CredsOutputEntry{
testRegistry: regcredio.BuildOutputEntry(testRegCredARN, "", []string{""}),
}
testRoleName := "myNginxProjectRole"

testPolicyArn := aws.String("arn:aws-cn:iam::policy/" + testRoleName + "-policy")
testRoleArn := aws.String("arn:aws-cn:iam::role/" + testRoleName)

expectedManagedPolicyARN := arn.ARN{
Service: "iam",
Resource: "policy/service-role/AmazonECSTaskExecutionRolePolicy",
AccountID: "aws",
Partition: "aws-cn", // Expected CN Partition
}

mocks := setupTestController(t)
gomock.InOrder(
mocks.MockIAM.EXPECT().CreateOrFindRole(testRoleName, roleDescriptionString, assumeRolePolicyDocString).Return(*testRoleArn, nil),
mocks.MockIAM.EXPECT().CreateRole(gomock.Any()).Return(&iam.CreateRoleOutput{Role: &iam.Role{Arn: testRoleArn}}, nil),
)
gomock.InOrder(
mocks.MockIAM.EXPECT().CreatePolicy(gomock.Any()).Return(&iam.CreatePolicyOutput{Policy: &iam.Policy{Arn: testPolicyArn}}, nil),
mocks.MockIAM.EXPECT().AttachRolePolicy(expectedManagedPolicyARN.String(), testRoleName).Return(nil, nil), // FAIL?
mocks.MockIAM.EXPECT().AttachRolePolicy(*testPolicyArn, testRoleName).Return(nil, nil),
)

testParams := executionRoleParams{
CredEntries: testCreds,
RoleName: testRoleName,
Region: "cn-north-1",
}

policyCreateTime, err := createTaskExecutionRole(testParams, mocks.MockIAM, mocks.MockKMS)
assert.NoError(t, err, "Unexpected error when creating task execution role")
assert.NotNil(t, policyCreateTime, "Expected policy create time to be non-nil")
}

func TestCreateTaskExecutionRole_UsGovPartition(t *testing.T) {
testRegistry := "myreg.test.io"
testRegCredARN := "arn:aws-us-gov:secret/some-test-arn"
testCreds := map[string]regcredio.CredsOutputEntry{
testRegistry: regcredio.BuildOutputEntry(testRegCredARN, "", []string{""}),
}
testRoleName := "myNginxProjectRole"

testPolicyArn := aws.String("arn:aws-us-gov:iam::policy/" + testRoleName + "-policy")
testRoleArn := aws.String("arn:aws-us-gov:iam::role/" + testRoleName)

expectedManagedPolicyARN := arn.ARN{
Service: "iam",
Resource: "policy/service-role/AmazonECSTaskExecutionRolePolicy",
AccountID: "aws",
Partition: "aws-us-gov", // Expected us-gov Partition
}

mocks := setupTestController(t)
gomock.InOrder(
mocks.MockIAM.EXPECT().CreateOrFindRole(testRoleName, roleDescriptionString, assumeRolePolicyDocString).Return(*testRoleArn, nil),
mocks.MockIAM.EXPECT().CreateRole(gomock.Any()).Return(&iam.CreateRoleOutput{Role: &iam.Role{Arn: testRoleArn}}, nil),
)
gomock.InOrder(
mocks.MockIAM.EXPECT().CreatePolicy(gomock.Any()).Return(&iam.CreatePolicyOutput{Policy: &iam.Policy{Arn: testPolicyArn}}, nil),
mocks.MockIAM.EXPECT().AttachRolePolicy(expectedManagedPolicyARN.String(), testRoleName).Return(nil, nil), // FAIL?
mocks.MockIAM.EXPECT().AttachRolePolicy(*testPolicyArn, testRoleName).Return(nil, nil),
)

testParams := executionRoleParams{
CredEntries: testCreds,
RoleName: testRoleName,
Region: "us-gov-west-1",
}

policyCreateTime, err := createTaskExecutionRole(testParams, mocks.MockIAM, mocks.MockKMS)
assert.NoError(t, err, "Unexpected error when creating task execution role")
assert.NotNil(t, policyCreateTime, "Expected policy create time to be non-nil")
}

func TestCreateTaskExecutionRole_NoKMSKey(t *testing.T) {
testRegistry := "myreg.test.io"
testRegCredARN := "arn:aws:secret/some-test-arn"
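Review bot: The trailing `// FAIL?` comments on the managed-policy `AttachRolePolicy` expectations in TestCreateTaskExecutionRole_CnPartition and TestCreateTaskExecutionRole_UsGovPartition read like leftover debugging notes and do not say what is being asserted; a comment such as `// managed policy ARN must carry the region's partition` would state the intent. The two tests differ only in the partition string and the region, so a table-driven test over (region, partition) pairs would remove the duplication. It would also make it cheap to add a case for a region that is absent from the partition map and is expected to fall back to `aws`, which neither new test covers. TestCreateTaskExecutionRole_NoKMSKey at the end of this section continues outside the hunk.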
3 changes: 2 additions & 1 deletion ecs-cli/modules/cli/regcreds/regcreds_app_helpers.go
Expand Up @@ -48,12 +48,13 @@ func getExecutionRolePolicyARN(region string) string {
AccountID: "aws",
}

// TODO: use utils.GetPartition func once merged
if regionToPartition[region] != "" {
expectedARN.Partition = regionToPartition[region]
return expectedARN.String()
}

expectedARN.Partition = "aws"

return expectedARN.String()
}

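Review bot: The partition branch of getExecutionRolePolicyARN indexes `regionToPartition` twice and leaves the function with two return paths; one lookup and one exit reads more plainly: `partition := regionToPartition[region]`, `if partition == "" { partition = "aws" }`, `expectedARN.Partition = partition`. A region missing from the map silently gets the `aws` partition, so an unlisted China or GovCloud region would presumably yield a managed-policy ARN that the later AttachRolePolicy call rejects. A doc comment stating that fallback would make the behaviour explicit until the helper named in the TODO replaces the map. The function's opening lines are outside the hunk.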
