Add valid iamroleId for cfn tests

outcomes-winter-rakhulsprakash · outcomes-winter-rakhulsprakash · commit 1df1eb84a991 · 2026-02-06T21:27:34.000+05:30
diff --git a/.gitignore b/.gitignore
@@ -48,3 +48,8 @@ CLAUDE.md
 
 # generated markdown file with resource versions, will not be commited until we have mechanism to keep updated
 cfn-resources/resource-versions.md
+
+# dynamically generated test policy files (not templates)
+**/test/trust-policy.json
+**/test/s3-policy.json
+**/test/add-policy.json
diff --git a/cfn-resources/log-integration/test/cfn-test-create-inputs.sh b/cfn-resources/log-integration/test/cfn-test-create-inputs.sh
@@ -2,35 +2,45 @@
 # cfn-test-create-inputs.sh
 #
 # This tool generates json files in the inputs/ for `cfn test`.
+# It creates all required AWS resources (S3 bucket, IAM role, Cloud Provider Access role)
 #
 
 set -o errexit
 set -o nounset
 set -o pipefail
 
 function usage {
-	echo "usage:$0 <project_name> <bucket_name> <iam_role_id>"
-	echo "Generates test input files for log integration"
+	echo "usage: $0 <project_name>"
+	echo "Creates S3 bucket, Cloud Provider Access role, IAM role, and generates test input files for log integration"
 	exit 0
 }
 
-if [ "$#" -ne 3 ]; then usage; fi
+if [ "$#" -ne 1 ]; then usage; fi
 if [[ "$*" == help ]]; then usage; fi
 
-rm -rf inputs
-mkdir inputs
+region=$AWS_DEFAULT_REGION
+awsRegion=$AWS_DEFAULT_REGION
+if [ -z "$region" ]; then
+	region=$(aws configure get region)
+	awsRegion=$region
+fi
+
+regionFormatted=$(echo "$region" | sed -e "s/-/_/g" | tr '[:lower:]' '[:upper:]')
+echo "Using region: $region (formatted: $regionFormatted)"
+
+roleName="mongodb-atlas-logs-role-${regionFormatted}"
+policyName="atlas-logs-s3-policy-${regionFormatted}"
+bucketTag="${CFN_TEST_TAG:-$(date +%Y%m%d%H%M%S)}"
+bucketName="mongodb-atlas-cfn-test-logs-${bucketTag}"
 
-#set profile - relevant for contract tests which define a custom profile
+echo "Bucket name: ${bucketName}"
 profile="default"
 if [ ${MONGODB_ATLAS_PROFILE+x} ]; then
 	echo "profile set to ${MONGODB_ATLAS_PROFILE}"
 	profile=${MONGODB_ATLAS_PROFILE}
 fi
 
 projectName="${1}"
-bucketName="${2}"
-iamRoleId="${3}"
-
 projectId=$(atlas projects list --output json | jq --arg NAME "${projectName}" -r '.results[] | select(.name==$NAME) | .id')
 if [ -z "$projectId" ]; then
 	projectId=$(atlas projects create "${projectName}" --output=json | jq -r '.id')
@@ -39,16 +49,72 @@ else
 	echo -e "FOUND project \"${projectName}\" with id: ${projectId}\n"
 fi
 
-echo "bucketName: $bucketName"
-echo "iamRoleId: $iamRoleId"
+echo "--------------------------------Creating Cloud Provider Access Role----------------------------"
+roleID=$(atlas cloudProviders accessRoles aws create --projectId "${projectId}" --output json | jq -r '.roleId')
+echo "--------------------------------Mongo CLI Role creation ends----------------------------"
+
+atlasAWSAccountArn=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleID}" -r '.awsIamRoles[] | select(.roleId == $roleID) | .atlasAWSAccountArn')
+atlasAssumedRoleExternalId=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleID}" -r '.awsIamRoles[] | select(.roleId == $roleID) | .atlasAssumedRoleExternalId')
+
+jq --arg atlasAssumedRoleExternalId "$atlasAssumedRoleExternalId" \
+	--arg atlasAWSAccountArn "$atlasAWSAccountArn" \
+	'.Statement[0].Principal.AWS = $atlasAWSAccountArn | .Statement[0].Condition.StringEquals["sts:ExternalId"] = $atlasAssumedRoleExternalId' \
+	"$(dirname "$0")/role-policy-template.json" >"$(dirname "$0")/trust-policy.json"
+echo "--------------------------------AWS Role creation starts----------------------------"
+awsRoleID=$(aws iam get-role --role-name "${roleName}" 2>/dev/null | jq -r '.Role.RoleId' || echo "")
+if [ -z "$awsRoleID" ]; then
+	awsRoleID=$(aws iam create-role \
+		--role-name "${roleName}" \
+		--assume-role-policy-document "file://$(dirname "$0")/trust-policy.json" | jq -r '.Role.RoleId')
+	echo -e "No role found, hence creating the role. Created id: ${awsRoleID}\n"
+else
+	aws iam delete-role-policy --role-name "${roleName}" --policy-name "${policyName}" 2>/dev/null || true
+	aws iam delete-role --role-name "${roleName}"
+	awsRoleID=$(aws iam create-role \
+		--role-name "${roleName}" \
+		--assume-role-policy-document "file://$(dirname "$0")/trust-policy.json" | jq -r '.Role.RoleId')
+	echo -e "FOUND role id, deleted and recreated with new trust policy. Created id: ${awsRoleID}\n"
+fi
+echo "--------------------------------AWS Role creation ends----------------------------"
+
+awsRoleArn=$(aws iam get-role --role-name "${roleName}" | jq -r '.Role.Arn')
+
+echo "--------------------------------Creating S3 Bucket----------------------------"
+if aws s3 ls "s3://${bucketName}" 2>/dev/null; then
+	aws s3 rb "s3://${bucketName}" --force
+fi
+aws s3 mb "s3://${bucketName}" --region "${awsRegion}"
+echo "Created S3 bucket: ${bucketName}"
+echo "--------------------------------Attaching S3 policy to IAM role----------------------------"
+bucketArn="arn:aws:s3:::${bucketName}"
+jq --arg bucketArn "$bucketArn" \
+	--arg bucketArnWildcard "${bucketArn}/*" \
+	'.Statement[0].Resource[0] = $bucketArn | .Statement[0].Resource[1] = $bucketArnWildcard' \
+	"$(dirname "$0")/s3-policy-template.json" >"$(dirname "$0")/s3-policy.json"
+
+aws iam put-role-policy \
+	--role-name "${roleName}" \
+	--policy-name "${policyName}" \
+	--policy-document "file://$(dirname "$0")/s3-policy.json"
+echo "--------------------------------attach mongodb Role to AWS Role ends----------------------------"
+
+# shellcheck disable=SC2086
+sleep 30
+
+atlas cloudProviders accessRoles aws authorize "${roleID}" \
+	--projectId "${projectId}" \
+	--iamAssumedRoleArn "${awsRoleArn}"
+echo "--------------------------------authorize mongodb Role ends----------------------------"
+rm -rf inputs
+mkdir inputs
 
 WORDTOREMOVE="template."
 cd "$(dirname "$0")" || exit
 for inputFile in inputs_*; do
 	outputFile=${inputFile//$WORDTOREMOVE/}
 	jq --arg projectId "$projectId" \
 		--arg bucketName "$bucketName" \
-		--arg iamRoleId "$iamRoleId" \
+		--arg iamRoleId "$roleID" \
 		--arg profile "$profile" \
 		'.Profile?|=$profile | .ProjectId?|=$projectId | .BucketName?|=$bucketName | .IamRoleId?|=$iamRoleId' \
 		"$inputFile" >"../inputs/$outputFile"
diff --git a/cfn-resources/log-integration/test/cfn-test-delete-inputs.sh b/cfn-resources/log-integration/test/cfn-test-delete-inputs.sh
@@ -1,12 +1,53 @@
 #!/usr/bin/env bash
 # cfn-test-delete-inputs.sh
 #
-# This tool deletes test input files and cleans up resources.
+# This tool deletes test input files and cleans up AWS resources.
 #
 
 set -o errexit
 set -o nounset
 set -o pipefail
 
-rm -rf inputs
-echo "Deleted inputs directory"
+function usage {
+	echo "usage:$0 "
+}
+
+echo "--------------------------------delete S3 bucket and IAM role starts----------------------------"
+
+projectId=$(jq -r '.ProjectId' ./inputs/inputs_1_create.json)
+echo "Check if a project is created $projectId"
+export MCLI_PROJECT_ID=$projectId
+
+region=$AWS_DEFAULT_REGION
+if [ -z "$region" ]; then
+	region=$(aws configure get region)
+fi
+# shellcheck disable=SC2001
+region=$(echo "$region" | sed -e "s/-/_/g")
+region=$(echo "$region" | tr '[:lower:]' '[:upper:]')
+
+roleName="mongodb-atlas-logs-role-${region}"
+policyName="atlas-logs-s3-policy-${region}"
+
+trustPolicy=$(jq '.Statement[0].Condition.StringEquals["sts:ExternalId"]' "$(dirname "$0")/trust-policy.json")
+# shellcheck disable=SC2001
+atlasAssumedRoleExternalID=$(echo "${trustPolicy}" | sed 's/"//g')
+
+roleId=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${atlasAssumedRoleExternalID}" -r '.awsIamRoles[] | select(.atlasAssumedRoleExternalId | test($roleID)) | .roleId')
+
+atlas cloudProviders accessRoles aws deauthorize "${roleId}" --projectId "${projectId}" --force
+echo "--------------------------------deauthorize role ends----------------------------"
+bucketName=$(jq -r '.BucketName' "./inputs/inputs_1_create.json")
+aws s3 rb "s3://${bucketName}" --force
+
+echo "--------------------------------delete IAM role starts----------------------------"
+aws iam delete-role-policy --role-name "$roleName" --policy-name "$policyName"
+aws iam delete-role --role-name "$roleName"
+echo "--------------------------------delete IAM role ends----------------------------"
+
+#delete project
+if atlas projects delete "$projectId" --force; then
+	echo "$projectId project deletion OK"
+else
+	(echo "Failed cleaning project:$projectId" && exit 1)
+fi
diff --git a/cfn-resources/log-integration/test/contract-testing/cfn-test-create.sh b/cfn-resources/log-integration/test/contract-testing/cfn-test-create.sh
@@ -6,15 +6,10 @@ set -o nounset
 set -o pipefail
 
 projectName="cfn-test-bot-$(date +%s)-$RANDOM"
-bucketName="atlas-logs-cfn-test-$RANDOM"
-iamRoleId="65a1b2c3d4e5f6a7b8c9d0e1"
 
-# create project
-projectId=$(atlas projects create "${projectName}" --output=json | jq -r '.id')
+# Set unique tag for S3 bucket to avoid conflicts in CI
+export CFN_TEST_TAG="${projectName}"
 
-echo "projectId: $projectId"
 echo "projectName: $projectName"
-echo "bucketName: $bucketName"
-echo "iamRoleId: $iamRoleId (dummy 24-char hex format)"
 
-./test/cfn-test-create-inputs.sh "$projectName" "$bucketName" "$iamRoleId"
+./test/cfn-test-create-inputs.sh "$projectName"
diff --git a/cfn-resources/log-integration/test/contract-testing/cfn-test-delete.sh b/cfn-resources/log-integration/test/contract-testing/cfn-test-delete.sh
@@ -5,11 +5,4 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-projectId=$(jq -r '.ProjectId' ./inputs/inputs_1_create.json)
-
-# delete project
-if atlas projects delete "$projectId" --force; then
-	echo "$projectId project deletion OK"
-else
-	(echo "Failed cleaning project: $projectId" && exit 1)
-fi
+./test/cfn-test-delete-inputs.sh
diff --git a/cfn-resources/log-integration/test/role-policy-template.json b/cfn-resources/log-integration/test/role-policy-template.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": ""
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": ""
+        }
+      }
+    }
+  ]
+}
diff --git a/cfn-resources/log-integration/test/s3-policy-template.json b/cfn-resources/log-integration/test/s3-policy-template.json
@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:ListBucket",
+        "s3:GetBucketLocation"
+      ],
+      "Resource": ["", ""]
+    }
+  ]
+}
