CLOUDP-372605-encryption-at-rest: handle missing IAM role check in encryption test

sivaram-mongodb · sivaram-mongodb · commit 25bd5f87b2fb · 2026-02-06T15:05:12.000+05:30
diff --git a/cfn-resources/encryption-at-rest/test/cfn-test-create-inputs.sh b/cfn-resources/encryption-at-rest/test/cfn-test-create-inputs.sh
@@ -81,24 +81,23 @@ echo "--------------------------------create key and key policy document policy
 echo "$policyDocument"
 echo "--------------------------------policy document finished ----------------------------"
 
-roleID=$(atlas cloudProviders accessRoles aws create --projectId "${projectId}" --output json | jq -r '.roleId')
-echo "roleID: $roleID"
+roleID=$(atlas cloudProviders accessRoles aws create --output json | jq -r '.roleId')
 echo "--------------------------------Mongo CLI Role creation ends ----------------------------"
 
-atlasAWSAccountArn=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleID}" -r '.awsIamRoles[] |select(.roleId |test( $roleID)) |.atlasAWSAccountArn')
-atlasAssumedRoleExternalId=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleID}" -r '.awsIamRoles[] |select(.roleId |test( $roleID)) |.atlasAssumedRoleExternalId')
+atlasAWSAccountArn=$(atlas cloudProviders accessRoles list --output json | jq --arg roleID "${roleID}" -r '.awsIamRoles[] |select(.roleId |test( $roleID)) |.atlasAWSAccountArn')
+atlasAssumedRoleExternalId=$(atlas cloudProviders accessRoles list --output json | jq --arg roleID "${roleID}" -r '.awsIamRoles[] |select(.roleId |test( $roleID)) |.atlasAssumedRoleExternalId')
 jq --arg atlasAssumedRoleExternalId "$atlasAssumedRoleExternalId" \
 	--arg atlasAWSAccountArn "$atlasAWSAccountArn" \
 	'.Statement[0].Principal.AWS?|=$atlasAWSAccountArn | .Statement[0].Condition.StringEquals["sts:ExternalId"]?|=$atlasAssumedRoleExternalId' "$(dirname "$0")/role-policy-template.json" >"$(dirname "$0")/add-policy.json"
 echo cat add-policy.json
 echo "--------------------------------AWS Role creation ends ----------------------------"
 
-awsRoleID=$(aws iam get-role --role-name "${roleName}" | jq --arg roleName "${roleName}" -r '.Role | select(.RoleName==$roleName) |.RoleId')
+awsRoleID=$(aws iam get-role --role-name "${roleName}" 2>/dev/null | jq --arg roleName "${roleName}" -r '.Role | select(.RoleName==$roleName) |.RoleId' || true)
 if [ -z "$awsRoleID" ]; then
 	awsRoleID=$(aws iam create-role --role-name "${roleName}" --assume-role-policy-document file://"$(dirname "$0")"/add-policy.json | jq --arg roleName "${roleName}" -r '.Role | select(.RoleName==$roleName) |.RoleId')
 	echo -e "No role found, hence creating the role. Created id: ${awsRoleID}\n"
 else
-	aws iam delete-role-policy --role-name "${roleName}" --policy-name "${policyName}"
+	aws iam delete-role-policy --role-name "${roleName}" --policy-name "${policyName}" 2>/dev/null || true
 	aws iam delete-role --role-name "${roleName}"
 	awsRoleID=$(aws iam create-role --role-name "${roleName}" --assume-role-policy-document file://"$(dirname "$0")"/add-policy.json | jq --arg roleName "${roleName}" -r '.Role | select(.RoleName==$roleName) |.RoleId')
 	echo -e "FOUND id: ${awsRoleID}\n"
@@ -116,7 +115,7 @@ awsArne=$(echo "${awsArn}" | sed 's/"//g')
 #TODO Needs change to while loop using get operation
 sleep 65
 
-atlas cloudProviders accessRoles aws authorize "${roleID}" --projectId "${projectId}" --iamAssumedRoleArn "${awsArne}"
+atlas cloudProviders accessRoles aws authorize "${roleID}" --iamAssumedRoleArn "${awsArne}"
 echo "--------------------------------authorize mongodb  Role ends ----------------------------"
 
 jq --arg projectId "$projectId" \
diff --git a/cfn-resources/encryption-at-rest/test/cfn-test-delete-inputs.sh b/cfn-resources/encryption-at-rest/test/cfn-test-delete-inputs.sh
@@ -39,10 +39,10 @@ roleExternalID="${trustPolicy##*/}"
 atlasAssumedRoleExternalID=$(echo "${roleExternalID}" | sed 's/"//g')
 echo "$atlasAssumedRoleExternalID"
 
-roleId=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${atlasAssumedRoleExternalID}" -r '.awsIamRoles[] |select(.atlasAssumedRoleExternalId |test( $roleID)) |.roleId')
+roleId=$(atlas cloudProviders accessRoles list --output json | jq --arg roleID "${atlasAssumedRoleExternalID}" -r '.awsIamRoles[] |select(.atlasAssumedRoleExternalId |test( $roleID)) |.roleId')
 echo "$roleId"
 
-atlas cloudProviders accessRoles aws deauthorize "${roleId}" --projectId "${projectId}" --force
+atlas cloudProviders accessRoles aws deauthorize "${roleId}" --force
 echo "--------------------------------delete role starts ----------------------------"
 
 aws iam delete-role-policy --role-name "$roleName" --policy-name "$policyName"
