feat: automate IAM role creation and cleanup for AWS Lambda stream connection tests

Author: sivaram-mongodb

cfn-resources/stream-connection/test/cfn-test-create-inputs.sh

@@ -46,6 +46,97 @@ atlas clusters create "${clusterName}" --projectId "${projectId}" --backup --pro
 atlas clusters watch "${clusterName}" --projectId "${projectId}"
 echo -e "Created Cluster \"${clusterName}\""
 
+# AWS IAM role creation and authorization for Lambda connections
+echo "--------------------------------AWS Lambda IAM Role creation starts ----------------------------"
+
+# Get AWS Account ID
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+# Role names for CREATE and UPDATE scenarios
+iamRoleNameCreate="mongodb-atlas-streams-lambda-$(date +%s)-${RANDOM}"
+iamRoleNameUpdate="mongodb-atlas-streams-lambda-$(date +%s)-${RANDOM}-updated"
+policyName="atlas-lambda-invoke-policy"
+
+echo "Creating IAM roles: ${iamRoleNameCreate} and ${iamRoleNameUpdate}"
+
+# Create first cloud provider access entry (for CREATE role)
+roleIdCreate=$(atlas cloudProviders accessRoles aws create --projectId "${projectId}" --output json | jq -r '.roleId')
+echo "Created Atlas cloud provider access entry for CREATE role: ${roleIdCreate}"
+
+# Create second cloud provider access entry (for UPDATE role)
+roleIdUpdate=$(atlas cloudProviders accessRoles aws create --projectId "${projectId}" --output json | jq -r '.roleId')
+echo "Created Atlas cloud provider access entry for UPDATE role: ${roleIdUpdate}"
+
+# Get Atlas AWS Account ARN and External ID for CREATE role
+atlasAWSAccountArnCreate=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleIdCreate}" -r '.awsIamRoles[] | select(.roleId | test($roleID)) | .atlasAWSAccountArn')
+atlasAssumedRoleExternalIdCreate=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleIdCreate}" -r '.awsIamRoles[] | select(.roleId | test($roleID)) | .atlasAssumedRoleExternalId')
+
+# Get Atlas AWS Account ARN and External ID for UPDATE role
+atlasAWSAccountArnUpdate=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleIdUpdate}" -r '.awsIamRoles[] | select(.roleId | test($roleID)) | .atlasAWSAccountArn')
+atlasAssumedRoleExternalIdUpdate=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg roleID "${roleIdUpdate}" -r '.awsIamRoles[] | select(.roleId | test($roleID)) | .atlasAssumedRoleExternalId')
+
+# Create trust policy for CREATE role
+jq --arg atlasAssumedRoleExternalId "$atlasAssumedRoleExternalIdCreate" \
+	--arg atlasAWSAccountArn "$atlasAWSAccountArnCreate" \
+	'.Statement[0].Principal.AWS?|=$atlasAWSAccountArn | .Statement[0].Condition.StringEquals["sts:ExternalId"]?|=$atlasAssumedRoleExternalId' \
+	"$(dirname "$0")/lambda-role-policy-template.json" >"$(dirname "$0")/lambda-trust-policy-create.json"
+
+# Create trust policy for UPDATE role
+jq --arg atlasAssumedRoleExternalId "$atlasAssumedRoleExternalIdUpdate" \
+	--arg atlasAWSAccountArn "$atlasAWSAccountArnUpdate" \
+	'.Statement[0].Principal.AWS?|=$atlasAWSAccountArn | .Statement[0].Condition.StringEquals["sts:ExternalId"]?|=$atlasAssumedRoleExternalId' \
+	"$(dirname "$0")/lambda-role-policy-template.json" >"$(dirname "$0")/lambda-trust-policy-update.json"
+
+echo "--------------------------------AWS IAM Role creation starts ----------------------------"
+
+# Check if CREATE role exists, delete if found
+awsRoleIdCreate=$(aws iam get-role --role-name "${iamRoleNameCreate}" 2>/dev/null | jq --arg roleName "${iamRoleNameCreate}" -r '.Role | select(.RoleName==$roleName) | .RoleId' || echo "")
+if [ -n "$awsRoleIdCreate" ]; then
+	aws iam delete-role-policy --role-name "${iamRoleNameCreate}" --policy-name "${policyName}" 2>/dev/null || true
+	aws iam delete-role --role-name "${iamRoleNameCreate}"
+	echo "Deleted existing CREATE role"
+fi
+
+# Create CREATE role
+awsRoleIdCreate=$(aws iam create-role --role-name "${iamRoleNameCreate}" --assume-role-policy-document file://"$(dirname "$0")"/lambda-trust-policy-create.json | jq --arg roleName "${iamRoleNameCreate}" -r '.Role | select(.RoleName==$roleName) | .RoleId')
+echo "Created AWS IAM role for CREATE: ${awsRoleIdCreate}"
+
+# Check if UPDATE role exists, delete if found
+awsRoleIdUpdate=$(aws iam get-role --role-name "${iamRoleNameUpdate}" 2>/dev/null | jq --arg roleName "${iamRoleNameUpdate}" -r '.Role | select(.RoleName==$roleName) | .RoleId' || echo "")
+if [ -n "$awsRoleIdUpdate" ]; then
+	aws iam delete-role-policy --role-name "${iamRoleNameUpdate}" --policy-name "${policyName}" 2>/dev/null || true
+	aws iam delete-role --role-name "${iamRoleNameUpdate}"
+	echo "Deleted existing UPDATE role"
+fi
+
+# Create UPDATE role
+awsRoleIdUpdate=$(aws iam create-role --role-name "${iamRoleNameUpdate}" --assume-role-policy-document file://"$(dirname "$0")"/lambda-trust-policy-update.json | jq --arg roleName "${iamRoleNameUpdate}" -r '.Role | select(.RoleName==$roleName) | .RoleId')
+echo "Created AWS IAM role for UPDATE: ${awsRoleIdUpdate}"
+
+# Get role ARNs
+awsArnCreate=$(aws iam get-role --role-name "${iamRoleNameCreate}" | jq --arg roleName "${iamRoleNameCreate}" -r '.Role | select(.RoleName==$roleName) | .Arn')
+awsArnUpdate=$(aws iam get-role --role-name "${iamRoleNameUpdate}" | jq --arg roleName "${iamRoleNameUpdate}" -r '.Role | select(.RoleName==$roleName) | .Arn')
+
+# Attach Lambda permissions to both roles
+aws iam put-role-policy --role-name "${iamRoleNameCreate}" --policy-name "${policyName}" --policy-document file://"$(dirname "$0")"/lambda-permissions-template.json
+aws iam put-role-policy --role-name "${iamRoleNameUpdate}" --policy-name "${policyName}" --policy-document file://"$(dirname "$0")"/lambda-permissions-template.json
+echo "Attached Lambda invoke permissions to both roles"
+
+echo "--------------------------------AWS IAM Role creation ends ----------------------------"
+
+# Wait for AWS IAM role to propagate (similar to encryption-at-rest pattern)
+echo "Waiting for IAM roles to propagate..."
+sleep 65
+
+# Authorize the roles in Atlas
+echo "--------------------------------Authorize MongoDB Atlas Roles starts ----------------------------"
+atlas cloudProviders accessRoles aws authorize "${roleIdCreate}" --iamAssumedRoleArn "${awsArnCreate}" --projectId "${projectId}"
+echo "Authorized CREATE role: ${iamRoleNameCreate}"
+
+atlas cloudProviders accessRoles aws authorize "${roleIdUpdate}" --iamAssumedRoleArn "${awsArnUpdate}" --projectId "${projectId}"
+echo "Authorized UPDATE role: ${iamRoleNameUpdate}"
+echo "--------------------------------Authorize MongoDB Atlas Roles ends ----------------------------"
+
 jq --arg cluster_name "$clusterName" \
 	--arg workspace_name "$workspaceName" \
 	--arg project_id "$projectId" \
@@ -99,17 +190,21 @@ jq --arg workspace_name "$workspaceName" \
 jq --arg workspace_name "$workspaceName" \
 	--arg project_id "$projectId" \
 	--arg profile "$profile" \
+	--arg role_arn "$awsArnCreate" \
 	'.Profile?|=$profile
    | .ProjectId?|=$project_id
-   | .WorkspaceName?|=$workspace_name' \
+   | .WorkspaceName?|=$workspace_name
+   | .Aws.RoleArn=$role_arn' \
 	"$(dirname "$0")/inputs_4_create.json" >"inputs/inputs_4_create.json"
 
 jq --arg workspace_name "$workspaceName" \
 	--arg project_id "$projectId" \
 	--arg profile "$profile" \
+	--arg role_arn "$awsArnUpdate" \
 	'.Profile?|=$profile
    | .ProjectId?|=$project_id
-   | .WorkspaceName?|=$workspace_name' \
+   | .WorkspaceName?|=$workspace_name
+   | .Aws.RoleArn=$role_arn' \
 	"$(dirname "$0")/inputs_4_update.json" >"inputs/inputs_4_update.json"
 
 jq --arg workspace_name "$workspaceName" \
@@ -143,4 +238,3 @@ jq --arg workspace_name "$workspaceName" \
    | .ProjectId?|=$project_id
    | .WorkspaceName?|=$workspace_name' \
 	"$(dirname "$0")/inputs_6_update.json" >"inputs/inputs_6_update.json"
-	

cfn-resources/stream-connection/test/cfn-test-delete-inputs.sh

@@ -45,6 +45,70 @@ else
 	echo "failed to delete the stream workspace/instance with name ${workspaceOrInstanceName}"
 fi
 
+# Delete AWS Lambda IAM roles if they exist
+echo "--------------------------------delete AWS Lambda IAM roles starts ----------------------------"
+
+# Check if Lambda input files exist
+if [ -f "./inputs/inputs_4_create.json" ]; then
+	echo "Found Lambda connection inputs, cleaning up IAM roles..."
+	
+	policyName="atlas-lambda-invoke-policy"
+	
+	# Extract role ARN from CREATE input file
+	roleArnCreate=$(jq -r '.Aws.RoleArn // empty' ./inputs/inputs_4_create.json)
+	# Extract role name from ARN (everything after the last '/')
+	iamRoleNameCreate=$(echo "${roleArnCreate}" | awk -F'/' '{print $NF}')
+	
+	# Extract role ARN from UPDATE input file
+	roleArnUpdate=$(jq -r '.Aws.RoleArn // empty' ./inputs/inputs_4_update.json)
+	# Extract role name from ARN (everything after the last '/')
+	iamRoleNameUpdate=$(echo "${roleArnUpdate}" | awk -F'/' '{print $NF}')
+	
+	# Get external IDs from trust policy files and find roleIds in Atlas
+	if [ -f "$(dirname "$0")/lambda-trust-policy-create.json" ]; then
+		atlasAssumedRoleExternalIdCreate=$(jq -r '.Statement[0].Condition.StringEquals["sts:ExternalId"]' "$(dirname "$0")/lambda-trust-policy-create.json")
+		roleIdCreate=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg extId "${atlasAssumedRoleExternalIdCreate}" -r '.awsIamRoles[] | select(.atlasAssumedRoleExternalId | test($extId)) | .roleId')
+		
+		if [ -n "${roleIdCreate}" ] && [ "${roleIdCreate}" != "null" ]; then
+			echo "Deauthorizing CREATE role from Atlas: ${roleIdCreate}"
+			atlas cloudProviders accessRoles aws deauthorize "${roleIdCreate}" --projectId "${projectId}" --force || echo "Failed to deauthorize CREATE role"
+		fi
+	fi
+	
+	if [ -f "$(dirname "$0")/lambda-trust-policy-update.json" ]; then
+		atlasAssumedRoleExternalIdUpdate=$(jq -r '.Statement[0].Condition.StringEquals["sts:ExternalId"]' "$(dirname "$0")/lambda-trust-policy-update.json")
+		roleIdUpdate=$(atlas cloudProviders accessRoles list --projectId "${projectId}" --output json | jq --arg extId "${atlasAssumedRoleExternalIdUpdate}" -r '.awsIamRoles[] | select(.atlasAssumedRoleExternalId | test($extId)) | .roleId')
+		
+		if [ -n "${roleIdUpdate}" ] && [ "${roleIdUpdate}" != "null" ]; then
+			echo "Deauthorizing UPDATE role from Atlas: ${roleIdUpdate}"
+			atlas cloudProviders accessRoles aws deauthorize "${roleIdUpdate}" --projectId "${projectId}" --force || echo "Failed to deauthorize UPDATE role"
+		fi
+	fi
+	
+	# Delete CREATE IAM role
+	if [ -n "${iamRoleNameCreate}" ] && [ "${iamRoleNameCreate}" != "null" ] && [ "${iamRoleNameCreate}" != "" ]; then
+		echo "Deleting CREATE IAM role: ${iamRoleNameCreate}"
+		aws iam delete-role-policy --role-name "${iamRoleNameCreate}" --policy-name "${policyName}" 2>/dev/null || echo "Policy already deleted or doesn't exist"
+		aws iam delete-role --role-name "${iamRoleNameCreate}" 2>/dev/null || echo "Role already deleted or doesn't exist"
+	fi
+	
+	# Delete UPDATE IAM role
+	if [ -n "${iamRoleNameUpdate}" ] && [ "${iamRoleNameUpdate}" != "null" ] && [ "${iamRoleNameUpdate}" != "" ]; then
+		echo "Deleting UPDATE IAM role: ${iamRoleNameUpdate}"
+		aws iam delete-role-policy --role-name "${iamRoleNameUpdate}" --policy-name "${policyName}" 2>/dev/null || echo "Policy already deleted or doesn't exist"
+		aws iam delete-role --role-name "${iamRoleNameUpdate}" 2>/dev/null || echo "Role already deleted or doesn't exist"
+	fi
+	
+	# Clean up temporary files
+	rm -f "$(dirname "$0")/lambda-trust-policy-create.json"
+	rm -f "$(dirname "$0")/lambda-trust-policy-update.json"
+	
+	echo "Cleaned up Lambda IAM roles and temporary files"
+else
+	echo "No Lambda connection inputs found, skipping IAM role cleanup"
+fi
+echo "--------------------------------delete AWS Lambda IAM roles ends ----------------------------"
+
 #delete project
 if atlas projects delete "$projectId" --force; then
 	echo "$projectId project deletion OK"

cfn-resources/stream-connection/test/lambda-permissions-template.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "lambda:InvokeFunction",
+        "lambda:InvokeAsync"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+

cfn-resources/stream-connection/test/lambda-role-policy-template.json

@@ -0,0 +1,18 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": ""
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": ""
+        }
+      }
+    }
+  ]
+}
+