Add account ID to the SSM document ARN #4436
Conversation
Without the account ID being specified, if the ARN output is used as an allowed resource in an IAM policy, then the IAM policy doesn't match the document and you get a permissions error from IAM when executing the document.
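As an added illustration of the problem described above and of the partition-agnostic regex discussed in the review thread below (this is example code, not code from the provider or from this PR), the following Go program builds the SSM document ARN with and without the account field, checks it against the generic `^arn:[^:]+:ssm:[^:]+:\d{12}:document/.*$` pattern, and runs a simplified wildcard matcher standing in for IAM's Resource comparison. The account ID `123456789012`, the region, the document name and the matcher itself are constructed assumptions for the example; the real IAM policy engine is not modelled beyond literal matching plus `*` and `?` wildcards.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ssmDocumentARN builds an ARN in the form
// arn:<partition>:ssm:<region>:<account-id>:document/<name>.
// Passing an empty accountID reproduces the pre-fix output, which left
// the account field blank (assumption for the example).
func ssmDocumentARN(partition, region, accountID, name string) string {
	return fmt.Sprintf("arn:%s:ssm:%s:%s:document/%s", partition, region, accountID, name)
}

// documentARNPattern is the partition-agnostic check suggested in review:
// any partition, any region, a 12-digit account ID, then document/<name>.
var documentARNPattern = regexp.MustCompile(`^arn:[^:]+:ssm:[^:]+:\d{12}:document/.*$`)

// isValidDocumentARN reports whether arn carries every field an IAM
// policy Resource element would need to match it, account ID included.
func isValidDocumentARN(arn string) bool {
	return documentARNPattern.MatchString(arn)
}

// matchesPolicyResource is a simplified stand-in for how IAM compares a
// policy Resource element with the ARN being accessed: literal
// comparison where '*' matches any run of characters and '?' matches
// exactly one character. It is an illustration, not the IAM engine.
func matchesPolicyResource(policyResource, arn string) bool {
	var sb strings.Builder
	sb.WriteString("^")
	for _, r := range policyResource {
		switch r {
		case '*':
			sb.WriteString(".*")
		case '?':
			sb.WriteString(".")
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String()).MatchString(arn)
}

func main() {
	const (
		region  = "us-east-1"
		account = "123456789012" // constructed sample account ID
		docName = "example-doc"
	)
	// The policy author writes the full ARN, as the SSM docs describe it.
	policyResource := ssmDocumentARN("aws", region, account, docName)
	oldARN := ssmDocumentARN("aws", region, "", docName)
	newARN := ssmDocumentARN("aws", region, account, docName)

	fmt.Printf("policy resource: %s\n", policyResource)
	fmt.Printf("old ARN %q: valid=%v allowed=%v\n", oldARN,
		isValidDocumentARN(oldARN), matchesPolicyResource(policyResource, oldARN))
	fmt.Printf("new ARN %q: valid=%v allowed=%v\n", newARN,
		isValidDocumentARN(newARN), matchesPolicyResource(policyResource, newARN))

	// The generic pattern also accepts other partitions, e.g. GovCloud (US).
	govARN := ssmDocumentARN("aws-us-gov", "us-gov-west-1", account, docName)
	fmt.Printf("govcloud ARN %q: valid=%v\n", govARN, isValidDocumentARN(govARN))
}
```

The old ARN fails both checks: the regex rejects the empty account field, and a policy that names the full ARN never matches it, which is the "permissions error from IAM" in the description. Once the account ID is present the ARN validates and matches the policy, and the partition-agnostic regex accepts the same ARN shape for GovCloud (US) without changes.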
Config: testAccAWSSSMDocumentBasicConfig(name),
Check: resource.ComposeTestCheckFunc(
	testAccCheckAWSSSMDocumentExists("aws_ssm_document.foo"),
	resource.TestCheckResourceAttr("aws_ssm_document.foo", "document_format", "JSON"),
	resource.TestMatchResourceAttr("aws_ssm_document.foo", "arn",
		regexp.MustCompile(`^arn:aws:ssm:[a-z]{2}-[a-z]+-\d{1}:\d{12}:document/.*$`)),
Thanks for this very accurate test check for the Commercial partition -- we'll be making these more generic so we can also support testing in GovCloud (US) and China at some point in the near future:
regexp.MustCompile(`^arn:[^:]+:ssm:[^:]+:\d{12}:document/.*$`))
Ha, I originally had the regex match gov-cloud as well and figured it was a waste of time because we didn't run the tests in gov-cloud/china and so took it out to simplify the regex. Didn't think about matching all non colon characters for the region and partition though.
I'll keep that in mind for anything else I add in future.
Thanks @tomelliff! 🚀
Commercial
6 tests passed (all tests)
=== RUN TestAccAWSSSMDocument_params
--- PASS: TestAccAWSSSMDocument_params (8.94s)
=== RUN TestAccAWSSSMDocument_permission
--- PASS: TestAccAWSSSMDocument_permission (12.54s)
=== RUN TestAccAWSSSMDocument_update
--- PASS: TestAccAWSSSMDocument_update (15.31s)
=== RUN TestAccAWSSSMDocument_basic
--- PASS: TestAccAWSSSMDocument_basic (15.48s)
=== RUN TestAccAWSSSMDocument_DocumentFormat_YAML
--- PASS: TestAccAWSSSMDocument_DocumentFormat_YAML (21.07s)
=== RUN TestAccAWSSSMDocument_automation
--- PASS: TestAccAWSSSMDocument_automation (33.68s)
@bflad thanks for the review and merge again :)
This has been released in version 1.18.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!