Merge pull request #31159 from hashicorp/td-teamcity-assume-role-pull…

…-request CI: Enables assuming role for pull request configuration
hashicorp · May 5, 2023 · f6ec8c3 · f6ec8c3
2 parents 9094adb + 9041979
commit f6ec8c3
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 15 deletions.
diff --git a/.teamcity/scripts/pullrequest_tests/tests.sh b/.teamcity/scripts/pullrequest_tests/tests.sh
@@ -4,8 +4,8 @@ set -euo pipefail
 
 # shellcheck disable=2050 # This isn't a constant string, it's a TeamCity variable substitution
 if [[ "%TEST_PATTERN%" == "" || "%TEST_PATTERN%" == "TestAcc" ]]; then
-  echo "Invalid test filter pattern: \"%TEST_PATTERN%\""
-  exit 1
+	echo "Invalid test filter pattern: \"%TEST_PATTERN%\""
+	exit 1
 fi
 
 echo "Filtering acceptance tests: %TEST_PATTERN%"
@@ -26,4 +26,55 @@ fi
 echo "${TEST_LIST}"
 echo
 
+# shellcheck disable=2157 # These aren't constant strings, they're TeamCity variable substitution
+if [[ -n "%ACCTEST_ROLE_ARN%" || -n "%ACCTEST_ALTERNATE_ROLE_ARN%" ]]; then
+	conf=$(pwd)/aws.conf
+
+	function cleanup {
+		rm "${conf}"
+	}
+	trap cleanup EXIT
+
+	touch "${conf}"
+	chmod 600 "${conf}"
+
+	export AWS_CONFIG_FILE="${conf}"
+
+	# shellcheck disable=2157 # This isn't a constant string, it's a TeamCity variable substitution
+	if [[ -n "%ACCTEST_ROLE_ARN%" ]]; then
+		cat <<EOF >>"${conf}"
+[profile primary]
+role_arn       = %ACCTEST_ROLE_ARN%
+source_profile = primary_user
+
+[profile primary_user]
+aws_access_key_id     = %AWS_ACCESS_KEY_ID%
+aws_secret_access_key = %AWS_SECRET_ACCESS_KEY%
+EOF
+
+		unset AWS_ACCESS_KEY_ID
+		unset AWS_SECRET_ACCESS_KEY
+
+		export AWS_PROFILE=primary
+	fi
+
+	# shellcheck disable=2157 # This isn't a constant string, it's a TeamCity variable substitution
+	if [[ -n "%ACCTEST_ALTERNATE_ROLE_ARN%" ]]; then
+		cat <<EOF >>"${conf}"
+[profile alternate]
+role_arn       = %ACCTEST_ALTERNATE_ROLE_ARN%
+source_profile = alternate_user
+
+[profile alternate_user]
+aws_access_key_id     = %AWS_ALTERNATE_ACCESS_KEY_ID%
+aws_secret_access_key = %AWS_ALTERNATE_SECRET_ACCESS_KEY%
+EOF
+
+		unset AWS_ALTERNATE_ACCESS_KEY_ID
+		unset AWS_ALTERNATE_SECRET_ACCESS_KEY
+
+		export AWS_ALTERNATE_PROFILE=alternate
+	fi
+fi
+
 TF_ACC=1 go test ./... -run="%TEST_PATTERN%" -v -count=1 -parallel "%ACCTEST_PARALLELISM%" -timeout=0
diff --git a/.teamcity/settings.kts b/.teamcity/settings.kts
@@ -17,19 +17,26 @@ val sweeperRegions = DslContext.getParameter("sweeper_regions")
 val awsAccountID = DslContext.getParameter("aws_account.account_id")
 val acctestParallelism = DslContext.getParameter("acctest_parallelism", "")
 val tfAccAssumeRoleArn = DslContext.getParameter("tf_acc_assume_role_arn", "")
-val awsAlternateAccountID = DslContext.getParameter("aws_alternate_account.account_id", "")
-val awsAlternateAccessKeyID = DslContext.getParameter("aws_alternate_account.access_key_id", "")
-val awsAlternateSecretAccessKey = DslContext.getParameter("aws_alternate_account.secret_access_key", "")
+val awsAlternateAccountID = DslContext.getParameter("aws_alt_account.account_id", "")
 val tfLog = DslContext.getParameter("tf_log", "")
 
 // Legacy User credentials
 val legacyAWSAccessKeyID = DslContext.getParameter("aws_account.legacy_access_key_id", "")
 val legacyAWSSecretAccessKey = DslContext.getParameter("aws_account.legacy_secret_access_key", "")
 
+// Legacy Alternate User credentials
+val legacyAWSAlternateAccessKeyID = DslContext.getParameter("aws_alt_account.legacy_access_key_id", "")
+val legacyAWSAlternateSecretAccessKey = DslContext.getParameter("aws_alt_account.legacy_secret_access_key", "")
+
 // Assume Role credentials
-val awsAccessKeyID = DslContext.getParameter("aws_account.access_key_id", "")
-val awsSecretAccessKey = DslContext.getParameter("aws_account.secret_access_key", "")
 val accTestRoleARN = DslContext.getParameter("aws_account.role_arn", "")
+val awsAccessKeyID = if (accTestRoleARN != "") { DslContext.getParameter("aws_account.access_key_id") } else { "" }
+val awsSecretAccessKey = if (accTestRoleARN != "") { DslContext.getParameter("aws_account.secret_access_key") } else { "" }
+
+// Alternate Assume Role credentials
+val alternateAccTestRoleARN = DslContext.getParameter("aws_alt_account.role_arn", "")
+val alternateAWSAccessKeyID = if (alternateAccTestRoleARN != "") { DslContext.getParameter("aws_alt_account.access_key_id") } else { "" }
+val alternateAWSSecretAccessKey = if (alternateAccTestRoleARN != "") { DslContext.getParameter("aws_alt_account.secret_access_key") } else { "" }
 
 project {
     if (DslContext.getParameter("build_full", "true").toBoolean()) {
@@ -54,12 +61,6 @@ project {
         text("env.AWS_DEFAULT_REGION", defaultRegion, allowEmpty = false)
         text("env.TF_LOG", tfLog)
 
-        if (awsAlternateAccountID != "" || awsAlternateAccessKeyID != "" || awsAlternateSecretAccessKey != "") {
-            text("env.AWS_ALTERNATE_ACCOUNT_ID", awsAlternateAccountID, display = ParameterDisplay.HIDDEN)
-            password("env.AWS_ALTERNATE_ACCESS_KEY_ID", awsAlternateAccessKeyID, display = ParameterDisplay.HIDDEN)
-            password("env.AWS_ALTERNATE_SECRET_ACCESS_KEY", awsAlternateSecretAccessKey, display = ParameterDisplay.HIDDEN)
-        }
-
         if (alternateRegion != "") {
             text("env.AWS_ALTERNATE_REGION", alternateRegion)
         }
@@ -90,6 +91,13 @@ project {
             password("env.AWS_SECRET_ACCESS_KEY", legacyAWSSecretAccessKey, display = ParameterDisplay.HIDDEN)
         }
 
+        // Legacy Alternate User credentials
+        if (awsAlternateAccountID != "" || legacyAWSAlternateAccessKeyID != "" || legacyAWSAlternateSecretAccessKey != "") {
+            text("env.AWS_ALTERNATE_ACCOUNT_ID", awsAlternateAccountID, display = ParameterDisplay.HIDDEN)
+            password("env.AWS_ALTERNATE_ACCESS_KEY_ID", legacyAWSAlternateAccessKeyID, display = ParameterDisplay.HIDDEN)
+            password("env.AWS_ALTERNATE_SECRET_ACCESS_KEY", legacyAWSAlternateSecretAccessKey, display = ParameterDisplay.HIDDEN)
+        }
+
         // Assume Role credentials
         if (awsAccessKeyID != "") {
             password("AWS_ACCESS_KEY_ID", awsAccessKeyID, display = ParameterDisplay.HIDDEN)
@@ -99,6 +107,17 @@ project {
         }
         text("ACCTEST_ROLE_ARN", accTestRoleARN, display = ParameterDisplay.HIDDEN)
 
+        // Alternate Assume Role credentials
+        if (awsAlternateAccountID != "") {
+            if (awsAccessKeyID != "") {
+                password("AWS_ALTERNATE_ACCESS_KEY_ID", alternateAWSAccessKeyID, display = ParameterDisplay.HIDDEN)
+            }
+            if (awsSecretAccessKey != "") {
+                password("AWS_ALTERNATE_SECRET_ACCESS_KEY", alternateAWSSecretAccessKey, display = ParameterDisplay.HIDDEN)
+            }
+        }
+        text("ACCTEST_ALTERNATE_ROLE_ARN", alternateAccTestRoleARN, display = ParameterDisplay.HIDDEN)
+
         // Define this parameter even when not set to allow individual builds to set the value
         text("env.TF_ACC_TERRAFORM_VERSION", DslContext.getParameter("terraform_version", ""))
 
@@ -141,7 +160,7 @@ object PullRequest : BuildType({
             type = "JetBrains.SharedResources"
             param("locks-param", "${DslContext.getParameter("aws_account.lock_id")} readLock")
         }
-        val alternateAccountLockId = DslContext.getParameter("aws_alternate_account.lock_id", "")
+        val alternateAccountLockId = DslContext.getParameter("aws_alt_account.lock_id", "")
         if (alternateAccountLockId != "") {
             feature {
                 type = "JetBrains.SharedResources"
@@ -217,7 +236,7 @@ object FullBuild : BuildType({
             type = "JetBrains.SharedResources"
             param("locks-param", "${DslContext.getParameter("aws_account.lock_id")} writeLock")
         }
-        val alternateAccountLockId = DslContext.getParameter("aws_alternate_account.lock_id", "")
+        val alternateAccountLockId = DslContext.getParameter("aws_alt_account.lock_id", "")
         if (alternateAccountLockId != "") {
             feature {
                 type = "JetBrains.SharedResources"