From 91af842695ae05a8bb82f3564bb3dc151750799e Mon Sep 17 00:00:00 2001
From: Dexter <me@dextermiguel.com>
Date: Fri, 8 Nov 2019 20:44:17 -0800
Subject: [PATCH 1/2] Added InstanceRoleArn to GameLift fleets

---
 aws/resource_aws_gamelift_fleet.go      | 11 ++++++++++-
 aws/resource_aws_gamelift_fleet_test.go | 14 ++++++++++----
 aws/resource_aws_gamelift_test.go       |  1 -
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/aws/resource_aws_gamelift_fleet.go b/aws/resource_aws_gamelift_fleet.go
index ac985289517a..59be3d257571 100644
--- a/aws/resource_aws_gamelift_fleet.go
+++ b/aws/resource_aws_gamelift_fleet.go
@@ -45,6 +45,12 @@ func resourceAwsGameliftFleet() *schema.Resource {
 				Required:     true,
 				ValidateFunc: validation.StringLenBetween(1, 1024),
 			},
+			"instance_role_arn": {
+				Type:         schema.TypeString,
+				ForceNew:     true,
+				ValidateFunc: validateArn,
+				Optional:     true,
+			},
 			"description": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -182,6 +188,7 @@ func resourceAwsGameliftFleetCreate(d *schema.ResourceData, meta interface{}) er
 		BuildId:         aws.String(d.Get("build_id").(string)),
 		EC2InstanceType: aws.String(d.Get("ec2_instance_type").(string)),
 		Name:            aws.String(d.Get("name").(string)),
+		InstanceRoleArn: aws.String(d.Get("instance_role_arn").(string)),
 	}
 
 	if v, ok := d.GetOk("description"); ok {
@@ -286,6 +293,7 @@ func resourceAwsGameliftFleetRead(d *schema.ResourceData, meta interface{}) erro
 	d.Set("log_paths", aws.StringValueSlice(fleet.LogPaths))
 	d.Set("metric_groups", flattenStringList(fleet.MetricGroups))
 	d.Set("name", fleet.Name)
+	d.Set("instance_role_arn", fleet.InstanceRoleArn)
 	d.Set("new_game_session_protection_policy", fleet.NewGameSessionProtectionPolicy)
 	d.Set("operating_system", fleet.OperatingSystem)
 	d.Set("resource_creation_limit_policy", flattenGameliftResourceCreationLimitPolicy(fleet.ResourceCreationLimitPolicy))
@@ -299,7 +307,8 @@ func resourceAwsGameliftFleetUpdate(d *schema.ResourceData, meta interface{}) er
 	log.Printf("[INFO] Updating Gamelift Fleet: %s", d.Id())
 
 	if d.HasChange("description") || d.HasChange("metric_groups") || d.HasChange("name") ||
-		d.HasChange("new_game_session_protection_policy") || d.HasChange("resource_creation_limit_policy") {
+		d.HasChange("new_game_session_protection_policy") || d.HasChange("resource_creation_limit_policy") ||
+		d.HasChange("instance_role_arn") {
 		_, err := conn.UpdateFleetAttributes(&gamelift.UpdateFleetAttributesInput{
 			Description:                    aws.String(d.Get("description").(string)),
 			FleetId:                        aws.String(d.Id()),
diff --git a/aws/resource_aws_gamelift_fleet_test.go b/aws/resource_aws_gamelift_fleet_test.go
index 4f94eb4af903..c91f560d13a9 100644
--- a/aws/resource_aws_gamelift_fleet_test.go
+++ b/aws/resource_aws_gamelift_fleet_test.go
@@ -277,6 +277,7 @@ func TestAccAWSGameliftFleet_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "ec2_instance_type", "c4.large"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "log_paths.#", "0"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "name", fleetName),
+					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "instance_role_arn", roleArn),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.#", "1"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.0", "default"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "new_game_session_protection_policy", "NoProtection"),
@@ -296,6 +297,7 @@ func TestAccAWSGameliftFleet_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "ec2_instance_type", "c4.large"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "log_paths.#", "0"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "name", uFleetName),
+					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "instance_role_arn", roleArn),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "description", desc),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.#", "1"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.0", "UpdatedGroup"),
@@ -503,6 +505,7 @@ func testAccAWSGameliftFleetBasicConfig(fleetName, launchPath, params, buildName
 resource "aws_gamelift_fleet" "test" {
   build_id          = "${aws_gamelift_build.test.id}"
   ec2_instance_type = "c4.large"
+  instance_role_arn = "%s"
   name              = "%s"
 
   runtime_configuration {
@@ -516,7 +519,7 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, fleetName, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+`, roleArn, fleetName, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
 }
 
 func testAccAWSGameliftFleetBasicUpdatedConfig(desc, fleetName, launchPath, params, buildName, bucketName, key, roleArn string) string {
@@ -528,6 +531,7 @@ resource "aws_gamelift_fleet" "test" {
   name                               = "%s"
   metric_groups                      = ["UpdatedGroup"]
   new_game_session_protection_policy = "FullProtection"
+  instance_role_arn                  = "%s"
 
   resource_creation_limit_policy {
     new_game_sessions_per_creator = 2
@@ -545,7 +549,7 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, desc, fleetName, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+`, desc, fleetName, roleArn, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
 }
 
 func testAccAWSGameliftFleetAllFieldsConfig(fleetName, desc, launchPath string, params string, buildName, bucketName, key, roleArn string) string {
@@ -555,6 +559,7 @@ resource "aws_gamelift_fleet" "test" {
   ec2_instance_type = "c4.large"
   name              = "%s"
   description       = "%s"
+  instance_role_arn = "%s"
 
   ec2_inbound_permission {
     from_port = 8080
@@ -599,7 +604,7 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, fleetName, desc, launchPath, params,
+`, fleetName, desc, roleArn, launchPath, params,
 		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
 }
 
@@ -610,6 +615,7 @@ resource "aws_gamelift_fleet" "test" {
   ec2_instance_type = "c4.large"
   name              = "%s"
   description       = "%s"
+  instance_role_arn = "%s"
 
   ec2_inbound_permission {
     from_port = 8888
@@ -654,7 +660,7 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, fleetName, desc, launchPath, params,
+`, fleetName, desc, roleArn, launchPath, params,
 		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
 }
 
diff --git a/aws/resource_aws_gamelift_test.go b/aws/resource_aws_gamelift_test.go
index 4329ef3d318a..98debbafa5f4 100644
--- a/aws/resource_aws_gamelift_test.go
+++ b/aws/resource_aws_gamelift_test.go
@@ -28,7 +28,6 @@ func testAccAWSGameliftSampleGame(region string) (*testAccGameliftGame, error) {
 	bucket := fmt.Sprintf("gamelift-sample-builds-prod-%s", region)
 	key := fmt.Sprintf("%s/server/sample_build_%s", version, version)
 	roleArn := fmt.Sprintf("arn:aws:iam::%s:role/sample-build-upload-role-%s", accId, region)
-
 	launchPath := `C:\game\Bin64.Release.Dedicated\MultiplayerProjectLauncher_Server.exe`
 
 	gg := &testAccGameliftGame{

From c80d6207dee00cafaf204fb27cd3215c98e74409 Mon Sep 17 00:00:00 2001
From: Ryn Daniels <ryn@hashicorp.com>
Date: Fri, 10 Jan 2020 18:05:54 +0100
Subject: [PATCH 2/2] Tests and documentation for gamelift fleet
 instance_role_arn

---
 aws/resource_aws_gamelift_fleet.go          | 22 ++++--
 aws/resource_aws_gamelift_fleet_test.go     | 78 +++++++++++++++++----
 website/docs/r/gamelift_fleet.html.markdown |  5 +-
 3 files changed, 87 insertions(+), 18 deletions(-)

diff --git a/aws/resource_aws_gamelift_fleet.go b/aws/resource_aws_gamelift_fleet.go
index 59be3d257571..1395a7b75f55 100644
--- a/aws/resource_aws_gamelift_fleet.go
+++ b/aws/resource_aws_gamelift_fleet.go
@@ -188,7 +188,6 @@ func resourceAwsGameliftFleetCreate(d *schema.ResourceData, meta interface{}) er
 		BuildId:         aws.String(d.Get("build_id").(string)),
 		EC2InstanceType: aws.String(d.Get("ec2_instance_type").(string)),
 		Name:            aws.String(d.Get("name").(string)),
-		InstanceRoleArn: aws.String(d.Get("instance_role_arn").(string)),
 	}
 
 	if v, ok := d.GetOk("description"); ok {
@@ -197,6 +196,11 @@ func resourceAwsGameliftFleetCreate(d *schema.ResourceData, meta interface{}) er
 	if v, ok := d.GetOk("ec2_inbound_permission"); ok {
 		input.EC2InboundPermissions = expandGameliftIpPermissions(v.([]interface{}))
 	}
+
+	if v, ok := d.GetOk("instance_role_arn"); ok {
+		input.InstanceRoleArn = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("metric_groups"); ok {
 		input.MetricGroups = expandStringList(v.([]interface{}))
 	}
@@ -211,7 +215,18 @@ func resourceAwsGameliftFleetCreate(d *schema.ResourceData, meta interface{}) er
 	}
 
 	log.Printf("[INFO] Creating Gamelift Fleet: %s", input)
-	out, err := conn.CreateFleet(&input)
+	var out *gamelift.CreateFleetOutput
+	err := resource.Retry(3*time.Minute, func() *resource.RetryError {
+		var err error
+		out, err = conn.CreateFleet(&input)
+		if isAWSErr(err, gamelift.ErrCodeInvalidRequestException, "GameLift is not authorized to perform") {
+			return resource.RetryableError(err)
+		}
+		if err != nil {
+			return resource.NonRetryableError(err)
+		}
+		return nil
+	})
 	if err != nil {
 		return err
 	}
@@ -307,8 +322,7 @@ func resourceAwsGameliftFleetUpdate(d *schema.ResourceData, meta interface{}) er
 	log.Printf("[INFO] Updating Gamelift Fleet: %s", d.Id())
 
 	if d.HasChange("description") || d.HasChange("metric_groups") || d.HasChange("name") ||
-		d.HasChange("new_game_session_protection_policy") || d.HasChange("resource_creation_limit_policy") ||
-		d.HasChange("instance_role_arn") {
+		d.HasChange("new_game_session_protection_policy") || d.HasChange("resource_creation_limit_policy") {
 		_, err := conn.UpdateFleetAttributes(&gamelift.UpdateFleetAttributesInput{
 			Description:                    aws.String(d.Get("description").(string)),
 			FleetId:                        aws.String(d.Id()),
diff --git a/aws/resource_aws_gamelift_fleet_test.go b/aws/resource_aws_gamelift_fleet_test.go
index c91f560d13a9..d08feea88a66 100644
--- a/aws/resource_aws_gamelift_fleet_test.go
+++ b/aws/resource_aws_gamelift_fleet_test.go
@@ -277,7 +277,6 @@ func TestAccAWSGameliftFleet_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "ec2_instance_type", "c4.large"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "log_paths.#", "0"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "name", fleetName),
-					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "instance_role_arn", roleArn),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.#", "1"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.0", "default"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "new_game_session_protection_policy", "NoProtection"),
@@ -297,7 +296,6 @@ func TestAccAWSGameliftFleet_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "ec2_instance_type", "c4.large"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "log_paths.#", "0"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "name", uFleetName),
-					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "instance_role_arn", roleArn),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "description", desc),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.#", "1"),
 					resource.TestCheckResourceAttr("aws_gamelift_fleet.test", "metric_groups.0", "UpdatedGroup"),
@@ -505,7 +503,6 @@ func testAccAWSGameliftFleetBasicConfig(fleetName, launchPath, params, buildName
 resource "aws_gamelift_fleet" "test" {
   build_id          = "${aws_gamelift_build.test.id}"
   ec2_instance_type = "c4.large"
-  instance_role_arn = "%s"
   name              = "%s"
 
   runtime_configuration {
@@ -519,7 +516,7 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, roleArn, fleetName, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+`, fleetName, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
 }
 
 func testAccAWSGameliftFleetBasicUpdatedConfig(desc, fleetName, launchPath, params, buildName, bucketName, key, roleArn string) string {
@@ -531,7 +528,6 @@ resource "aws_gamelift_fleet" "test" {
   name                               = "%s"
   metric_groups                      = ["UpdatedGroup"]
   new_game_session_protection_policy = "FullProtection"
-  instance_role_arn                  = "%s"
 
   resource_creation_limit_policy {
     new_game_sessions_per_creator = 2
@@ -549,7 +545,7 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, desc, fleetName, roleArn, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+`, desc, fleetName, launchPath, params, testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
 }
 
 func testAccAWSGameliftFleetAllFieldsConfig(fleetName, desc, launchPath string, params string, buildName, bucketName, key, roleArn string) string {
@@ -559,7 +555,7 @@ resource "aws_gamelift_fleet" "test" {
   ec2_instance_type = "c4.large"
   name              = "%s"
   description       = "%s"
-  instance_role_arn = "%s"
+  instance_role_arn = "${aws_iam_role.test.arn}"
 
   ec2_inbound_permission {
     from_port = 8080
@@ -604,8 +600,10 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, fleetName, desc, roleArn, launchPath, params,
-		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+%s
+
+`, fleetName, desc, launchPath, params,
+		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn), testAccAWSGameLiftFleetIAMRole(buildName))
 }
 
 func testAccAWSGameliftFleetAllFieldsUpdatedConfig(fleetName, desc, launchPath string, params string, buildName, bucketName, key, roleArn string) string {
@@ -615,7 +613,7 @@ resource "aws_gamelift_fleet" "test" {
   ec2_instance_type = "c4.large"
   name              = "%s"
   description       = "%s"
-  instance_role_arn = "%s"
+  instance_role_arn = "${aws_iam_role.test.arn}"
 
   ec2_inbound_permission {
     from_port = 8888
@@ -660,8 +658,10 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
-`, fleetName, desc, roleArn, launchPath, params,
-		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+%s
+
+`, fleetName, desc, launchPath, params,
+		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn), testAccAWSGameLiftFleetIAMRole(buildName))
 }
 
 func testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn string) string {
@@ -678,3 +678,57 @@ resource "aws_gamelift_build" "test" {
 }
 `, buildName, bucketName, key, roleArn)
 }
+
+func testAccAWSGameLiftFleetIAMRole(rName string) string {
+	return fmt.Sprintf(`
+	resource "aws_iam_role" "test" {
+		name = "test-role-%[1]s"
+
+		assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+	{
+		"Sid": "",
+		"Effect": "Allow",
+		"Principal": {
+			"Service": [
+			"gamelift.amazonaws.com"
+			]
+		},
+		"Action": [
+			"sts:AssumeRole"
+			]
+		}
+	]
+}
+EOF
+	  }
+
+	  resource "aws_iam_policy" "test" {
+		name        = "test-policy-%[1]s"
+		path        = "/"
+		description = "GameLift Fleet PassRole Policy"
+
+		policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [{
+	"Effect": "Allow",
+	"Action": [
+		"iam:PassRole",
+		"sts:AssumeRole"
+		],
+	"Resource": ["*"]
+}]
+}
+EOF
+	  }
+
+	  resource "aws_iam_policy_attachment" "test-attach" {
+		name       = "test-attachment-%[1]s"
+		roles      = ["${aws_iam_role.test.name}"]
+		policy_arn = "${aws_iam_policy.test.arn}"
+	  }
+`, rName)
+}
diff --git a/website/docs/r/gamelift_fleet.html.markdown b/website/docs/r/gamelift_fleet.html.markdown
index 4b27d969f147..bc10d70da3b2 100644
--- a/website/docs/r/gamelift_fleet.html.markdown
+++ b/website/docs/r/gamelift_fleet.html.markdown
@@ -32,11 +32,12 @@ resource "aws_gamelift_fleet" "example" {
 The following arguments are supported:
 
 * `build_id` - (Required) ID of the Gamelift Build to be deployed on the fleet.
-* `ec2_instance_type` - (Required) Name of an EC2 instance type. e.g. `t2.micro`
-* `name` - (Required) The name of the fleet.
 * `description` - (Optional) Human-readable description of the fleet.
 * `ec2_inbound_permission` - (Optional) Range of IP addresses and port settings that permit inbound traffic to access server processes running on the fleet. See below.
+* `ec2_instance_type` - (Required) Name of an EC2 instance type. e.g. `t2.micro`
+* `instance_role_arn` - (Optional) ARN of an IAM role that instances in the fleet can assume.
 * `metric_groups` - (Optional) List of names of metric groups to add this fleet to. A metric group tracks metrics across all fleets in the group. Defaults to `default`.
+* `name` - (Required) The name of the fleet.
 * `new_game_session_protection_policy` - (Optional) Game session protection policy to apply to all instances in this fleet. e.g. `FullProtection`. Defaults to `NoProtection`.
 * `resource_creation_limit_policy` - (Optional) Policy that limits the number of game sessions an individual player can create over a span of time for this fleet. See below.
 * `runtime_configuration` - (Optional) Instructions for launching server processes on each instance in the fleet. See below.