Add instructions for setting up AWS test account (#227)

* Add instructions for setting up AWS test account

* Update README.md

Co-authored-by: Jose Armesto <[email protected]>

* Update README.md

* Update README.md

* Update README.md

---------

Co-authored-by: Jose Armesto <[email protected]>

Author: mnitchev

README.md

@@ -55,3 +55,18 @@ This project uses [`LocalStack`](https://github.com/localstack/localstack) for i
 ```
 $ aws --endpoint=http://localhost:4566 route53 list-hosted-zones-by-name
 ```
+
+## AWS account setup
+
+To run the integration and acceptance tests against an AWS account you need to create an IAM role. To do that, first source the `aws-resolver-rules-operator-test-secrets.sh` file from LastPass and then run the following commands. Note that you also need to target the account you are setting up when using the aws cli and update the desired WC or MC account env var in the LastPass secret afterwards.
+
+```shell
+source aws-resolver-rules-operator-test-secrets.sh
+aws iam create-policy --policy-name tests-aws-resolver-rules-operator --policy-document file://tests/assets/test-role-policy.json
+
+policy_file=$(mktemp)
+envsubst <tests/assets/test-role-trust-policy.json >$policy_file
+aws iam create-role --role-name tests-aws-resolver-rules-operator --assume-role-policy-document file://$policy_file
+aws iam attach-role-policy --role-name ttests-aws-resolver-rules-operator --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/tests-aws-resolver-rules-operator
+rm $policy_file
+```

tests/assets/test-role-policy.json

@@ -0,0 +1,42 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DeleteManagedPrefixList",
+                "ec2:DeleteSubnet",
+                "ec2:ModifyManagedPrefixList",
+                "ec2:DeleteTags",
+                "ec2:CreateVpc",
+                "ec2:DescribeTransitGateways",
+                "ec2:CreateTransitGateway",
+                "ec2:DeleteRouteTable",
+                "ec2:AssociateRouteTable",
+                "ec2:DeleteTransitGatewayVpcAttachment",
+                "ec2:CreateRoute",
+                "ec2:DescribeManagedPrefixLists",
+                "ec2:DescribeRouteTables",
+                "ec2:GetManagedPrefixListEntries",
+                "ec2:CreateTags",
+                "ec2:DeleteRoute",
+                "ec2:CreateRouteTable",
+                "ec2:DisassociateRouteTable",
+                "ec2:CreateManagedPrefixList",
+                "ec2:CreateTransitGatewayVpcAttachment",
+                "ec2:DeleteVpc",
+                "ec2:DescribeTransitGatewayVpcAttachments",
+                "ec2:CreateSubnet",
+                "ec2:DeleteTransitGateway",
+                "ec2:DescribeSubnets",
+                "ram:GetResourceShares",
+                "ram:CreateResourceShare",
+                "ram:DeleteResourceShare",
+                "ram:GetResourceShareAssociations",
+                "ram:ListResources"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

tests/assets/test-role-trust-policy.json

@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::$ROOT_ACCOUNT:user/tests-aws-network-topology-operator"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {}
+        }
+    ]
+}