tests: Add `iam_tags` to expected responses (#13150)

Update the AWS auth backend acceptance tests to account for the new
`iam_tags` field that comes back on responses.

* marked only tests requiring creds as acceptance

Renamed TestBackend_* to TestAcceptanceBackend_* if the test requires
AWS credentials. Otherwise left the name as TestBackend_* and set
`AcceptanceTest: false`.

* ensure generated names aren't too long

IAM roles and users have a 64 character limit, and adding Acceptance
to the test names was putting some over the length limit, so modified
generateUniqueName() to take a max length parameter and added
functions for each type of name generation (user, role, group).

builtin/logical/aws/backend_test.go

@@ -44,7 +44,7 @@ func getBackend(t *testing.T) logical.Backend {
 	return be
 }
 
-func TestBackend_basic(t *testing.T) {
+func TestAcceptanceBackend_basic(t *testing.T) {
 	t.Parallel()
 	logicaltest.Test(t, logicaltest.TestCase{
 		AcceptanceTest: true,
@@ -58,7 +58,7 @@ func TestBackend_basic(t *testing.T) {
 	})
 }
 
-func TestBackend_IamUserWithPermissionsBoundary(t *testing.T) {
+func TestAcceptanceBackend_IamUserWithPermissionsBoundary(t *testing.T) {
 	t.Parallel()
 	roleData := map[string]interface{}{
 		"credential_type":          iamUserCred,
@@ -77,15 +77,15 @@ func TestBackend_IamUserWithPermissionsBoundary(t *testing.T) {
 	})
 }
 
-func TestBackend_basicSTS(t *testing.T) {
+func TestAcceptanceBackend_basicSTS(t *testing.T) {
 	t.Parallel()
 	awsAccountID, err := getAccountID()
 	if err != nil {
 		t.Logf("Unable to retrive user via sts:GetCallerIdentity: %#v", err)
 		t.Skip("Could not determine AWS account ID from sts:GetCallerIdentity for acceptance tests, skipping")
 	}
-	roleName := generateUniqueName(t.Name())
-	userName := generateUniqueName(t.Name())
+	roleName := generateUniqueRoleName(t.Name())
+	userName := generateUniqueUserName(t.Name())
 	accessKey := &awsAccessKey{}
 	logicaltest.Test(t, logicaltest.TestCase{
 		AcceptanceTest: true,
@@ -126,7 +126,7 @@ func TestBackend_policyCrud(t *testing.T) {
 	}
 
 	logicaltest.Test(t, logicaltest.TestCase{
-		AcceptanceTest: true,
+		AcceptanceTest: false,
 		LogicalBackend: getBackend(t),
 		Steps: []logicaltest.TestStep{
 			testAccStepConfig(t),
@@ -871,6 +871,7 @@ func testAccStepReadPolicy(t *testing.T, name string, value string) logicaltest.
 				"user_path":                "",
 				"permissions_boundary_arn": "",
 				"iam_groups":               []string(nil),
+				"iam_tags":                 map[string]string(nil),
 			}
 			if !reflect.DeepEqual(resp.Data, expected) {
 				return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected)
@@ -955,7 +956,7 @@ func testAccStepWriteArnPolicyRef(t *testing.T, name string, arn string) logical
 	}
 }
 
-func TestBackend_basicPolicyArnRef(t *testing.T) {
+func TestAcceptanceBackend_basicPolicyArnRef(t *testing.T) {
 	t.Parallel()
 	logicaltest.Test(t, logicaltest.TestCase{
 		AcceptanceTest: true,
@@ -969,13 +970,13 @@ func TestBackend_basicPolicyArnRef(t *testing.T) {
 	})
 }
 
-func TestBackend_iamUserManagedInlinePoliciesGroups(t *testing.T) {
+func TestAcceptanceBackend_iamUserManagedInlinePoliciesGroups(t *testing.T) {
 	t.Parallel()
 	compacted, err := compactJSON(testDynamoPolicy)
 	if err != nil {
 		t.Fatalf("bad: %#v", err)
 	}
-	groupName := generateUniqueName(t.Name())
+	groupName := generateUniqueGroupName(t.Name())
 	roleData := map[string]interface{}{
 		"policy_document": testDynamoPolicy,
 		"policy_arns":     []string{ec2PolicyArn, iamPolicyArn},
@@ -993,6 +994,7 @@ func TestBackend_iamUserManagedInlinePoliciesGroups(t *testing.T) {
 		"user_path":                "/path/",
 		"permissions_boundary_arn": "",
 		"iam_groups":               []string{groupName},
+		"iam_tags":                 map[string]string(nil),
 	}
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -1017,10 +1019,10 @@ func TestBackend_iamUserManagedInlinePoliciesGroups(t *testing.T) {
 
 // Similar to TestBackend_iamUserManagedInlinePoliciesGroups() but managing
 // policies only with groups
-func TestBackend_iamUserGroups(t *testing.T) {
+func TestAcceptanceBackend_iamUserGroups(t *testing.T) {
 	t.Parallel()
-	group1Name := generateUniqueName(t.Name())
-	group2Name := generateUniqueName(t.Name())
+	group1Name := generateUniqueGroupName(t.Name())
+	group2Name := generateUniqueGroupName(t.Name())
 	roleData := map[string]interface{}{
 		"iam_groups":      []string{group1Name, group2Name},
 		"credential_type": iamUserCred,
@@ -1036,6 +1038,7 @@ func TestBackend_iamUserGroups(t *testing.T) {
 		"user_path":                "/path/",
 		"permissions_boundary_arn": "",
 		"iam_groups":               []string{group1Name, group2Name},
+		"iam_tags":                 map[string]string(nil),
 	}
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -1062,9 +1065,9 @@ func TestBackend_iamUserGroups(t *testing.T) {
 	})
 }
 
-func TestBackend_AssumedRoleWithPolicyDoc(t *testing.T) {
+func TestAcceptanceBackend_AssumedRoleWithPolicyDoc(t *testing.T) {
 	t.Parallel()
-	roleName := generateUniqueName(t.Name())
+	roleName := generateUniqueRoleName(t.Name())[:64]
 	// This looks a bit curious. The policy document and the role document act
 	// as a logical intersection of policies. The role allows ec2:Describe*
 	// (among other permissions). This policy allows everything BUT
@@ -1113,9 +1116,9 @@ func TestBackend_AssumedRoleWithPolicyDoc(t *testing.T) {
 	})
 }
 
-func TestBackend_AssumedRoleWithPolicyARN(t *testing.T) {
+func TestAcceptanceBackend_AssumedRoleWithPolicyARN(t *testing.T) {
 	t.Parallel()
-	roleName := generateUniqueName(t.Name())
+	roleName := generateUniqueRoleName(t.Name())
 
 	awsAccountID, err := getAccountID()
 	if err != nil {
@@ -1148,10 +1151,10 @@ func TestBackend_AssumedRoleWithPolicyARN(t *testing.T) {
 	})
 }
 
-func TestBackend_AssumedRoleWithGroups(t *testing.T) {
+func TestAcceptanceBackend_AssumedRoleWithGroups(t *testing.T) {
 	t.Parallel()
-	roleName := generateUniqueName(t.Name())
-	groupName := generateUniqueName(t.Name())
+	roleName := generateUniqueRoleName(t.Name())
+	groupName := generateUniqueGroupName(t.Name())
 	// This looks a bit curious. The policy document and the role document act
 	// as a logical intersection of policies. The role allows ec2:Describe*
 	// (among other permissions). This policy allows everything BUT
@@ -1205,9 +1208,9 @@ func TestBackend_AssumedRoleWithGroups(t *testing.T) {
 	})
 }
 
-func TestBackend_FederationTokenWithPolicyARN(t *testing.T) {
+func TestAcceptanceBackend_FederationTokenWithPolicyARN(t *testing.T) {
 	t.Parallel()
-	userName := generateUniqueName(t.Name())
+	userName := generateUniqueUserName(t.Name())
 	accessKey := &awsAccessKey{}
 
 	roleData := map[string]interface{}{
@@ -1236,10 +1239,10 @@ func TestBackend_FederationTokenWithPolicyARN(t *testing.T) {
 	})
 }
 
-func TestBackend_FederationTokenWithGroups(t *testing.T) {
+func TestAcceptanceBackend_FederationTokenWithGroups(t *testing.T) {
 	t.Parallel()
-	userName := generateUniqueName(t.Name())
-	groupName := generateUniqueName(t.Name())
+	userName := generateUniqueUserName(t.Name())
+	groupName := generateUniqueGroupName(t.Name())
 	accessKey := &awsAccessKey{}
 
 	// IAM policy where Statement is a single element, not a list
@@ -1286,9 +1289,9 @@ func TestBackend_FederationTokenWithGroups(t *testing.T) {
 	})
 }
 
-func TestBackend_RoleDefaultSTSTTL(t *testing.T) {
+func TestAcceptanceBackend_RoleDefaultSTSTTL(t *testing.T) {
 	t.Parallel()
-	roleName := generateUniqueName(t.Name())
+	roleName := generateUniqueRoleName(t.Name())
 	minAwsAssumeRoleDuration := 900
 	awsAccountID, err := getAccountID()
 	if err != nil {
@@ -1324,7 +1327,7 @@ func TestBackend_RoleDefaultSTSTTL(t *testing.T) {
 func TestBackend_policyArnCrud(t *testing.T) {
 	t.Parallel()
 	logicaltest.Test(t, logicaltest.TestCase{
-		AcceptanceTest: true,
+		AcceptanceTest: false,
 		LogicalBackend: getBackend(t),
 		Steps: []logicaltest.TestStep{
 			testAccStepConfig(t),
@@ -1359,6 +1362,7 @@ func testAccStepReadArnPolicy(t *testing.T, name string, value string) logicalte
 				"user_path":                "",
 				"permissions_boundary_arn": "",
 				"iam_groups":               []string(nil),
+				"iam_tags":                 map[string]string(nil),
 			}
 			if !reflect.DeepEqual(resp.Data, expected) {
 				return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected)
@@ -1382,7 +1386,7 @@ func testAccStepWriteArnRoleRef(t *testing.T, vaultRoleName, awsRoleName, awsAcc
 func TestBackend_iamGroupsCrud(t *testing.T) {
 	t.Parallel()
 	logicaltest.Test(t, logicaltest.TestCase{
-		AcceptanceTest: true,
+		AcceptanceTest: false,
 		LogicalBackend: getBackend(t),
 		Steps: []logicaltest.TestStep{
 			testAccStepConfig(t),
@@ -1428,6 +1432,7 @@ func testAccStepReadIamGroups(t *testing.T, name string, groups []string) logica
 				"user_path":                "",
 				"permissions_boundary_arn": "",
 				"iam_groups":               groups,
+				"iam_tags":                 map[string]string(nil),
 			}
 			if !reflect.DeepEqual(resp.Data, expected) {
 				return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected)
@@ -1440,7 +1445,7 @@ func testAccStepReadIamGroups(t *testing.T, name string, groups []string) logica
 
 func TestBackend_iamTagsCrud(t *testing.T) {
 	logicaltest.Test(t, logicaltest.TestCase{
-		AcceptanceTest: true,
+		AcceptanceTest: false,
 		LogicalBackend: getBackend(t),
 		Steps: []logicaltest.TestStep{
 			testAccStepConfig(t),
@@ -1497,8 +1502,24 @@ func testAccStepReadIamTags(t *testing.T, name string, tags map[string]string) l
 	}
 }
 
-func generateUniqueName(prefix string) string {
-	return testhelpers.RandomWithPrefix(prefix)
+func generateUniqueRoleName(prefix string) string {
+	return generateUniqueName(prefix, 64)
+}
+
+func generateUniqueUserName(prefix string) string {
+	return generateUniqueName(prefix, 64)
+}
+
+func generateUniqueGroupName(prefix string) string {
+	return generateUniqueName(prefix, 128)
+}
+
+func generateUniqueName(prefix string, maxLength int) string {
+	name := testhelpers.RandomWithPrefix(prefix)
+	if len(name) > maxLength {
+		return name[:maxLength]
+	}
+	return name
 }
 
 type awsAccessKey struct {