1 files changed, 46 insertions, 1 deletions

diff --git a/spec/controllers/admin/clusters_controller_spec.rb b/spec/controllers/admin/clusters_controller_spec.rb
index 233710b9fc3..d3192593a78 100644
--- a/spec/controllers/admin/clusters_controller_spec.rb
+++ b/spec/controllers/admin/clusters_controller_spec.rb
@@ -73,7 +73,7 @@ describe Admin::ClustersController do
   end
 
   describe 'GET #new' do
-    def get_new(provider: 'gke')
+    def get_new(provider: 'gcp')
       get :new, params: { provider: provider }
     end
 
@@ -318,6 +318,51 @@ describe Admin::ClustersController do
     end
   end
 
+  describe 'POST authorize AWS role for EKS cluster' do
+    let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
+    let(:role_external_id) { '12345' }
+
+    let(:params) do
+      {
+        cluster: {
+          role_arn: role_arn,
+          role_external_id: role_external_id
+        }
+      }
+    end
+
+    def go
+      post :authorize_aws_role, params: params
+    end
+
+    it 'creates an Aws::Role record' do
+      expect { go }.to change { Aws::Role.count }
+
+      expect(response.status).to eq 201
+
+      role = Aws::Role.last
+      expect(role.user).to eq admin
+      expect(role.role_arn).to eq role_arn
+      expect(role.role_external_id).to eq role_external_id
+    end
+
+    context 'role cannot be created' do
+      let(:role_arn) { 'invalid-role' }
+
+      it 'does not create a record' do
+        expect { go }.not_to change { Aws::Role.count }
+
+        expect(response.status).to eq 422
+      end
+    end
+
+    describe 'security' do
+      it { expect { go }.to be_allowed_for(:admin) }
+      it { expect { go }.to be_denied_for(:user) }
+      it { expect { go }.to be_denied_for(:external) }
+    end
+  end
+
   describe 'GET #cluster_status' do
     let(:cluster) { create(:cluster, :providing_by_gcp, :instance) }