package aws
import (
"fmt"
"testing"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
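// TestAccAWSPolicyAttachment_basic creates one user, role and group, attaches
// a policy to all three, then applies an updated configuration that attaches
// the same policy to a different set of users, roles and groups. After each
// step it verifies the policy's attachment count and the names of the
// attached entities.
func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	// Random suffixes keep repeated or concurrent runs from colliding on
	// the user names created in the test account.
	user1 := fmt.Sprintf("test-user-%d", acctest.RandInt())
	user2 := fmt.Sprintf("test-user-%d", acctest.RandInt())
	user3 := fmt.Sprintf("test-user-%d", acctest.RandInt())

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSPolicyAttachConfig(user1),
				Check: resource.ComposeTestCheckFunc(
					// One user, one role and one group: 3 attachments.
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{user1}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			{
				Config: testAccAWSPolicyAttachConfigUpdate(user1, user2, user3),
				Check: resource.ComposeTestCheckFunc(
					// The updated config attaches user2 and user3 (user1 is
					// still declared but no longer attached) plus two roles
					// and two groups: 6 attachments.
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
					// user2 must be asserted explicitly; listing user3 twice
					// here would let a missing user2 go unnoticed because
					// each expected name is matched independently.
					testAccCheckAWSPolicyAttachmentAttributes([]string{user2, user3}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}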
// TestAccAWSPolicyAttachment_paginatedEntities attaches a policy to 101
// users (a number chosen to span more than one ListEntitiesForPolicy page)
// and checks that the policy's attachment count reports all of them.
func TestAccAWSPolicyAttachment_paginatedEntities(t *testing.T) {
	var entities iam.ListEntitiesForPolicyOutput

	steps := []resource.TestStep{
		{
			Config: testAccAWSPolicyPaginatedAttachConfig,
			Check: resource.ComposeTestCheckFunc(
				// The fixture declares count = 101 users, all attached.
				testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-paginated-attach", 101, &entities),
			),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps:        steps,
	})
}
// testAccCheckAWSPolicyAttachmentDestroy is the CheckDestroy hook used by the
// policy attachment acceptance tests. It always returns nil and performs no
// verification, so the framework's post-destroy check is effectively a no-op
// for this resource; a policy attachment that survives destroy would not be
// reported here.
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
	return nil
}
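// testAccCheckAWSPolicyAttachmentExists returns a check that looks up the
// policy attachment resource n in the root module state, verifies through
// GetPolicy that the policy's AttachmentCount equals c, and then lists every
// entity the policy is attached to into out for later attribute checks.
//
// ListEntitiesForPolicy is paginated, so the listing walks all pages; out
// therefore holds every attached user, role and group rather than only the
// first page.
func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No policy name is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]
		if arn == "" {
			return fmt.Errorf("No policy_arn is set for %s", n)
		}

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			// Keep the API error: it separates a genuinely missing policy
			// from a permissions or throttling failure.
			return fmt.Errorf("Error: Policy (%s) for %s not found: %s", arn, n, err)
		}
		if resp.Policy == nil || resp.Policy.AttachmentCount == nil {
			return fmt.Errorf("Error: Policy (%s) response carries no attachment count", arn)
		}
		if got := *resp.Policy.AttachmentCount; got != c {
			return fmt.Errorf("Error: Policy (%s) has %d entities attached, expected %d", arn, got, c)
		}

		// Collect every page so the attribute check sees all entities.
		var all iam.ListEntitiesForPolicyOutput
		err = conn.ListEntitiesForPolicyPages(&iam.ListEntitiesForPolicyInput{
			PolicyArn: aws.String(arn),
		}, func(page *iam.ListEntitiesForPolicyOutput, lastPage bool) bool {
			all.PolicyUsers = append(all.PolicyUsers, page.PolicyUsers...)
			all.PolicyRoles = append(all.PolicyRoles, page.PolicyRoles...)
			all.PolicyGroups = append(all.PolicyGroups, page.PolicyGroups...)
			return true
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s): %s", arn, err)
		}
		*out = all
		return nil
	}
}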
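// testAccCheckAWSPolicyAttachmentAttributes returns a check that every name in
// users, roles and groups appears among the entities recorded in out (as
// filled by testAccCheckAWSPolicyAttachmentExists). Missing names are listed
// in the error so a failure points at the specific entity. Entities attached
// beyond the expected ones are not reported here; the attachment count check
// in testAccCheckAWSPolicyAttachmentExists covers that.
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		// Index attached names once; nil names from the API are skipped
		// rather than dereferenced.
		attachedUsers := make(map[string]bool, len(out.PolicyUsers))
		for _, pu := range out.PolicyUsers {
			if pu.UserName != nil {
				attachedUsers[*pu.UserName] = true
			}
		}
		attachedRoles := make(map[string]bool, len(out.PolicyRoles))
		for _, pr := range out.PolicyRoles {
			if pr.RoleName != nil {
				attachedRoles[*pr.RoleName] = true
			}
		}
		attachedGroups := make(map[string]bool, len(out.PolicyGroups))
		for _, pg := range out.PolicyGroups {
			if pg.GroupName != nil {
				attachedGroups[*pg.GroupName] = true
			}
		}

		// missing reports the entries of want absent from have, in order.
		missing := func(want []string, have map[string]bool) []string {
			var absent []string
			for _, w := range want {
				if !have[w] {
					absent = append(absent, w)
				}
			}
			return absent
		}

		missingUsers := missing(users, attachedUsers)
		missingRoles := missing(roles, attachedRoles)
		missingGroups := missing(groups, attachedGroups)
		if len(missingUsers) != 0 || len(missingRoles) != 0 || len(missingGroups) != 0 {
			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d (missing %v)\nexpected %d roles and found %d (missing %v)\nexpected %d groups and found %d (missing %v)",
				len(users), len(users)-len(missingUsers), missingUsers,
				len(roles), len(roles)-len(missingRoles), missingRoles,
				len(groups), len(groups)-len(missingGroups), missingGroups)
		}
		return nil
	}
}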
// testAccAWSPolicyAttachConfig renders the initial fixture: one user named u1,
// one role, one group, a policy granting the single action iam:ChangePassword,
// and an aws_iam_policy_attachment that attaches the policy to all three
// entities. The fixture policy is deliberately kept to one action because
// acceptance tests create real IAM entities in the test account.
func testAccAWSPolicyAttachConfig(u1 string) string {
	const tmpl = `
resource "aws_iam_user" "user" {
    name = "%s"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}`

	// Only the user name is parameterised; everything else is fixed text.
	return fmt.Sprintf(tmpl, u1)
}
// testAccAWSPolicyAttachConfigUpdate renders the updated fixture: three users
// named u1, u2 and u3, three roles, three groups and the same single-action
// policy as testAccAWSPolicyAttachConfig. The aws_iam_policy_attachment is
// moved to user2/user3, role2/role3 and group2/group3; user1, role and group
// remain declared but are no longer attached.
func testAccAWSPolicyAttachConfigUpdate(u1, u2, u3 string) string {
	const tmpl = `
resource "aws_iam_user" "user" {
    name = "%s"
}
resource "aws_iam_user" "user2" {
    name = "%s"
}
resource "aws_iam_user" "user3" {
    name = "%s"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_role" "role2" {
    name = "test-role2"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_role" "role3" {
    name = "test-role3"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}
resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}`

	// The three %s verbs are filled in declaration order: user, user2, user3.
	names := []interface{}{u1, u2, u3}
	return fmt.Sprintf(tmpl, names...)
}
// testAccAWSPolicyPaginatedAttachConfig declares 101 users via count and
// attaches the single-action test policy to all of them, so that listing the
// policy's entities requires more than one page.
const testAccAWSPolicyPaginatedAttachConfig = `
resource "aws_iam_user" "user" {
    count = 101
    name = "${format("paged-test-user-%d", count.index + 1)}"
}
resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_policy_attachment" "test-paginated-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.*.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`