opentofu/builtin/providers/aws/resource_aws_iam_policy_attach.go

186 lines
5.8 KiB
Go
Raw Normal View History

package aws
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceAwsIamPolicyAttach() *schema.Resource {
return &schema.Resource{
Create: resourceAwsIamPolicyAttachCreate,
Read: resourceAwsIamPolicyAttachRead,
Update: resourceAwsIamPolicyAttachUpdate,
Delete: resourceAwsIamPolicyAttachDelete,
Schema: map[]*schema.Schema{
"name": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"users": &schema.Schema{
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"roles": &schema.Schema{
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"groups": &schema.Schema{
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"arn": &schema.Schema{
Type: schema.TypeString,
Required: true,
},
},
}
}
func resourceAwsIamPolicyAttachCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
name := d.Get("name").(string)
arn := d.Get("arn").(string)
users := expandStringList(d.Get("users").(*schema.Set).List())
roles := expandStringList(d.Get("roles").(*schema.Set).List())
groups := expandStringList(d.Get("groups").(*schema.Set).List())
if users == nil && roles == nil && groups == nil {
return fmt.Errorf("[WARN] No Users, Roles, or Groups specified for %s", d.Get("name").(string))
}
else {
var userErr, roleErr, groupErr error
if users != nil {
userErr = attachPolicyToUsers(conn, users, arn)
}
if roles != nil {
roleErr = attachPolicyToRoles(conn, roles, arn)
}
if groups != nil {
groupErr = attachPolicyToGroups(conn, groups, arn)
}
if userErr != nil || roleErr != nil || groupErr != nil {
return fmt.Errorf("[WARN] Error attaching policy with IAM Policy Attach (%s), error:\n users - %v\n roles - %v\n groups - %v", name, userErr, roleErr, groupErr)
}
}
return resourceAwsIamPolicyAttachRead(d, meta)
}
func resourceAwsIamPolicyAttachRead(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
users := expandStringList(d.Get("users").(*schema.Set).List())
roles := expandStringList(d.Get("roles").(*schema.Set).List())
groups := expandStringList(d.Get("groups").(*schema.Set).List())
return nil
}
func resourceAwsIamPolicyAttachUpdate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
return nil
}
func resourceAwsIamPolicyAttachDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).iamconn
name := d.Get("name").(string)
arn := d.Id()
users := expandStringList(d.Get("users").(*schema.Set).List())
roles := expandStringList(d.Get("roles").(*schema.Set).List())
groups := expandStringList(d.Get("groups").(*schema.Set).List())
var userErr, roleErr, groupErr error
if users != nil {
userErr = detachPolicyFromUsers(conn, users, arn)
}
if roles != nil {
roleErr = detachPolicyFromRoles(conn, roles, arn)
}
if groups != nil {
groupErr = detachPolicyFromGroups(conn, groups, arn)
}
if userErr != nil || roleErr != nil || groupErr != nil {
return fmt.Errorf("Error detaching policy with IAM Policy Attach (%s), error:\n users - %v\n roles - %v\ groups - %v", name, userErr, roleErr, groupErr)
}
return nil
}
func attachPolicyToUsers (conn *iam.IAM, users []*string, arn string) {
for _, u := range users {
_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicy{
GroupName: u,
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
}
return nil
}
func attachPolicyToRoles (conn *iam.IAM, roles []*string, arn string) {
for _, r := range roles {
_, err := conn.AttachRolePolicy(&iam.AttachRolePolicy{
RoleName: u,
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
}
return nil
}
func attachPolicyToGroups (conn *iam.IAM, groups []*string, arn string) {
for _, g := range groups {
_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicy{
GroupName: g,
PolicyArn: aws.String(arn),
})
if err != nil {
return err
}
}
return nil
}
func detachPolicyFromUsers(conn *iam.IAM, users []*string, arn string) {
for _, u := range users {
_, err := conn.DetachUserPolicy(&iam.DetachUserPolicy{
UserName: u,
PolicyArn: aws.String(arn),
}
if err != nil {
return err
}
}
return nil
}
func detachPolicyFromRoles(conn *iam.IAM, roles []*string, arn string) {
for _, r := range roles {
_, err := conn.DetachRolePolicy(&iam.DetachRolePolicy{
RoleName: r,
PolicyArn: aws.String(arn),
}
if err != nil {
return err
}
}
return nil
}
func detachPolicyFromGroups(conn *iam.IAM, groups []*string, arn string) {
for _, g := range groups {
_, err := conn.DetachGroupPolicy(&iam.DetachGroupPolicy{
GroupName: g,
PolicyArn: aws.String(arn),
}
if err != nil {
return err
}
}
return nil
}