mirror of
https://github.com/opentofu/opentofu.git
synced 2025-01-27 00:46:25 -06:00
186 lines
5.8 KiB
Go
186 lines
5.8 KiB
Go
|
package aws
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
"github.com/aws/aws-sdk-go/aws"
|
||
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
||
|
"github.com/aws/aws-sdk-go/service/iam"
|
||
|
"github.com/hashicorp/terraform/helper/schema"
|
||
|
)
|
||
|
|
||
|
func resourceAwsIamPolicyAttach() *schema.Resource {
|
||
|
return &schema.Resource{
|
||
|
Create: resourceAwsIamPolicyAttachCreate,
|
||
|
Read: resourceAwsIamPolicyAttachRead,
|
||
|
Update: resourceAwsIamPolicyAttachUpdate,
|
||
|
Delete: resourceAwsIamPolicyAttachDelete,
|
||
|
|
||
|
Schema: map[]*schema.Schema{
|
||
|
"name": &schema.Schema{
|
||
|
Type: schema.TypeString,
|
||
|
Required: true,
|
||
|
ForceNew: true,
|
||
|
},
|
||
|
"users": &schema.Schema{
|
||
|
Type: schema.TypeSet,
|
||
|
Optional: true,
|
||
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||
|
},
|
||
|
"roles": &schema.Schema{
|
||
|
Type: schema.TypeSet,
|
||
|
Optional: true,
|
||
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||
|
},
|
||
|
"groups": &schema.Schema{
|
||
|
Type: schema.TypeSet,
|
||
|
Optional: true,
|
||
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||
|
},
|
||
|
"arn": &schema.Schema{
|
||
|
Type: schema.TypeString,
|
||
|
Required: true,
|
||
|
},
|
||
|
},
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func resourceAwsIamPolicyAttachCreate(d *schema.ResourceData, meta interface{}) error {
|
||
|
conn := meta.(*AWSClient).iamconn
|
||
|
|
||
|
name := d.Get("name").(string)
|
||
|
arn := d.Get("arn").(string)
|
||
|
users := expandStringList(d.Get("users").(*schema.Set).List())
|
||
|
roles := expandStringList(d.Get("roles").(*schema.Set).List())
|
||
|
groups := expandStringList(d.Get("groups").(*schema.Set).List())
|
||
|
|
||
|
if users == nil && roles == nil && groups == nil {
|
||
|
return fmt.Errorf("[WARN] No Users, Roles, or Groups specified for %s", d.Get("name").(string))
|
||
|
}
|
||
|
else {
|
||
|
var userErr, roleErr, groupErr error
|
||
|
if users != nil {
|
||
|
userErr = attachPolicyToUsers(conn, users, arn)
|
||
|
}
|
||
|
if roles != nil {
|
||
|
roleErr = attachPolicyToRoles(conn, roles, arn)
|
||
|
}
|
||
|
if groups != nil {
|
||
|
groupErr = attachPolicyToGroups(conn, groups, arn)
|
||
|
}
|
||
|
if userErr != nil || roleErr != nil || groupErr != nil {
|
||
|
return fmt.Errorf("[WARN] Error attaching policy with IAM Policy Attach (%s), error:\n users - %v\n roles - %v\n groups - %v", name, userErr, roleErr, groupErr)
|
||
|
}
|
||
|
}
|
||
|
return resourceAwsIamPolicyAttachRead(d, meta)
|
||
|
}
|
||
|
func resourceAwsIamPolicyAttachRead(d *schema.ResourceData, meta interface{}) error {
|
||
|
conn := meta.(*AWSClient).iamconn
|
||
|
users := expandStringList(d.Get("users").(*schema.Set).List())
|
||
|
roles := expandStringList(d.Get("roles").(*schema.Set).List())
|
||
|
groups := expandStringList(d.Get("groups").(*schema.Set).List())
|
||
|
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
func resourceAwsIamPolicyAttachUpdate(d *schema.ResourceData, meta interface{}) error {
|
||
|
conn := meta.(*AWSClient).iamconn
|
||
|
|
||
|
return nil
|
||
|
}
|
||
|
func resourceAwsIamPolicyAttachDelete(d *schema.ResourceData, meta interface{}) error {
|
||
|
conn := meta.(*AWSClient).iamconn
|
||
|
name := d.Get("name").(string)
|
||
|
arn := d.Id()
|
||
|
users := expandStringList(d.Get("users").(*schema.Set).List())
|
||
|
roles := expandStringList(d.Get("roles").(*schema.Set).List())
|
||
|
groups := expandStringList(d.Get("groups").(*schema.Set).List())
|
||
|
|
||
|
var userErr, roleErr, groupErr error
|
||
|
if users != nil {
|
||
|
userErr = detachPolicyFromUsers(conn, users, arn)
|
||
|
}
|
||
|
if roles != nil {
|
||
|
roleErr = detachPolicyFromRoles(conn, roles, arn)
|
||
|
}
|
||
|
if groups != nil {
|
||
|
groupErr = detachPolicyFromGroups(conn, groups, arn)
|
||
|
}
|
||
|
if userErr != nil || roleErr != nil || groupErr != nil {
|
||
|
return fmt.Errorf("Error detaching policy with IAM Policy Attach (%s), error:\n users - %v\n roles - %v\ groups - %v", name, userErr, roleErr, groupErr)
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
func attachPolicyToUsers (conn *iam.IAM, users []*string, arn string) {
|
||
|
for _, u := range users {
|
||
|
_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicy{
|
||
|
GroupName: u,
|
||
|
PolicyArn: aws.String(arn),
|
||
|
})
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
func attachPolicyToRoles (conn *iam.IAM, roles []*string, arn string) {
|
||
|
for _, r := range roles {
|
||
|
_, err := conn.AttachRolePolicy(&iam.AttachRolePolicy{
|
||
|
RoleName: u,
|
||
|
PolicyArn: aws.String(arn),
|
||
|
})
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
|
||
|
}
|
||
|
func attachPolicyToGroups (conn *iam.IAM, groups []*string, arn string) {
|
||
|
for _, g := range groups {
|
||
|
_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicy{
|
||
|
GroupName: g,
|
||
|
PolicyArn: aws.String(arn),
|
||
|
})
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
func detachPolicyFromUsers(conn *iam.IAM, users []*string, arn string) {
|
||
|
for _, u := range users {
|
||
|
_, err := conn.DetachUserPolicy(&iam.DetachUserPolicy{
|
||
|
UserName: u,
|
||
|
PolicyArn: aws.String(arn),
|
||
|
}
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
func detachPolicyFromRoles(conn *iam.IAM, roles []*string, arn string) {
|
||
|
for _, r := range roles {
|
||
|
_, err := conn.DetachRolePolicy(&iam.DetachRolePolicy{
|
||
|
RoleName: r,
|
||
|
PolicyArn: aws.String(arn),
|
||
|
}
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
func detachPolicyFromGroups(conn *iam.IAM, groups []*string, arn string) {
|
||
|
for _, g := range groups {
|
||
|
_, err := conn.DetachGroupPolicy(&iam.DetachGroupPolicy{
|
||
|
GroupName: g,
|
||
|
PolicyArn: aws.String(arn),
|
||
|
}
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|