opentofu/builtin/providers/aws/resource_aws_iam_policy_attachment_test.go

package aws

import (
	"fmt"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
	"testing"
)

func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			resource.TestStep{
				Config: testAccAWSPolicyAttachConfig,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attachment", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			resource.TestStep{
				Config: testAccAWSPolicyAttachConfigUpdate,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attachment", 6, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user3", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {

	return nil
}

func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		if rs.Primary.ID == "" {
			return fmt.Errorf("No policy name is set")
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyARN: aws.String(arn),
		})
		if err != nil {
			return fmt.Errorf("Error: Policy (%s) not found", n)
		}
		if c != *resp.Policy.AttachmentCount {
			return fmt.Errorf("Error: Policy (%s) has wrong number of entities attached on initial creation", n)
		}
		resp2, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
			PolicyARN: aws.String(arn),
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s)", arn)
		}

		*out = *resp2
		return nil
	}
}
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		uc := len(users)
		rc := len(roles)
		gc := len(groups)

		for _, u := range users {
			for _, pu := range out.PolicyUsers {
				if u == *pu.UserName {
					uc--
				}
			}
		}
		for _, r := range roles {
			for _, pr := range out.PolicyRoles {
				if r == *pr.RoleName {
					rc--
				}
			}
		}
		for _, g := range users {
			for _, pg := range out.PolicyGroups {
				if g == *pg.GroupName {
					gc--
				}
			}
		}
		if uc != 0 || rc != 0 || gc != 0 {
			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d\nexpected %d roles and found %d\nexpected %d groups and found %d", len(users), (len(users) - uc), len(roles), (len(roles) - rc), len(groups), (len(groups) - gc))
		}
		return nil
	}
}

const testAccAWSPolicyAttachConfig = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_role" "role" {
    name = "test-role"
}
resource "aws_iam_group" "group" {
    name = "test-group"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`

const testAccAWSPolicyAttachConfigUpdate = `
resource "aws_iam_user" "user" {
    name = "test-user"
}
resource "aws_iam_user" "user2" {
    name = "test-user2"
}
resource "aws_iam_user" "user3" {
    name = "test-user3"
}
resource "aws_iam_role" "role" {
    name = "test-role"
}
resource "aws_iam_role" "role2" {
    name = "test-role2"
}
resource "aws_iam_role" "role3" {
    name = "test-role3"
}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}
`
commit create and delete with a start of test 2015-06-12 11:44:35 -05:00			`package aws`

			`import (`
			`"fmt"`
			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/service/iam"`
			`"github.com/hashicorp/terraform/helper/resource"`
			`"github.com/hashicorp/terraform/terraform"`
			`"testing"`
			`)`

rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`func TestAccAWSPolicyAttachment_basic(t *testing.T) {`
test works 2015-06-18 10:10:14 -05:00			`var out iam.ListEntitiesForPolicyOutput`
add works but need tests 2015-06-17 09:56:33 -05:00
			`resource.Test(t, resource.TestCase{`
			`PreCheck: func() { testAccPreCheck(t) },`
			`Providers: testAccProviders,`
			`CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,`
			`Steps: []resource.TestStep{`
			`resource.TestStep{`
			`Config: testAccAWSPolicyAttachConfig,`
			`Check: resource.ComposeTestCheckFunc(`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attachment", 3, &out),`
			`testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),`
add works but need tests 2015-06-17 09:56:33 -05:00			`),`
			`},`
			`resource.TestStep{`
			`Config: testAccAWSPolicyAttachConfigUpdate,`
			`Check: resource.ComposeTestCheckFunc(`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attachment", 6, &out),`
			`testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user3", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),`
add works but need tests 2015-06-17 09:56:33 -05:00			`),`
			`},`
			`},`
			`})`
			`}`
			`func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {`

			`return nil`
			`}`

test works 2015-06-18 10:10:14 -05:00			`func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`return func(s *terraform.State) error {`
			`rs, ok := s.RootModule().Resources[n]`
			`if !ok {`
			`return fmt.Errorf("Not found: %s", n)`
			`}`
add works but need tests 2015-06-17 09:56:33 -05:00
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`if rs.Primary.ID == "" {`
			`return fmt.Errorf("No policy name is set")`
			`}`
add works but need tests 2015-06-17 09:56:33 -05:00
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`conn := testAccProvider.Meta().(*AWSClient).iamconn`
			`arn := rs.Primary.Attributes["policy_arn"]`

			`resp, err := conn.GetPolicy(&iam.GetPolicyInput{`
			`PolicyARN: aws.String(arn),`
			`})`
			`if err != nil {`
			`return fmt.Errorf("Error: Policy (%s) not found", n)`
			`}`
test works 2015-06-18 10:10:14 -05:00			`if c != *resp.Policy.AttachmentCount {`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`return fmt.Errorf("Error: Policy (%s) has wrong number of entities attached on initial creation", n)`
			`}`
test works 2015-06-18 10:10:14 -05:00			`resp2, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`PolicyARN: aws.String(arn),`
			`})`
			`if err != nil {`
			`return fmt.Errorf("Error: Failed to get entities for Policy (%s)", arn)`
			`}`

			`out = resp2`
			`return nil`
			`}`
			`}`
			`func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {`
			`return func(s *terraform.State) error {`
test works 2015-06-18 10:10:14 -05:00			`uc := len(users)`
			`rc := len(roles)`
			`gc := len(groups)`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00
			`for _, u := range users {`
			`for _, pu := range out.PolicyUsers {`
			`if u == *pu.UserName {`
			`uc--`
			`}`
			`}`
			`}`
			`for _, r := range roles {`
			`for _, pr := range out.PolicyRoles {`
test works 2015-06-18 10:10:14 -05:00			`if r == *pr.RoleName {`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`rc--`
			`}`
			`}`
			`}`
			`for _, g := range users {`
			`for _, pg := range out.PolicyGroups {`
test works 2015-06-18 10:10:14 -05:00			`if g == *pg.GroupName {`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`gc--`
			`}`
			`}`
			`}`
			`if uc != 0 \|\| rc != 0 \|\| gc != 0 {`
			`return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d\nexpected %d roles and found %d\nexpected %d groups and found %d", len(users), (len(users) - uc), len(roles), (len(roles) - rc), len(groups), (len(groups) - gc))`
			`}`
test works 2015-06-18 10:10:14 -05:00			`return nil`
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`}`
add works but need tests 2015-06-17 09:56:33 -05:00			`}`

commit create and delete with a start of test 2015-06-12 11:44:35 -05:00			const testAccAWSPolicyAttachConfig = `
add works but need tests 2015-06-17 09:56:33 -05:00			`resource "aws_iam_user" "user" {`
			`name = "test-user"`
			`}`
			`resource "aws_iam_role" "role" {`
			`name = "test-role"`
			`}`
			`resource "aws_iam_group" "group" {`
			`name = "test-group"`
			`}`

			`resource "aws_iam_policy" "policy" {`
			`name = "test-policy"`
			`description = "A test policy"`
			`policy = <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Action": [`
			`"iam:ChangePassword"`
			`],`
			`"Resource": "*",`
			`"Effect": "Allow"`
			`}`
			`]`
			`}`
			`EOF`
			`}`

rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`resource "aws_iam_policy_attachment" "test-attach" {`
add works but need tests 2015-06-17 09:56:33 -05:00			`name = "test-attachment"`
			`users = ["${aws_iam_user.user.name}"]`
			`roles = ["${aws_iam_role.role.name}"]`
			`groups = ["${aws_iam_group.group.name}"]`
			`policy_arn = "${aws_iam_policy.policy.arn}"`
			`}`
			`

			const testAccAWSPolicyAttachConfigUpdate = `
			`resource "aws_iam_user" "user" {`
			`name = "test-user"`
			`}`
			`resource "aws_iam_user" "user2" {`
			`name = "test-user2"`
			`}`
			`resource "aws_iam_user" "user3" {`
			`name = "test-user3"`
			`}`
			`resource "aws_iam_role" "role" {`
			`name = "test-role"`
			`}`
			`resource "aws_iam_role" "role2" {`
			`name = "test-role2"`
			`}`
			`resource "aws_iam_role" "role3" {`
			`name = "test-role3"`
			`}`
			`resource "aws_iam_group" "group" {`
			`name = "test-group"`
			`}`
			`resource "aws_iam_group" "group2" {`
			`name = "test-group2"`
			`}`
			`resource "aws_iam_group" "group3" {`
			`name = "test-group3"`
			`}`

			`resource "aws_iam_policy" "policy" {`
			`name = "test-policy"`
			`description = "A test policy"`
			`policy = <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Action": [`
			`"iam:ChangePassword"`
			`],`
			`"Resource": "*",`
			`"Effect": "Allow"`
			`}`
			`]`
			`}`
			`EOF`
			`}`
commit create and delete with a start of test 2015-06-12 11:44:35 -05:00
rename to more intuitive name and finish tests 2015-06-18 09:53:52 -05:00			`resource "aws_iam_policy_attachment" "test-attach" {`
add works but need tests 2015-06-17 09:56:33 -05:00			`name = "test-attachment"`
			`users = [`
			`"${aws_iam_user.user2.name}",`
			`"${aws_iam_user.user3.name}"`
			`]`
			`roles = [`
			`"${aws_iam_role.role2.name}",`
			`"${aws_iam_role.role3.name}"`
			`]`
			`groups = [`
			`"${aws_iam_group.group2.name}",`
			`"${aws_iam_group.group3.name}"`
			`]`
			`policy_arn = "${aws_iam_policy.policy.arn}"`
			`}`
commit create and delete with a start of test 2015-06-12 11:44:35 -05:00			`