Merge pull request #2395 from GrayCoder/master

Add resource "aws_iam_policy_attachment" to attach a managed policy to users, roles, or groups
2025-02-13 17:06:06 -06:00 · 2015-06-29 14:33:34 -05:00 · 2015-06-29 14:33:34 -05:00 · 791787047f
commit 791787047f
parent ddc266902b 28506c3750
5 changed files with 599 additions and 0 deletions
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@ -176,6 +176,7 @@ func Provider() terraform.ResourceProvider {
 			"aws_iam_group_membership":         resourceAwsIamGroupMembership(),
 			"aws_iam_instance_profile":         resourceAwsIamInstanceProfile(),
 			"aws_iam_policy":                   resourceAwsIamPolicy(),
+			"aws_iam_policy_attachment":        resourceAwsIamPolicyAttachment(),
 			"aws_iam_role_policy":              resourceAwsIamRolePolicy(),
 			"aws_iam_role":                     resourceAwsIamRole(),
 			"aws_iam_server_certificate":       resourceAwsIAMServerCertificate(),
--- a/builtin/providers/aws/resource_aws_iam_policy_attachment.go
+++ b/builtin/providers/aws/resource_aws_iam_policy_attachment.go
@ -0,0 +1,328 @@
+package aws
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsIamPolicyAttachment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsIamPolicyAttachmentCreate,
+		Read:   resourceAwsIamPolicyAttachmentRead,
+		Update: resourceAwsIamPolicyAttachmentUpdate,
+		Delete: resourceAwsIamPolicyAttachmentDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"users": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
+			},
+			"roles": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
+			},
+			"groups": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
+			},
+			"policy_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsIamPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+
+	name := d.Get("name").(string)
+	arn := d.Get("policy_arn").(string)
+	users := expandStringList(d.Get("users").(*schema.Set).List())
+	roles := expandStringList(d.Get("roles").(*schema.Set).List())
+	groups := expandStringList(d.Get("groups").(*schema.Set).List())
+
+	if len(users) > 0 && len(roles) > 0 && len(groups) > 0 {
+		return fmt.Errorf("[WARN] No Users, Roles, or Groups specified for IAM Policy Attachment %s", name)
+	} else {
+		var userErr, roleErr, groupErr error
+		if users != nil {
+			userErr = attachPolicyToUsers(conn, users, arn)
+		}
+		if roles != nil {
+			roleErr = attachPolicyToRoles(conn, roles, arn)
+		}
+		if groups != nil {
+			groupErr = attachPolicyToGroups(conn, groups, arn)
+		}
+		if userErr != nil || roleErr != nil || groupErr != nil {
+			return composeErrors(fmt.Sprint("[WARN] Error attaching policy with IAM Policy Attachment ", name, ":"), userErr, roleErr, groupErr)
+		}
+	}
+	d.SetId(d.Get("name").(string))
+	return resourceAwsIamPolicyAttachmentRead(d, meta)
+}
+
+func resourceAwsIamPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	arn := d.Get("policy_arn").(string)
+	name := d.Get("name").(string)
+
+	_, err := conn.GetPolicy(&iam.GetPolicyInput{
+		PolicyARN: aws.String(arn),
+	})
+
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "NoSuchIdentity" {
+				d.SetId("")
+				return nil
+			}
+		}
+		return err
+	}
+
+	policyEntities, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
+		PolicyARN: aws.String(arn),
+	})
+
+	if err != nil {
+		return err
+	}
+
+	ul := make([]string, 0, len(policyEntities.PolicyUsers))
+	rl := make([]string, 0, len(policyEntities.PolicyRoles))
+	gl := make([]string, 0, len(policyEntities.PolicyGroups))
+
+	for _, u := range policyEntities.PolicyUsers {
+		ul = append(ul, *u.UserName)
+	}
+
+	for _, r := range policyEntities.PolicyRoles {
+		rl = append(rl, *r.RoleName)
+	}
+
+	for _, g := range policyEntities.PolicyGroups {
+		gl = append(gl, *g.GroupName)
+	}
+
+	userErr := d.Set("users", ul)
+	roleErr := d.Set("roles", rl)
+	groupErr := d.Set("groups", gl)
+
+	if userErr != nil || roleErr != nil || groupErr != nil {
+		return composeErrors(fmt.Sprint("[WARN} Error setting user, role, or group list from IAM Policy Attachment ", name, ":"), userErr, roleErr, groupErr)
+	}
+
+	return nil
+}
+func resourceAwsIamPolicyAttachmentUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	name := d.Get("name").(string)
+	var userErr, roleErr, groupErr error
+
+	if d.HasChange("users") {
+		userErr = updateUsers(conn, d, meta)
+	}
+	if d.HasChange("roles") {
+		roleErr = updateRoles(conn, d, meta)
+	}
+	if d.HasChange("groups") {
+		groupErr = updateGroups(conn, d, meta)
+	}
+	if userErr != nil || roleErr != nil || groupErr != nil {
+		return composeErrors(fmt.Sprint("[WARN] Error updating user, role, or group list from IAM Policy Attachment ", name, ":"), userErr, roleErr, groupErr)
+	}
+	return resourceAwsIamPolicyAttachmentRead(d, meta)
+}
+
+func resourceAwsIamPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	name := d.Get("name").(string)
+	arn := d.Get("policy_arn").(string)
+	users := expandStringList(d.Get("users").(*schema.Set).List())
+	roles := expandStringList(d.Get("roles").(*schema.Set).List())
+	groups := expandStringList(d.Get("groups").(*schema.Set).List())
+
+	var userErr, roleErr, groupErr error
+	if len(users) != 0 {
+		userErr = detachPolicyFromUsers(conn, users, arn)
+	}
+	if len(roles) != 0 {
+		roleErr = detachPolicyFromRoles(conn, roles, arn)
+	}
+	if len(groups) != 0 {
+		groupErr = detachPolicyFromGroups(conn, groups, arn)
+	}
+	if userErr != nil || roleErr != nil || groupErr != nil {
+		return composeErrors(fmt.Sprint("[WARN] Error removing user, role, or group list from IAM Policy Detach ", name, ":"), userErr, roleErr, groupErr)
+	}
+	return nil
+}
+
+func composeErrors(desc string, uErr error, rErr error, gErr error) error {
+	errMsg := fmt.Sprintf(desc)
+	errs := []error{uErr, rErr, gErr}
+	for _, e := range errs {
+		if e != nil {
+			errMsg = errMsg + "\n– " + e.Error()
+		}
+	}
+	return fmt.Errorf(errMsg)
+}
+
+func attachPolicyToUsers(conn *iam.IAM, users []*string, arn string) error {
+	for _, u := range users {
+		_, err := conn.AttachUserPolicy(&iam.AttachUserPolicyInput{
+			UserName:  u,
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+func attachPolicyToRoles(conn *iam.IAM, roles []*string, arn string) error {
+	for _, r := range roles {
+		_, err := conn.AttachRolePolicy(&iam.AttachRolePolicyInput{
+			RoleName:  r,
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+func attachPolicyToGroups(conn *iam.IAM, groups []*string, arn string) error {
+	for _, g := range groups {
+		_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicyInput{
+			GroupName: g,
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+func updateUsers(conn *iam.IAM, d *schema.ResourceData, meta interface{}) error {
+	arn := d.Get("policy_arn").(string)
+	o, n := d.GetChange("users")
+	if o == nil {
+		o = new(schema.Set)
+	}
+	if n == nil {
+		n = new(schema.Set)
+	}
+	os := o.(*schema.Set)
+	ns := n.(*schema.Set)
+	remove := expandStringList(os.Difference(ns).List())
+	add := expandStringList(ns.Difference(os).List())
+
+	if rErr := detachPolicyFromUsers(conn, remove, arn); rErr != nil {
+		return rErr
+	}
+	if aErr := attachPolicyToUsers(conn, add, arn); aErr != nil {
+		return aErr
+	}
+	return nil
+}
+func updateRoles(conn *iam.IAM, d *schema.ResourceData, meta interface{}) error {
+	arn := d.Get("policy_arn").(string)
+	o, n := d.GetChange("roles")
+	if o == nil {
+		o = new(schema.Set)
+	}
+	if n == nil {
+		n = new(schema.Set)
+	}
+	os := o.(*schema.Set)
+	ns := n.(*schema.Set)
+	remove := expandStringList(os.Difference(ns).List())
+	add := expandStringList(ns.Difference(os).List())
+
+	if rErr := detachPolicyFromRoles(conn, remove, arn); rErr != nil {
+		return rErr
+	}
+	if aErr := attachPolicyToRoles(conn, add, arn); aErr != nil {
+		return aErr
+	}
+	return nil
+}
+func updateGroups(conn *iam.IAM, d *schema.ResourceData, meta interface{}) error {
+	arn := d.Get("policy_arn").(string)
+	o, n := d.GetChange("groups")
+	if o == nil {
+		o = new(schema.Set)
+	}
+	if n == nil {
+		n = new(schema.Set)
+	}
+	os := o.(*schema.Set)
+	ns := n.(*schema.Set)
+	remove := expandStringList(os.Difference(ns).List())
+	add := expandStringList(ns.Difference(os).List())
+
+	if rErr := detachPolicyFromGroups(conn, remove, arn); rErr != nil {
+		return rErr
+	}
+	if aErr := attachPolicyToGroups(conn, add, arn); aErr != nil {
+		return aErr
+	}
+	return nil
+
+}
+func detachPolicyFromUsers(conn *iam.IAM, users []*string, arn string) error {
+	for _, u := range users {
+		_, err := conn.DetachUserPolicy(&iam.DetachUserPolicyInput{
+			UserName:  u,
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+func detachPolicyFromRoles(conn *iam.IAM, roles []*string, arn string) error {
+	for _, r := range roles {
+		_, err := conn.DetachRolePolicy(&iam.DetachRolePolicyInput{
+			RoleName:  r,
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+func detachPolicyFromGroups(conn *iam.IAM, groups []*string, arn string) error {
+	for _, g := range groups {
+		_, err := conn.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
+			GroupName: g,
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/builtin/providers/aws/resource_aws_iam_policy_attachment_test.go
+++ b/builtin/providers/aws/resource_aws_iam_policy_attachment_test.go
@ -0,0 +1,213 @@
+package aws
+
+import (
+	"fmt"
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+	"testing"
+)
+
+func TestAccAWSPolicyAttachment_basic(t *testing.T) {
+	var out iam.ListEntitiesForPolicyOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSPolicyAttachConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attachment", 3, &out),
+					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user"}, []string{"test-role"}, []string{"test-group"}, &out),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSPolicyAttachConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attachment", 6, &out),
+					testAccCheckAWSPolicyAttachmentAttributes([]string{"test-user3", "test-user3"}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
+				),
+			},
+		},
+	})
+}
+func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
+
+	return nil
+}
+
+func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No policy name is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).iamconn
+		arn := rs.Primary.Attributes["policy_arn"]
+
+		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return fmt.Errorf("Error: Policy (%s) not found", n)
+		}
+		if c != *resp.Policy.AttachmentCount {
+			return fmt.Errorf("Error: Policy (%s) has wrong number of entities attached on initial creation", n)
+		}
+		resp2, err := conn.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
+			PolicyARN: aws.String(arn),
+		})
+		if err != nil {
+			return fmt.Errorf("Error: Failed to get entities for Policy (%s)", arn)
+		}
+
+		*out = *resp2
+		return nil
+	}
+}
+func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		uc := len(users)
+		rc := len(roles)
+		gc := len(groups)
+
+		for _, u := range users {
+			for _, pu := range out.PolicyUsers {
+				if u == *pu.UserName {
+					uc--
+				}
+			}
+		}
+		for _, r := range roles {
+			for _, pr := range out.PolicyRoles {
+				if r == *pr.RoleName {
+					rc--
+				}
+			}
+		}
+		for _, g := range users {
+			for _, pg := range out.PolicyGroups {
+				if g == *pg.GroupName {
+					gc--
+				}
+			}
+		}
+		if uc != 0 || rc != 0 || gc != 0 {
+			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d\nexpected %d roles and found %d\nexpected %d groups and found %d", len(users), (len(users) - uc), len(roles), (len(roles) - rc), len(groups), (len(groups) - gc))
+		}
+		return nil
+	}
+}
+
+const testAccAWSPolicyAttachConfig = `
+resource "aws_iam_user" "user" {
+    name = "test-user"
+}
+resource "aws_iam_role" "role" {
+    name = "test-role"
+}
+resource "aws_iam_group" "group" {
+    name = "test-group"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy_attachment" "test-attach" {
+    name = "test-attachment"
+    users = ["${aws_iam_user.user.name}"]
+    roles = ["${aws_iam_role.role.name}"]
+    groups = ["${aws_iam_group.group.name}"]
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+`
+
+const testAccAWSPolicyAttachConfigUpdate = `
+resource "aws_iam_user" "user" {
+    name = "test-user"
+}
+resource "aws_iam_user" "user2" {
+    name = "test-user2"
+}
+resource "aws_iam_user" "user3" {
+    name = "test-user3"
+}
+resource "aws_iam_role" "role" {
+    name = "test-role"
+}
+resource "aws_iam_role" "role2" {
+    name = "test-role2"
+}
+resource "aws_iam_role" "role3" {
+    name = "test-role3"
+}
+resource "aws_iam_group" "group" {
+    name = "test-group"
+}
+resource "aws_iam_group" "group2" {
+    name = "test-group2"
+}
+resource "aws_iam_group" "group3" {
+    name = "test-group3"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy_attachment" "test-attach" {
+    name = "test-attachment"
+    users = [
+        "${aws_iam_user.user2.name}",
+        "${aws_iam_user.user3.name}"
+    ]
+    roles = [
+        "${aws_iam_role.role2.name}",
+        "${aws_iam_role.role3.name}"
+    ]
+    groups = [
+        "${aws_iam_group.group2.name}",
+        "${aws_iam_group.group3.name}"
+    ]
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+`
--- a/website/source/docs/providers/aws/r/iam_policy_attachment.html.markdown
+++ b/website/source/docs/providers/aws/r/iam_policy_attachment.html.markdown
@ -0,0 +1,54 @@
+---
+layout: "aws"
+page_title: "AWS: aws_iam_policy_attachment"
+sidebar_current: "docs-aws-resource-iam-policy-attachment"
+description: |-
+  Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+---
+
+# aws\_iam\_policy\_attachment
+
+Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+
+```
+resource "aws_iam_user" "user" {
+    name = "test-user"
+}
+resource "aws_iam_role" "role" {
+    name = "test-role"
+}
+resource "aws_iam_group" "group" {
+    name = "test-group"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = 	#omitted
+}
+
+resource "aws_iam_policy_attachment" "test-attach" {
+    name = "test-attachment"
+    users = ["${aws_iam_user.user.name}"]
+    roles = ["${aws_iam_role.role.name}"]
+    groups = ["${aws_iam_group.group.name}"]
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` 		(Required) - The name of the policy.
+* `users`		(Optional) - The user(s) the policy should be applied to
+* `roles		(Optional) - The role(s) the policy should be applied to`
+* `groups		(Optional) - The group(s) the policy should be applied to`
+* `policy_arn`	(Required) - The ARN of the policy you want to apply
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - The policy's ID.
+* `name` - The name of the policy.
--- a/website/source/layouts/aws.erb
+++ b/website/source/layouts/aws.erb
@ -123,6 +123,9 @@
 						<li<%= sidebar_current("docs-aws-resource-iam-policy") %>>
 							<a href="/docs/providers/aws/r/iam_policy.html">aws_iam_policy</a>
 						</li>
+						<li<%= sidebar_current("docs-aws-resource-iam-policy-attachment") %>>
+							<a href="/docs/providers/aws/r/iam_policy_attachment.html">aws_iam_policy_attachment</a>
+						</li>

 						<li<%= sidebar_current("docs-aws-resource-iam-role") %>>
 							<a href="/docs/providers/aws/r/iam_role.html">aws_iam_role</a>