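// Source: github.com/adrian-bl/terraform@v0.7.0-rc2.0.20160705220747-de0a34fc3517/builtin/providers/aws/data_source_aws_iam_policy_document_test.go

package aws

import (
	"fmt"
	"testing"

	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSIAMPolicyDocument applies testAccAWSIAMPolicyDocumentConfig and
// checks that the "json" attribute of data.aws_iam_policy_document.test equals
// testAccAWSIAMPolicyDocumentExpectedJSON.
func TestAccAWSIAMPolicyDocument(t *testing.T) {
	// This really ought to be able to be a unit test rather than an
	// acceptance test, but just instantiating the AWS provider requires
	// some AWS API calls, and so this needs valid AWS credentials to work.
	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSIAMPolicyDocumentConfig,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckStateValue(
						"data.aws_iam_policy_document.test",
						"json",
						testAccAWSIAMPolicyDocumentExpectedJSON,
					),
				),
			},
		},
	})
}

// testAccCheckStateValue returns a check that looks up resource id in the root
// module of the state and requires its attribute name to equal value.
//
// The comparison is an exact string match. A missing attribute reads as the
// empty string from the attribute map, so this helper cannot tell "absent"
// from "empty"; do not use it with value == "" to assert that an attribute is
// set.
func testAccCheckStateValue(id, name, value string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[id]
		if !ok {
			return fmt.Errorf("Not found: %s", id)
		}
		// Report a resource without a primary instance as a check failure
		// rather than dereferencing a nil pointer below.
		if rs.Primary == nil {
			return fmt.Errorf("No primary instance: %s", id)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		if v := rs.Primary.Attributes[name]; v != value {
			return fmt.Errorf(
				"Value for %s is %s, not %s", name, v, value)
		}

		return nil
	}
}

// testAccAWSIAMPolicyDocumentConfig declares one aws_iam_policy_document data
// source with four statements. What the fixture exercises, as seen by comparing
// it with testAccAWSIAMPolicyDocumentExpectedJSON:
//
//   - The first three statements set no effect and are expected to render as
//     "Effect": "Allow"; only the last one sets effect = "Deny" explicitly.
//   - IAM policy variables are written as &{aws:username} here and are expected
//     to come out as ${aws:username}. The ${...} spelling is Terraform's own
//     interpolation syntax inside a configuration.
//   - "arn:blahblah:example" is a placeholder, not a well-formed ARN. The
//     expected output carries it through unchanged, so this test does not cover
//     any validation of principal identifiers.
var testAccAWSIAMPolicyDocumentConfig = `
data "aws_iam_policy_document" "test" {
    statement {
        actions = [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ]
        resources = [
            "arn:aws:s3:::*",
        ]
    }

    statement {
        actions = [
            "s3:ListBucket",
        ]
        resources = [
            "arn:aws:s3:::foo",
        ]
        condition {
            test = "StringLike"
            variable = "s3:prefix"
            values = [
                "",
                "home/",
                "home/&{aws:username}/",
            ]
        }

        not_principals {
            type = "AWS"
            identifiers = ["arn:blahblah:example"]
        }
    }

    statement {
        actions = [
            "s3:*",
        ]
        resources = [
            "arn:aws:s3:::foo/home/&{aws:username}",
            "arn:aws:s3:::foo/home/&{aws:username}/*",
        ]
        principals {
            type = "AWS"
            identifiers = ["arn:blahblah:example"]
        }
    }

    statement {
        effect = "Deny"
        not_actions = ["s3:*"]
        not_resources = ["arn:aws:s3:::*"]
    }

}
`

// testAccAWSIAMPolicyDocumentExpectedJSON is the policy document the data
// source is expected to produce for testAccAWSIAMPolicyDocumentConfig.
//
// The configuration sets no version; "Version": "2012-10-17" is expected in
// the output regardless. The Action list of the first statement and the
// Resource list of the third appear here in a different order than in the
// configuration, so the test pins the order the data source emits rather than
// the order the author wrote.
//
// NOTE(review): testAccCheckStateValue compares this as an exact string, so
// indentation, key order and element order must match the data source's output
// byte for byte. Confirm the whitespace against the provider's JSON encoding.
var testAccAWSIAMPolicyDocumentExpectedJSON = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::foo"
      ],
      "NotPrincipal": {
        "AWS": [
          "arn:blahblah:example"
        ]
      },
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "",
            "home/",
            "home/${aws:username}/"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::foo/home/${aws:username}/*",
        "arn:aws:s3:::foo/home/${aws:username}"
      ],
      "Principal": {
        "AWS": [
          "arn:blahblah:example"
        ]
      }
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "s3:*"
      ],
      "NotResource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}`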