github.com/bradfeehan/terraform@v0.7.0-rc3.0.20170529055808-34b45c5ad841/builtin/providers/aws/resource_aws_iam_role_policy_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "regexp" 6 "testing" 7 8 "github.com/aws/aws-sdk-go/aws" 9 "github.com/aws/aws-sdk-go/aws/awserr" 10 "github.com/aws/aws-sdk-go/service/iam" 11 "github.com/hashicorp/terraform/helper/acctest" 12 "github.com/hashicorp/terraform/helper/resource" 13 "github.com/hashicorp/terraform/terraform" 14 ) 15 16 func TestAccAWSIAMRolePolicy_basic(t *testing.T) { 17 role := acctest.RandString(10) 18 policy1 := acctest.RandString(10) 19 policy2 := acctest.RandString(10) 20 21 resource.Test(t, resource.TestCase{ 22 PreCheck: func() { testAccPreCheck(t) }, 23 Providers: testAccProviders, 24 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 25 Steps: []resource.TestStep{ 26 { 27 Config: testAccIAMRolePolicyConfig(role, policy1), 28 Check: resource.ComposeTestCheckFunc( 29 testAccCheckIAMRolePolicy( 30 "aws_iam_role.role", 31 "aws_iam_role_policy.foo", 32 ), 33 ), 34 }, 35 { 36 Config: testAccIAMRolePolicyConfigUpdate(role, policy1, policy2), 37 Check: resource.ComposeTestCheckFunc( 38 testAccCheckIAMRolePolicy( 39 "aws_iam_role.role", 40 "aws_iam_role_policy.bar", 41 ), 42 ), 43 }, 44 }, 45 }) 46 } 47 48 func TestAccAWSIAMRolePolicy_namePrefix(t *testing.T) { 49 role := acctest.RandString(10) 50 51 resource.Test(t, resource.TestCase{ 52 PreCheck: func() { testAccPreCheck(t) }, 53 IDRefreshName: "aws_iam_role_policy.test", 54 Providers: testAccProviders, 55 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 56 Steps: []resource.TestStep{ 57 { 58 Config: testAccIAMRolePolicyConfig_namePrefix(role), 59 Check: resource.ComposeTestCheckFunc( 60 testAccCheckIAMRolePolicy( 61 "aws_iam_role.test", 62 "aws_iam_role_policy.test", 63 ), 64 ), 65 }, 66 }, 67 }) 68 } 69 70 func TestAccAWSIAMRolePolicy_generatedName(t *testing.T) { 71 role := acctest.RandString(10) 72 73 resource.Test(t, resource.TestCase{ 74 PreCheck: func() { testAccPreCheck(t) }, 75 IDRefreshName: "aws_iam_role_policy.test", 76 Providers: testAccProviders, 77 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 78 Steps: []resource.TestStep{ 79 { 80 Config: testAccIAMRolePolicyConfig_generatedName(role), 81 Check: resource.ComposeTestCheckFunc( 82 testAccCheckIAMRolePolicy( 83 "aws_iam_role.test", 84 "aws_iam_role_policy.test", 85 ), 86 ), 87 }, 88 }, 89 }) 90 } 91 92 func TestAccAWSIAMRolePolicy_invalidJSON(t *testing.T) { 93 role := acctest.RandString(10) 94 95 resource.Test(t, resource.TestCase{ 96 PreCheck: func() { testAccPreCheck(t) }, 97 Providers: testAccProviders, 98 CheckDestroy: testAccCheckIAMRolePolicyDestroy, 99 Steps: []resource.TestStep{ 100 { 101 Config: testAccIAMRolePolicyConfig_invalidJSON(role), 102 ExpectError: regexp.MustCompile("invalid JSON"), 103 }, 104 }, 105 }) 106 } 107 108 func testAccCheckIAMRolePolicyDestroy(s *terraform.State) error { 109 iamconn := testAccProvider.Meta().(*AWSClient).iamconn 110 111 for _, rs := range s.RootModule().Resources { 112 if rs.Type != "aws_iam_role_policy" { 113 continue 114 } 115 116 role, name, err := resourceAwsIamRolePolicyParseId(rs.Primary.ID) 117 if err != nil { 118 return err 119 } 120 121 request := &iam.GetRolePolicyInput{ 122 PolicyName: aws.String(name), 123 RoleName: aws.String(role), 124 } 125 126 getResp, err := iamconn.GetRolePolicy(request) 127 if err != nil { 128 if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { 129 // none found, that's good 130 return nil 131 } 132 return fmt.Errorf("Error reading IAM policy %s from role %s: %s", name, role, err) 133 } 134 135 if getResp != nil { 136 return fmt.Errorf("Found IAM Role, expected none: %s", getResp) 137 } 138 } 139 140 return nil 141 } 142 143 func testAccCheckIAMRolePolicy( 144 iamRoleResource string, 145 iamRolePolicyResource string) resource.TestCheckFunc { 146 return func(s *terraform.State) error { 147 rs, ok := s.RootModule().Resources[iamRoleResource] 148 if !ok { 149 return fmt.Errorf("Not Found: %s", iamRoleResource) 150 } 151 152 if rs.Primary.ID == "" { 153 return fmt.Errorf("No ID is set") 154 } 155 156 policy, ok := s.RootModule().Resources[iamRolePolicyResource] 157 if !ok { 158 return fmt.Errorf("Not Found: %s", iamRolePolicyResource) 159 } 160 161 iamconn := testAccProvider.Meta().(*AWSClient).iamconn 162 role, name, err := resourceAwsIamRolePolicyParseId(policy.Primary.ID) 163 if err != nil { 164 return err 165 } 166 167 _, err = iamconn.GetRolePolicy(&iam.GetRolePolicyInput{ 168 RoleName: aws.String(role), 169 PolicyName: aws.String(name), 170 }) 171 if err != nil { 172 return err 173 } 174 175 return nil 176 } 177 } 178 179 func testAccIAMRolePolicyConfig(role, policy1 string) string { 180 return fmt.Sprintf(` 181 resource "aws_iam_role" "role" { 182 name = "tf_test_role_%s" 183 path = "/" 184 assume_role_policy = <<EOF 185 { 186 "Version": "2012-10-17", 187 "Statement": [ 188 { 189 "Action": "sts:AssumeRole", 190 "Principal": { 191 "Service": "ec2.amazonaws.com" 192 }, 193 "Effect": "Allow", 194 "Sid": "" 195 } 196 ] 197 } 198 EOF 199 } 200 201 resource "aws_iam_role_policy" "foo" { 202 name = "tf_test_policy_%s" 203 role = "${aws_iam_role.role.name}" 204 policy = <<EOF 205 { 206 "Version": "2012-10-17", 207 "Statement": { 208 "Effect": "Allow", 209 "Action": "*", 210 "Resource": "*" 211 } 212 } 213 EOF 214 } 215 `, role, policy1) 216 } 217 218 func testAccIAMRolePolicyConfig_namePrefix(role string) string { 219 return fmt.Sprintf(` 220 resource "aws_iam_role" "test" { 221 name = "tf_test_role_%s" 222 path = "/" 223 assume_role_policy = <<EOF 224 { 225 "Version": "2012-10-17", 226 "Statement": [ 227 { 228 "Action": "sts:AssumeRole", 229 "Principal": { 230 "Service": "ec2.amazonaws.com" 231 }, 232 "Effect": "Allow", 233 "Sid": "" 234 } 235 ] 236 } 237 EOF 238 } 239 240 resource "aws_iam_role_policy" "test" { 241 name_prefix = "tf_test_policy_" 242 role = "${aws_iam_role.test.name}" 243 policy = <<EOF 244 { 245 "Version": "2012-10-17", 246 "Statement": { 247 "Effect": "Allow", 248 "Action": "*", 249 "Resource": "*" 250 } 251 } 252 EOF 253 } 254 `, role) 255 } 256 257 func testAccIAMRolePolicyConfig_generatedName(role string) string { 258 return fmt.Sprintf(` 259 resource "aws_iam_role" "test" { 260 name = "tf_test_role_%s" 261 path = "/" 262 assume_role_policy = <<EOF 263 { 264 "Version": "2012-10-17", 265 "Statement": [ 266 { 267 "Action": "sts:AssumeRole", 268 "Principal": { 269 "Service": "ec2.amazonaws.com" 270 }, 271 "Effect": "Allow", 272 "Sid": "" 273 } 274 ] 275 } 276 EOF 277 } 278 279 resource "aws_iam_role_policy" "test" { 280 role = "${aws_iam_role.test.name}" 281 policy = <<EOF 282 { 283 "Version": "2012-10-17", 284 "Statement": { 285 "Effect": "Allow", 286 "Action": "*", 287 "Resource": "*" 288 } 289 } 290 EOF 291 } 292 `, role) 293 } 294 295 func testAccIAMRolePolicyConfigUpdate(role, policy1, policy2 string) string { 296 return fmt.Sprintf(` 297 resource "aws_iam_role" "role" { 298 name = "tf_test_role_%s" 299 path = "/" 300 assume_role_policy = <<EOF 301 { 302 "Version": "2012-10-17", 303 "Statement": [ 304 { 305 "Action": "sts:AssumeRole", 306 "Principal": { 307 "Service": "ec2.amazonaws.com" 308 }, 309 "Effect": "Allow", 310 "Sid": "" 311 } 312 ] 313 } 314 EOF 315 } 316 317 resource "aws_iam_role_policy" "foo" { 318 name = "tf_test_policy_%s" 319 role = "${aws_iam_role.role.name}" 320 policy = <<EOF 321 { 322 "Version": "2012-10-17", 323 "Statement": { 324 "Effect": "Allow", 325 "Action": "*", 326 "Resource": "*" 327 } 328 } 329 EOF 330 } 331 332 resource "aws_iam_role_policy" "bar" { 333 name = "tf_test_policy_2_%s" 334 role = "${aws_iam_role.role.name}" 335 policy = <<EOF 336 { 337 "Version": "2012-10-17", 338 "Statement": { 339 "Effect": "Allow", 340 "Action": "*", 341 "Resource": "*" 342 } 343 } 344 EOF 345 } 346 `, role, policy1, policy2) 347 } 348 349 func testAccIAMRolePolicyConfig_invalidJSON(role string) string { 350 return fmt.Sprintf(` 351 resource "aws_iam_role" "role" { 352 name = "tf_test_role_%s" 353 path = "/" 354 assume_role_policy = <<EOF 355 { 356 "Version": "2012-10-17", 357 "Statement": [ 358 { 359 "Action": "sts:AssumeRole", 360 "Principal": { 361 "Service": "ec2.amazonaws.com" 362 }, 363 "Effect": "Allow", 364 "Sid": "" 365 } 366 ] 367 } 368 EOF 369 } 370 371 resource "aws_iam_role_policy" "foo" { 372 name = "tf_test_policy_%s" 373 role = "${aws_iam_role.role.name}" 374 policy = <<EOF 375 { 376 "Version": "2012-10-17", 377 "Statement": { 378 "Effect": "Allow", 379 "Action": "*", 380 "Resource": "*" 381 } 382 } 383 EOF 384 } 385 `, role, role) 386 }