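package aws

import (
	"fmt"
	"testing"

	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// TestAccAWSIAMPolicyDocument renders testAccAWSIAMPolicyDocumentConfig through
// the aws_iam_policy_document data source and pins its "json" attribute to
// testAccAWSIAMPolicyDocumentExpectedJSON with an exact string comparison. Any
// change in key order, whitespace, list collapsing, policy-variable escaping
// or principal normalization therefore fails this test.
func TestAccAWSIAMPolicyDocument(t *testing.T) {
	// This really ought to be able to be a unit test rather than an
	// acceptance test, but just instantiating the AWS provider requires
	// some AWS API calls, and so this needs valid AWS credentials to work.
	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSIAMPolicyDocumentConfig,
				Check: resource.ComposeTestCheckFunc(
					testAccCheckStateValue(
						"data.aws_iam_policy_document.test",
						"json",
						testAccAWSIAMPolicyDocumentExpectedJSON,
					),
				),
			},
		},
	})
}

// testAccCheckStateValue returns a check that the resource at address id
// exists in the state's root module, has a non-empty ID, and carries the
// attribute name with exactly the given value (byte-for-byte; this is how the
// rendered policy JSON is pinned).
//
// An attribute that is absent from the state is reported as such instead of
// being compared as the empty string, so a renamed or unset attribute is
// distinguishable from wrong output in the failure message.
func testAccCheckStateValue(id, name, value string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[id]
		if !ok {
			return fmt.Errorf("Not found: %s", id)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No ID is set")
		}

		v, ok := rs.Primary.Attributes[name]
		if !ok {
			return fmt.Errorf("Attribute %q is not present in state for %s", name, id)
		}
		if v != value {
			return fmt.Errorf(
				"Value for %s is %s, not %s", name, v, value)
		}

		return nil
	}
}

// testAccAWSIAMPolicyDocumentConfig is the fixture rendered by the test. It
// exercises the serialization paths that the expected JSON below pins:
//   - policy_id (top-level "Id") and per-statement sid
//   - actions / not_actions, resources / not_resources, effect (Allow is the
//     default; the fourth statement is an explicit Deny)
//   - condition blocks
//   - principals and not_principals
//   - the &{...} escape, which is how an IAM policy variable such as
//     ${aws:username} is written so Terraform does not try to interpolate it
//   - wildcard principals spelled both as {AWS = ["*"]} and {"*" = ["*"]}
//
// The last two statements grant kinesis:* and firehose:* to any principal and
// carry no resources; they exist only to exercise wildcard normalization and
// are not a pattern to copy into a real policy.
var testAccAWSIAMPolicyDocumentConfig = `
data "aws_iam_policy_document" "test" {
  policy_id = "policy_id"
  statement {
    sid = "1"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]
    resources = [
      "arn:aws:s3:::*",
    ]
  }

  statement {
    actions = [
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::foo",
    ]
    condition {
      test = "StringLike"
      variable = "s3:prefix"
      values = [
        "home/",
        "home/&{aws:username}/",
      ]
    }

    not_principals {
      type = "AWS"
      identifiers = ["arn:blahblah:example"]
    }
  }

  statement {
    actions = [
      "s3:*",
    ]
    resources = [
      "arn:aws:s3:::foo/home/&{aws:username}",
      "arn:aws:s3:::foo/home/&{aws:username}/*",
    ]
    principals {
      type = "AWS"
      identifiers = ["arn:blahblah:example"]
    }
  }

  statement {
    effect = "Deny"
    not_actions = ["s3:*"]
    not_resources = ["arn:aws:s3:::*"]
  }

  # Normalization of wildcard principals
  statement {
    effect = "Allow"
    actions = ["kinesis:*"]
    principals {
      type = "AWS"
      identifiers = ["*"]
    }
  }
  statement {
    effect = "Allow"
    actions = ["firehose:*"]
    principals {
      type = "*"
      identifiers = ["*"]
    }
  }

}
`

// testAccAWSIAMPolicyDocumentExpectedJSON is the exact "json" attribute the
// data source must produce for the config above. What the comparison pins:
//   - single-element lists collapse to a scalar ("Resource": "arn:aws:s3:::*",
//     "Action": "s3:ListBucket"); multi-element lists stay arrays
//   - &{aws:username} in the config is emitted as the IAM policy variable
//     ${aws:username}
//   - both wildcard principal spellings normalize to "Principal": "*"
//   - a statement without a sid still carries "Sid": "" rather than omitting
//     the key. NOTE(review): confirm IAM accepts repeated empty Sids; if it
//     does not, this test is enshrining a provider bug.
//   - the condition values and the third statement's resources appear in a
//     different order than in the config; presumably the provider's set
//     ordering. The comparison is exact, so it pins that order as well.
var testAccAWSIAMPolicyDocumentExpectedJSON = `{
  "Version": "2012-10-17",
  "Id": "policy_id",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::foo",
      "NotPrincipal": {
        "AWS": "arn:blahblah:example"
      },
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${aws:username}/",
            "home/"
          ]
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::foo/home/${aws:username}/*",
        "arn:aws:s3:::foo/home/${aws:username}"
      ],
      "Principal": {
        "AWS": "arn:blahblah:example"
      }
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "NotAction": "s3:*",
      "NotResource": "arn:aws:s3:::*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "kinesis:*",
      "Principal": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "firehose:*",
      "Principal": "*"
    }
  ]
}`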