github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_config_config_rule_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"regexp"
     6  	"testing"
     7  
     8  	"github.com/aws/aws-sdk-go/aws"
     9  	"github.com/aws/aws-sdk-go/service/configservice"
    10  	"github.com/hashicorp/terraform/helper/acctest"
    11  	"github.com/hashicorp/terraform/helper/resource"
    12  	"github.com/hashicorp/terraform/terraform"
    13  )
    14  
    15  func testAccConfigConfigRule_basic(t *testing.T) {
    16  	var cr configservice.ConfigRule
    17  	rInt := acctest.RandInt()
    18  	expectedName := fmt.Sprintf("tf-acc-test-%d", rInt)
    19  
    20  	resource.Test(t, resource.TestCase{
    21  		PreCheck:     func() { testAccPreCheck(t) },
    22  		Providers:    testAccProviders,
    23  		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
    24  		Steps: []resource.TestStep{
    25  			{
    26  				Config: testAccConfigConfigRuleConfig_basic(rInt),
    27  				Check: resource.ComposeTestCheckFunc(
    28  					testAccCheckConfigConfigRuleExists("aws_config_config_rule.foo", &cr),
    29  					testAccCheckConfigConfigRuleName("aws_config_config_rule.foo", expectedName, &cr),
    30  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "name", expectedName),
    31  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.#", "1"),
    32  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.owner", "AWS"),
    33  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_identifier", "S3_BUCKET_VERSIONING_ENABLED"),
    34  				),
    35  			},
    36  		},
    37  	})
    38  }
    39  
    40  func testAccConfigConfigRule_ownerAws(t *testing.T) {
    41  	var cr configservice.ConfigRule
    42  	rInt := acctest.RandInt()
    43  	expectedName := fmt.Sprintf("tf-acc-test-%d", rInt)
    44  	expectedArn := regexp.MustCompile("arn:aws:config:[a-z0-9-]+:[0-9]{12}:config-rule/config-rule-([a-z0-9]+)")
    45  	expectedRuleId := regexp.MustCompile("config-rule-[a-z0-9]+")
    46  
    47  	resource.Test(t, resource.TestCase{
    48  		PreCheck:     func() { testAccPreCheck(t) },
    49  		Providers:    testAccProviders,
    50  		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
    51  		Steps: []resource.TestStep{
    52  			{
    53  				Config: testAccConfigConfigRuleConfig_ownerAws(rInt),
    54  				Check: resource.ComposeTestCheckFunc(
    55  					testAccCheckConfigConfigRuleExists("aws_config_config_rule.foo", &cr),
    56  					testAccCheckConfigConfigRuleName("aws_config_config_rule.foo", expectedName, &cr),
    57  					resource.TestMatchResourceAttr("aws_config_config_rule.foo", "arn", expectedArn),
    58  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "name", expectedName),
    59  					resource.TestMatchResourceAttr("aws_config_config_rule.foo", "rule_id", expectedRuleId),
    60  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "description", "Terraform Acceptance tests"),
    61  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.#", "1"),
    62  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.owner", "AWS"),
    63  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_identifier", "REQUIRED_TAGS"),
    64  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.#", "0"),
    65  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.#", "1"),
    66  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.compliance_resource_id", "blablah"),
    67  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.compliance_resource_types.#", "1"),
    68  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.compliance_resource_types.3865728585", "AWS::EC2::Instance"),
    69  				),
    70  			},
    71  		},
    72  	})
    73  }
    74  
    75  func testAccConfigConfigRule_customlambda(t *testing.T) {
    76  	var cr configservice.ConfigRule
    77  	rInt := acctest.RandInt()
    78  
    79  	expectedName := fmt.Sprintf("tf-acc-test-%d", rInt)
    80  	path := "test-fixtures/lambdatest.zip"
    81  	expectedArn := regexp.MustCompile("arn:aws:config:[a-z0-9-]+:[0-9]{12}:config-rule/config-rule-([a-z0-9]+)")
    82  	expectedFunctionArn := regexp.MustCompile(fmt.Sprintf("arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:function:tf_acc_lambda_awsconfig_%d", rInt))
    83  	expectedRuleId := regexp.MustCompile("config-rule-[a-z0-9]+")
    84  
    85  	resource.Test(t, resource.TestCase{
    86  		PreCheck:     func() { testAccPreCheck(t) },
    87  		Providers:    testAccProviders,
    88  		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
    89  		Steps: []resource.TestStep{
    90  			{
    91  				Config: testAccConfigConfigRuleConfig_customLambda(rInt, path),
    92  				Check: resource.ComposeTestCheckFunc(
    93  					testAccCheckConfigConfigRuleExists("aws_config_config_rule.foo", &cr),
    94  					testAccCheckConfigConfigRuleName("aws_config_config_rule.foo", expectedName, &cr),
    95  					resource.TestMatchResourceAttr("aws_config_config_rule.foo", "arn", expectedArn),
    96  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "name", expectedName),
    97  					resource.TestMatchResourceAttr("aws_config_config_rule.foo", "rule_id", expectedRuleId),
    98  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "description", "Terraform Acceptance tests"),
    99  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "maximum_execution_frequency", "Six_Hours"),
   100  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.#", "1"),
   101  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.owner", "CUSTOM_LAMBDA"),
   102  					resource.TestMatchResourceAttr("aws_config_config_rule.foo", "source.0.source_identifier", expectedFunctionArn),
   103  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.#", "1"),
   104  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.3026922761.event_source", "aws.config"),
   105  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.3026922761.message_type", "ConfigurationSnapshotDeliveryCompleted"),
   106  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.3026922761.maximum_execution_frequency", ""),
   107  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.#", "1"),
   108  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.tag_key", "IsTemporary"),
   109  					resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.tag_value", "yes"),
   110  				),
   111  			},
   112  		},
   113  	})
   114  }
   115  
   116  func testAccConfigConfigRule_importAws(t *testing.T) {
   117  	resourceName := "aws_config_config_rule.foo"
   118  	rInt := acctest.RandInt()
   119  
   120  	resource.Test(t, resource.TestCase{
   121  		PreCheck:     func() { testAccPreCheck(t) },
   122  		Providers:    testAccProviders,
   123  		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
   124  		Steps: []resource.TestStep{
   125  			resource.TestStep{
   126  				Config: testAccConfigConfigRuleConfig_ownerAws(rInt),
   127  			},
   128  
   129  			resource.TestStep{
   130  				ResourceName:      resourceName,
   131  				ImportState:       true,
   132  				ImportStateVerify: true,
   133  			},
   134  		},
   135  	})
   136  }
   137  
   138  func testAccConfigConfigRule_importLambda(t *testing.T) {
   139  	resourceName := "aws_config_config_rule.foo"
   140  	rInt := acctest.RandInt()
   141  
   142  	path := "test-fixtures/lambdatest.zip"
   143  
   144  	resource.Test(t, resource.TestCase{
   145  		PreCheck:     func() { testAccPreCheck(t) },
   146  		Providers:    testAccProviders,
   147  		CheckDestroy: testAccCheckConfigConfigRuleDestroy,
   148  		Steps: []resource.TestStep{
   149  			resource.TestStep{
   150  				Config: testAccConfigConfigRuleConfig_customLambda(rInt, path),
   151  			},
   152  
   153  			resource.TestStep{
   154  				ResourceName:      resourceName,
   155  				ImportState:       true,
   156  				ImportStateVerify: true,
   157  			},
   158  		},
   159  	})
   160  }
   161  
   162  func testAccCheckConfigConfigRuleName(n, desired string, obj *configservice.ConfigRule) resource.TestCheckFunc {
   163  	return func(s *terraform.State) error {
   164  		rs, ok := s.RootModule().Resources[n]
   165  		if !ok {
   166  			return fmt.Errorf("Not found: %s", n)
   167  		}
   168  		if rs.Primary.Attributes["name"] != *obj.ConfigRuleName {
   169  			return fmt.Errorf("Expected name: %q, given: %q", desired, *obj.ConfigRuleName)
   170  		}
   171  		return nil
   172  	}
   173  }
   174  
   175  func testAccCheckConfigConfigRuleExists(n string, obj *configservice.ConfigRule) resource.TestCheckFunc {
   176  	return func(s *terraform.State) error {
   177  		rs, ok := s.RootModule().Resources[n]
   178  		if !ok {
   179  			return fmt.Errorf("Not Found: %s", n)
   180  		}
   181  
   182  		if rs.Primary.ID == "" {
   183  			return fmt.Errorf("No config rule ID is set")
   184  		}
   185  
   186  		conn := testAccProvider.Meta().(*AWSClient).configconn
   187  		out, err := conn.DescribeConfigRules(&configservice.DescribeConfigRulesInput{
   188  			ConfigRuleNames: []*string{aws.String(rs.Primary.Attributes["name"])},
   189  		})
   190  		if err != nil {
   191  			return fmt.Errorf("Failed to describe config rule: %s", err)
   192  		}
   193  		if len(out.ConfigRules) < 1 {
   194  			return fmt.Errorf("No config rule found when describing %q", rs.Primary.Attributes["name"])
   195  		}
   196  
   197  		cr := out.ConfigRules[0]
   198  		*obj = *cr
   199  
   200  		return nil
   201  	}
   202  }
   203  
   204  func testAccCheckConfigConfigRuleDestroy(s *terraform.State) error {
   205  	conn := testAccProvider.Meta().(*AWSClient).configconn
   206  
   207  	for _, rs := range s.RootModule().Resources {
   208  		if rs.Type != "aws_config_config_rule" {
   209  			continue
   210  		}
   211  
   212  		resp, err := conn.DescribeConfigRules(&configservice.DescribeConfigRulesInput{
   213  			ConfigRuleNames: []*string{aws.String(rs.Primary.Attributes["name"])},
   214  		})
   215  
   216  		if err == nil {
   217  			if len(resp.ConfigRules) != 0 &&
   218  				*resp.ConfigRules[0].ConfigRuleName == rs.Primary.Attributes["name"] {
   219  				return fmt.Errorf("config rule still exists: %s", rs.Primary.Attributes["name"])
   220  			}
   221  		}
   222  	}
   223  
   224  	return nil
   225  }
   226  
   227  func testAccConfigConfigRuleConfig_basic(randInt int) string {
   228  	return fmt.Sprintf(`
   229  resource "aws_config_config_rule" "foo" {
   230      name = "tf-acc-test-%d"
   231      source {
   232          owner = "AWS"
   233          source_identifier = "S3_BUCKET_VERSIONING_ENABLED"
   234      }
   235      depends_on = ["aws_config_configuration_recorder.foo"]
   236  }
   237  
   238  resource "aws_config_configuration_recorder" "foo" {
   239    name = "tf-acc-test-%d"
   240    role_arn = "${aws_iam_role.r.arn}"
   241  }
   242  
   243  resource "aws_iam_role" "r" {
   244      name = "tf-acc-test-awsconfig-%d"
   245      assume_role_policy = <<EOF
   246  {
   247    "Version": "2012-10-17",
   248    "Statement": [
   249      {
   250        "Action": "sts:AssumeRole",
   251        "Principal": {
   252          "Service": "config.amazonaws.com"
   253        },
   254        "Effect": "Allow",
   255        "Sid": ""
   256      }
   257    ]
   258  }
   259  EOF
   260  }
   261  
   262  resource "aws_iam_role_policy" "p" {
   263      name = "tf-acc-test-awsconfig-%d"
   264      role = "${aws_iam_role.r.id}"
   265      policy = <<EOF
   266  {
   267    "Version": "2012-10-17",
   268    "Statement": [
   269      {
   270          "Action": "config:Put*",
   271          "Effect": "Allow",
   272          "Resource": "*"
   273  
   274      }
   275    ]
   276  }
   277  EOF
   278  }`, randInt, randInt, randInt, randInt)
   279  }
   280  
   281  func testAccConfigConfigRuleConfig_ownerAws(randInt int) string {
   282  	return fmt.Sprintf(`
   283  resource "aws_config_config_rule" "foo" {
   284      name = "tf-acc-test-%d"
   285      description = "Terraform Acceptance tests"
   286      source {
   287          owner = "AWS"
   288          source_identifier = "REQUIRED_TAGS"
   289      }
   290      scope {
   291      	compliance_resource_id = "blablah"
   292      	compliance_resource_types = ["AWS::EC2::Instance"]
   293      }
   294      input_parameters = <<PARAMS
   295  {"tag1Key":"CostCenter", "tag2Key":"Owner"}
   296  PARAMS
   297      depends_on = ["aws_config_configuration_recorder.foo"]
   298  }
   299  
   300  resource "aws_config_configuration_recorder" "foo" {
   301    name = "tf-acc-test-%d"
   302    role_arn = "${aws_iam_role.r.arn}"
   303  }
   304  
   305  resource "aws_iam_role" "r" {
   306      name = "tf-acc-test-awsconfig-%d"
   307      assume_role_policy = <<EOF
   308  {
   309    "Version": "2012-10-17",
   310    "Statement": [
   311      {
   312        "Action": "sts:AssumeRole",
   313        "Principal": {
   314          "Service": "config.amazonaws.com"
   315        },
   316        "Effect": "Allow",
   317        "Sid": ""
   318      }
   319    ]
   320  }
   321  EOF
   322  }
   323  
   324  resource "aws_iam_role_policy" "p" {
   325      name = "tf-acc-test-awsconfig-%d"
   326      role = "${aws_iam_role.r.id}"
   327      policy = <<EOF
   328  {
   329    "Version": "2012-10-17",
   330    "Statement": [
   331      {
   332          "Action": "config:Put*",
   333          "Effect": "Allow",
   334          "Resource": "*"
   335  
   336      }
   337    ]
   338  }
   339  EOF
   340  }`, randInt, randInt, randInt, randInt)
   341  }
   342  
   343  func testAccConfigConfigRuleConfig_customLambda(randInt int, path string) string {
   344  	return fmt.Sprintf(`
   345  resource "aws_config_config_rule" "foo" {
   346    name = "tf-acc-test-%d"
   347    description = "Terraform Acceptance tests"
   348    maximum_execution_frequency = "Six_Hours"
   349    source {
   350        owner = "CUSTOM_LAMBDA"
   351        source_identifier = "${aws_lambda_function.f.arn}"
   352        source_detail {
   353          event_source = "aws.config"
   354          message_type = "ConfigurationSnapshotDeliveryCompleted"
   355        }
   356    }
   357    scope {
   358      tag_key = "IsTemporary"
   359      tag_value = "yes"
   360    }
   361    depends_on = [
   362      "aws_config_configuration_recorder.foo",
   363      "aws_config_delivery_channel.foo",
   364    ]
   365  }
   366  
   367  resource "aws_lambda_function" "f" {
   368    filename = "%s"
   369    function_name = "tf_acc_lambda_awsconfig_%d"
   370    role = "${aws_iam_role.iam_for_lambda.arn}"
   371    handler = "exports.example"
   372    runtime = "nodejs4.3"
   373  }
   374  
   375  resource "aws_lambda_permission" "p" {
   376    statement_id = "AllowExecutionFromConfig"
   377    action = "lambda:InvokeFunction"
   378    function_name = "${aws_lambda_function.f.arn}"
   379    principal = "config.amazonaws.com"
   380  }
   381  
   382  resource "aws_iam_role" "iam_for_lambda" {
   383    name = "tf_acc_lambda_aws_config_%d"
   384    assume_role_policy = <<POLICY
   385  {
   386    "Version": "2012-10-17",
   387    "Statement": [
   388      {
   389        "Action": "sts:AssumeRole",
   390        "Principal": {
   391          "Service": "lambda.amazonaws.com"
   392        },
   393        "Effect": "Allow",
   394        "Sid": ""
   395      }
   396    ]
   397  }
   398  POLICY
   399  }
   400  
   401  resource "aws_iam_role_policy_attachment" "a" {
   402    role = "${aws_iam_role.iam_for_lambda.name}"
   403    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole"
   404  }
   405  
   406  resource "aws_config_delivery_channel" "foo" {
   407    name = "tf-acc-test-%d"
   408    s3_bucket_name = "${aws_s3_bucket.b.bucket}"
   409    snapshot_delivery_properties {
   410      delivery_frequency = "Six_Hours"
   411    }
   412    depends_on = ["aws_config_configuration_recorder.foo"]
   413  }
   414  
   415  resource "aws_s3_bucket" "b" {
   416    bucket = "tf-acc-awsconfig-%d"
   417    force_destroy = true
   418  }
   419  
   420  resource "aws_config_configuration_recorder" "foo" {
   421    name = "tf-acc-test-%d"
   422    role_arn = "${aws_iam_role.r.arn}"
   423  }
   424  
   425  resource "aws_iam_role" "r" {
   426    name = "tf-acc-test-awsconfig-%d"
   427    assume_role_policy = <<POLICY
   428  {
   429    "Version": "2012-10-17",
   430    "Statement": [
   431      {
   432        "Action": "sts:AssumeRole",
   433        "Principal": {
   434          "Service": "config.amazonaws.com"
   435        },
   436        "Effect": "Allow",
   437        "Sid": ""
   438      }
   439    ]
   440  }
   441  POLICY
   442  }
   443  
   444  resource "aws_iam_role_policy" "p" {
   445    name = "tf-acc-test-awsconfig-%d"
   446    role = "${aws_iam_role.r.id}"
   447    policy = <<POLICY
   448  {
   449    "Version": "2012-10-17",
   450    "Statement": [
   451      {
   452        "Action": "config:Put*",
   453        "Effect": "Allow",
   454        "Resource": "*"
   455      },
   456      {
   457        "Action": "s3:*",
   458        "Effect": "Allow",
   459        "Resource": [
   460          "${aws_s3_bucket.b.arn}",
   461          "${aws_s3_bucket.b.arn}/*"
   462        ]
   463      },
   464      {
   465        "Action": "lambda:*",
   466        "Effect": "Allow",
   467        "Resource": "${aws_lambda_function.f.arn}"
   468      }
   469    ]
   470  }
   471  POLICY
   472  }`, randInt, path, randInt, randInt, randInt, randInt, randInt, randInt, randInt)
   473  }