github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/builtin/providers/aws/resource_aws_config_config_rule_test.go (about) 1 package aws 2 3 import ( 4 "fmt" 5 "regexp" 6 "testing" 7 8 "github.com/aws/aws-sdk-go/aws" 9 "github.com/aws/aws-sdk-go/service/configservice" 10 "github.com/hashicorp/terraform/helper/acctest" 11 "github.com/hashicorp/terraform/helper/resource" 12 "github.com/hashicorp/terraform/terraform" 13 ) 14 15 func testAccConfigConfigRule_basic(t *testing.T) { 16 var cr configservice.ConfigRule 17 rInt := acctest.RandInt() 18 expectedName := fmt.Sprintf("tf-acc-test-%d", rInt) 19 20 resource.Test(t, resource.TestCase{ 21 PreCheck: func() { testAccPreCheck(t) }, 22 Providers: testAccProviders, 23 CheckDestroy: testAccCheckConfigConfigRuleDestroy, 24 Steps: []resource.TestStep{ 25 { 26 Config: testAccConfigConfigRuleConfig_basic(rInt), 27 Check: resource.ComposeTestCheckFunc( 28 testAccCheckConfigConfigRuleExists("aws_config_config_rule.foo", &cr), 29 testAccCheckConfigConfigRuleName("aws_config_config_rule.foo", expectedName, &cr), 30 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "name", expectedName), 31 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.#", "1"), 32 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.owner", "AWS"), 33 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_identifier", "S3_BUCKET_VERSIONING_ENABLED"), 34 ), 35 }, 36 }, 37 }) 38 } 39 40 func testAccConfigConfigRule_ownerAws(t *testing.T) { 41 var cr configservice.ConfigRule 42 rInt := acctest.RandInt() 43 expectedName := fmt.Sprintf("tf-acc-test-%d", rInt) 44 expectedArn := regexp.MustCompile("arn:aws:config:[a-z0-9-]+:[0-9]{12}:config-rule/config-rule-([a-z0-9]+)") 45 expectedRuleId := regexp.MustCompile("config-rule-[a-z0-9]+") 46 47 resource.Test(t, resource.TestCase{ 48 PreCheck: func() { testAccPreCheck(t) }, 49 Providers: testAccProviders, 50 CheckDestroy: testAccCheckConfigConfigRuleDestroy, 51 Steps: []resource.TestStep{ 52 { 53 Config: testAccConfigConfigRuleConfig_ownerAws(rInt), 54 Check: resource.ComposeTestCheckFunc( 55 testAccCheckConfigConfigRuleExists("aws_config_config_rule.foo", &cr), 56 testAccCheckConfigConfigRuleName("aws_config_config_rule.foo", expectedName, &cr), 57 resource.TestMatchResourceAttr("aws_config_config_rule.foo", "arn", expectedArn), 58 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "name", expectedName), 59 resource.TestMatchResourceAttr("aws_config_config_rule.foo", "rule_id", expectedRuleId), 60 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "description", "Terraform Acceptance tests"), 61 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.#", "1"), 62 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.owner", "AWS"), 63 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_identifier", "REQUIRED_TAGS"), 64 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.#", "0"), 65 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.#", "1"), 66 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.compliance_resource_id", "blablah"), 67 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.compliance_resource_types.#", "1"), 68 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.compliance_resource_types.3865728585", "AWS::EC2::Instance"), 69 ), 70 }, 71 }, 72 }) 73 } 74 75 func testAccConfigConfigRule_customlambda(t *testing.T) { 76 var cr configservice.ConfigRule 77 rInt := acctest.RandInt() 78 79 expectedName := fmt.Sprintf("tf-acc-test-%d", rInt) 80 path := "test-fixtures/lambdatest.zip" 81 expectedArn := regexp.MustCompile("arn:aws:config:[a-z0-9-]+:[0-9]{12}:config-rule/config-rule-([a-z0-9]+)") 82 expectedFunctionArn := regexp.MustCompile(fmt.Sprintf("arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:function:tf_acc_lambda_awsconfig_%d", rInt)) 83 expectedRuleId := regexp.MustCompile("config-rule-[a-z0-9]+") 84 85 resource.Test(t, resource.TestCase{ 86 PreCheck: func() { testAccPreCheck(t) }, 87 Providers: testAccProviders, 88 CheckDestroy: testAccCheckConfigConfigRuleDestroy, 89 Steps: []resource.TestStep{ 90 { 91 Config: testAccConfigConfigRuleConfig_customLambda(rInt, path), 92 Check: resource.ComposeTestCheckFunc( 93 testAccCheckConfigConfigRuleExists("aws_config_config_rule.foo", &cr), 94 testAccCheckConfigConfigRuleName("aws_config_config_rule.foo", expectedName, &cr), 95 resource.TestMatchResourceAttr("aws_config_config_rule.foo", "arn", expectedArn), 96 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "name", expectedName), 97 resource.TestMatchResourceAttr("aws_config_config_rule.foo", "rule_id", expectedRuleId), 98 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "description", "Terraform Acceptance tests"), 99 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "maximum_execution_frequency", "Six_Hours"), 100 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.#", "1"), 101 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.owner", "CUSTOM_LAMBDA"), 102 resource.TestMatchResourceAttr("aws_config_config_rule.foo", "source.0.source_identifier", expectedFunctionArn), 103 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.#", "1"), 104 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.3026922761.event_source", "aws.config"), 105 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.3026922761.message_type", "ConfigurationSnapshotDeliveryCompleted"), 106 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "source.0.source_detail.3026922761.maximum_execution_frequency", ""), 107 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.#", "1"), 108 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.tag_key", "IsTemporary"), 109 resource.TestCheckResourceAttr("aws_config_config_rule.foo", "scope.0.tag_value", "yes"), 110 ), 111 }, 112 }, 113 }) 114 } 115 116 func testAccConfigConfigRule_importAws(t *testing.T) { 117 resourceName := "aws_config_config_rule.foo" 118 rInt := acctest.RandInt() 119 120 resource.Test(t, resource.TestCase{ 121 PreCheck: func() { testAccPreCheck(t) }, 122 Providers: testAccProviders, 123 CheckDestroy: testAccCheckConfigConfigRuleDestroy, 124 Steps: []resource.TestStep{ 125 resource.TestStep{ 126 Config: testAccConfigConfigRuleConfig_ownerAws(rInt), 127 }, 128 129 resource.TestStep{ 130 ResourceName: resourceName, 131 ImportState: true, 132 ImportStateVerify: true, 133 }, 134 }, 135 }) 136 } 137 138 func testAccConfigConfigRule_importLambda(t *testing.T) { 139 resourceName := "aws_config_config_rule.foo" 140 rInt := acctest.RandInt() 141 142 path := "test-fixtures/lambdatest.zip" 143 144 resource.Test(t, resource.TestCase{ 145 PreCheck: func() { testAccPreCheck(t) }, 146 Providers: testAccProviders, 147 CheckDestroy: testAccCheckConfigConfigRuleDestroy, 148 Steps: []resource.TestStep{ 149 resource.TestStep{ 150 Config: testAccConfigConfigRuleConfig_customLambda(rInt, path), 151 }, 152 153 resource.TestStep{ 154 ResourceName: resourceName, 155 ImportState: true, 156 ImportStateVerify: true, 157 }, 158 }, 159 }) 160 } 161 162 func testAccCheckConfigConfigRuleName(n, desired string, obj *configservice.ConfigRule) resource.TestCheckFunc { 163 return func(s *terraform.State) error { 164 rs, ok := s.RootModule().Resources[n] 165 if !ok { 166 return fmt.Errorf("Not found: %s", n) 167 } 168 if rs.Primary.Attributes["name"] != *obj.ConfigRuleName { 169 return fmt.Errorf("Expected name: %q, given: %q", desired, *obj.ConfigRuleName) 170 } 171 return nil 172 } 173 } 174 175 func testAccCheckConfigConfigRuleExists(n string, obj *configservice.ConfigRule) resource.TestCheckFunc { 176 return func(s *terraform.State) error { 177 rs, ok := s.RootModule().Resources[n] 178 if !ok { 179 return fmt.Errorf("Not Found: %s", n) 180 } 181 182 if rs.Primary.ID == "" { 183 return fmt.Errorf("No config rule ID is set") 184 } 185 186 conn := testAccProvider.Meta().(*AWSClient).configconn 187 out, err := conn.DescribeConfigRules(&configservice.DescribeConfigRulesInput{ 188 ConfigRuleNames: []*string{aws.String(rs.Primary.Attributes["name"])}, 189 }) 190 if err != nil { 191 return fmt.Errorf("Failed to describe config rule: %s", err) 192 } 193 if len(out.ConfigRules) < 1 { 194 return fmt.Errorf("No config rule found when describing %q", rs.Primary.Attributes["name"]) 195 } 196 197 cr := out.ConfigRules[0] 198 *obj = *cr 199 200 return nil 201 } 202 } 203 204 func testAccCheckConfigConfigRuleDestroy(s *terraform.State) error { 205 conn := testAccProvider.Meta().(*AWSClient).configconn 206 207 for _, rs := range s.RootModule().Resources { 208 if rs.Type != "aws_config_config_rule" { 209 continue 210 } 211 212 resp, err := conn.DescribeConfigRules(&configservice.DescribeConfigRulesInput{ 213 ConfigRuleNames: []*string{aws.String(rs.Primary.Attributes["name"])}, 214 }) 215 216 if err == nil { 217 if len(resp.ConfigRules) != 0 && 218 *resp.ConfigRules[0].ConfigRuleName == rs.Primary.Attributes["name"] { 219 return fmt.Errorf("config rule still exists: %s", rs.Primary.Attributes["name"]) 220 } 221 } 222 } 223 224 return nil 225 } 226 227 func testAccConfigConfigRuleConfig_basic(randInt int) string { 228 return fmt.Sprintf(` 229 resource "aws_config_config_rule" "foo" { 230 name = "tf-acc-test-%d" 231 source { 232 owner = "AWS" 233 source_identifier = "S3_BUCKET_VERSIONING_ENABLED" 234 } 235 depends_on = ["aws_config_configuration_recorder.foo"] 236 } 237 238 resource "aws_config_configuration_recorder" "foo" { 239 name = "tf-acc-test-%d" 240 role_arn = "${aws_iam_role.r.arn}" 241 } 242 243 resource "aws_iam_role" "r" { 244 name = "tf-acc-test-awsconfig-%d" 245 assume_role_policy = <<EOF 246 { 247 "Version": "2012-10-17", 248 "Statement": [ 249 { 250 "Action": "sts:AssumeRole", 251 "Principal": { 252 "Service": "config.amazonaws.com" 253 }, 254 "Effect": "Allow", 255 "Sid": "" 256 } 257 ] 258 } 259 EOF 260 } 261 262 resource "aws_iam_role_policy" "p" { 263 name = "tf-acc-test-awsconfig-%d" 264 role = "${aws_iam_role.r.id}" 265 policy = <<EOF 266 { 267 "Version": "2012-10-17", 268 "Statement": [ 269 { 270 "Action": "config:Put*", 271 "Effect": "Allow", 272 "Resource": "*" 273 274 } 275 ] 276 } 277 EOF 278 }`, randInt, randInt, randInt, randInt) 279 } 280 281 func testAccConfigConfigRuleConfig_ownerAws(randInt int) string { 282 return fmt.Sprintf(` 283 resource "aws_config_config_rule" "foo" { 284 name = "tf-acc-test-%d" 285 description = "Terraform Acceptance tests" 286 source { 287 owner = "AWS" 288 source_identifier = "REQUIRED_TAGS" 289 } 290 scope { 291 compliance_resource_id = "blablah" 292 compliance_resource_types = ["AWS::EC2::Instance"] 293 } 294 input_parameters = <<PARAMS 295 {"tag1Key":"CostCenter", "tag2Key":"Owner"} 296 PARAMS 297 depends_on = ["aws_config_configuration_recorder.foo"] 298 } 299 300 resource "aws_config_configuration_recorder" "foo" { 301 name = "tf-acc-test-%d" 302 role_arn = "${aws_iam_role.r.arn}" 303 } 304 305 resource "aws_iam_role" "r" { 306 name = "tf-acc-test-awsconfig-%d" 307 assume_role_policy = <<EOF 308 { 309 "Version": "2012-10-17", 310 "Statement": [ 311 { 312 "Action": "sts:AssumeRole", 313 "Principal": { 314 "Service": "config.amazonaws.com" 315 }, 316 "Effect": "Allow", 317 "Sid": "" 318 } 319 ] 320 } 321 EOF 322 } 323 324 resource "aws_iam_role_policy" "p" { 325 name = "tf-acc-test-awsconfig-%d" 326 role = "${aws_iam_role.r.id}" 327 policy = <<EOF 328 { 329 "Version": "2012-10-17", 330 "Statement": [ 331 { 332 "Action": "config:Put*", 333 "Effect": "Allow", 334 "Resource": "*" 335 336 } 337 ] 338 } 339 EOF 340 }`, randInt, randInt, randInt, randInt) 341 } 342 343 func testAccConfigConfigRuleConfig_customLambda(randInt int, path string) string { 344 return fmt.Sprintf(` 345 resource "aws_config_config_rule" "foo" { 346 name = "tf-acc-test-%d" 347 description = "Terraform Acceptance tests" 348 maximum_execution_frequency = "Six_Hours" 349 source { 350 owner = "CUSTOM_LAMBDA" 351 source_identifier = "${aws_lambda_function.f.arn}" 352 source_detail { 353 event_source = "aws.config" 354 message_type = "ConfigurationSnapshotDeliveryCompleted" 355 } 356 } 357 scope { 358 tag_key = "IsTemporary" 359 tag_value = "yes" 360 } 361 depends_on = [ 362 "aws_config_configuration_recorder.foo", 363 "aws_config_delivery_channel.foo", 364 ] 365 } 366 367 resource "aws_lambda_function" "f" { 368 filename = "%s" 369 function_name = "tf_acc_lambda_awsconfig_%d" 370 role = "${aws_iam_role.iam_for_lambda.arn}" 371 handler = "exports.example" 372 runtime = "nodejs4.3" 373 } 374 375 resource "aws_lambda_permission" "p" { 376 statement_id = "AllowExecutionFromConfig" 377 action = "lambda:InvokeFunction" 378 function_name = "${aws_lambda_function.f.arn}" 379 principal = "config.amazonaws.com" 380 } 381 382 resource "aws_iam_role" "iam_for_lambda" { 383 name = "tf_acc_lambda_aws_config_%d" 384 assume_role_policy = <<POLICY 385 { 386 "Version": "2012-10-17", 387 "Statement": [ 388 { 389 "Action": "sts:AssumeRole", 390 "Principal": { 391 "Service": "lambda.amazonaws.com" 392 }, 393 "Effect": "Allow", 394 "Sid": "" 395 } 396 ] 397 } 398 POLICY 399 } 400 401 resource "aws_iam_role_policy_attachment" "a" { 402 role = "${aws_iam_role.iam_for_lambda.name}" 403 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole" 404 } 405 406 resource "aws_config_delivery_channel" "foo" { 407 name = "tf-acc-test-%d" 408 s3_bucket_name = "${aws_s3_bucket.b.bucket}" 409 snapshot_delivery_properties { 410 delivery_frequency = "Six_Hours" 411 } 412 depends_on = ["aws_config_configuration_recorder.foo"] 413 } 414 415 resource "aws_s3_bucket" "b" { 416 bucket = "tf-acc-awsconfig-%d" 417 force_destroy = true 418 } 419 420 resource "aws_config_configuration_recorder" "foo" { 421 name = "tf-acc-test-%d" 422 role_arn = "${aws_iam_role.r.arn}" 423 } 424 425 resource "aws_iam_role" "r" { 426 name = "tf-acc-test-awsconfig-%d" 427 assume_role_policy = <<POLICY 428 { 429 "Version": "2012-10-17", 430 "Statement": [ 431 { 432 "Action": "sts:AssumeRole", 433 "Principal": { 434 "Service": "config.amazonaws.com" 435 }, 436 "Effect": "Allow", 437 "Sid": "" 438 } 439 ] 440 } 441 POLICY 442 } 443 444 resource "aws_iam_role_policy" "p" { 445 name = "tf-acc-test-awsconfig-%d" 446 role = "${aws_iam_role.r.id}" 447 policy = <<POLICY 448 { 449 "Version": "2012-10-17", 450 "Statement": [ 451 { 452 "Action": "config:Put*", 453 "Effect": "Allow", 454 "Resource": "*" 455 }, 456 { 457 "Action": "s3:*", 458 "Effect": "Allow", 459 "Resource": [ 460 "${aws_s3_bucket.b.arn}", 461 "${aws_s3_bucket.b.arn}/*" 462 ] 463 }, 464 { 465 "Action": "lambda:*", 466 "Effect": "Allow", 467 "Resource": "${aws_lambda_function.f.arn}" 468 } 469 ] 470 } 471 POLICY 472 }`, randInt, path, randInt, randInt, randInt, randInt, randInt, randInt, randInt) 473 }