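package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/terraform/helper/acctest"
	"github.com/hashicorp/terraform/helper/resource"
	"github.com/hashicorp/terraform/terraform"
)

// Acceptance tests for aws_iam_policy_attachment. They run against a real AWS
// account (TF_ACC=1) and create, attach and destroy live IAM principals and a
// customer-managed policy.
//
// NOTE(review): the role, group and policy fixtures below use fixed names
// (test-role, test-group, test-policy, ...). Two concurrent runs against the
// same account collide on those names, and a run that aborts before destroy
// leaves fixtures behind that must be removed by hand. Only the IAM user
// names are randomised.

// TestAccAWSPolicyAttachment_basic attaches one policy to a user, a role and a
// group, then swaps every principal for new ones in a second step and checks
// that the attachment set observed in IAM follows the configuration.
func TestAccAWSPolicyAttachment_basic(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput

	user1 := fmt.Sprintf("test-user-%d", acctest.RandInt())
	user2 := fmt.Sprintf("test-user-%d", acctest.RandInt())
	user3 := fmt.Sprintf("test-user-%d", acctest.RandInt())

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			resource.TestStep{
				Config: testAccAWSPolicyAttachConfig(user1),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 3, &out),
					testAccCheckAWSPolicyAttachmentAttributes([]string{user1}, []string{"test-role"}, []string{"test-group"}, &out),
				),
			},
			resource.TestStep{
				Config: testAccAWSPolicyAttachConfigUpdate(user1, user2, user3),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-attach", 6, &out),
					// The update config attaches user2 and user3 (user1 stays
					// but is detached). Both must be named here: listing user3
					// twice would let a missing user2 go unnoticed.
					testAccCheckAWSPolicyAttachmentAttributes([]string{user2, user3}, []string{"test-role2", "test-role3"}, []string{"test-group2", "test-group3"}, &out),
				),
			},
		},
	})
}

// TestAccAWSPolicyAttachment_paginatedEntities attaches a policy to 101 users,
// intended to exceed a single default-size ListEntitiesForPolicy page so the
// resource has to follow pagination markers to account for every principal.
func TestAccAWSPolicyAttachment_paginatedEntities(t *testing.T) {
	var out iam.ListEntitiesForPolicyOutput
	rInt := acctest.RandInt()

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSPolicyAttachmentDestroy,
		Steps: []resource.TestStep{
			resource.TestStep{
				Config: testAccAWSPolicyPaginatedAttachConfig(rInt),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSPolicyAttachmentExists("aws_iam_policy_attachment.test-paginated-attach", 101, &out),
				),
			},
		},
	})
}

// testAccCheckAWSPolicyAttachmentDestroy verifies, after the destroy step,
// that no aws_iam_policy_attachment from the final state still has entities
// attached in IAM. The state handed in is the one recorded before destroy, so
// it still lists each attachment and the policy ARN it pointed at.
//
// The policy is part of the same configuration and is normally gone as well;
// GetPolicy then fails with NoSuchEntity and no attachment can survive without
// it. Any other error, or a policy that still reports a non-zero
// AttachmentCount, fails the test instead of being ignored: a dangling grant
// on a real principal is exactly the leak this check exists to catch.
func testAccCheckAWSPolicyAttachmentDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*AWSClient).iamconn

	for _, rs := range s.RootModule().Resources {
		if rs.Type != "aws_iam_policy_attachment" {
			continue
		}

		arn := rs.Primary.Attributes["policy_arn"]
		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			if testAccIsNoSuchEntityErr(err) {
				// The policy was destroyed together with the attachment.
				continue
			}
			return fmt.Errorf("Error checking destroy of attachment %s: GetPolicy(%s): %s", rs.Primary.ID, arn, err)
		}

		if n := aws.Int64Value(resp.Policy.AttachmentCount); n != 0 {
			return fmt.Errorf("Error: Policy (%s) still has %d entities attached after destroy", arn, n)
		}
	}

	return nil
}

// testAccIsNoSuchEntityErr reports whether err is an AWS API error carrying
// the IAM NoSuchEntity code. The code is read through a minimal interface so
// the test file does not need the awserr package; awserr.Error satisfies it.
func testAccIsNoSuchEntityErr(err error) bool {
	coded, ok := err.(interface {
		Code() string
	})
	return ok && coded.Code() == "NoSuchEntity"
}

// testAccCheckAWSPolicyAttachmentExists looks up the attachment resource n in
// state, confirms that the policy it references reports exactly c attached
// entities, and stores the full entity listing in *out for a following
// attributes check.
//
// ListEntitiesForPolicy is paginated; every page is gathered so the stored
// listing is complete even when more than one page of principals is attached.
func testAccCheckAWSPolicyAttachmentExists(n string, c int64, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}
		if rs.Primary.ID == "" {
			return fmt.Errorf("No attachment ID is set for %s", n)
		}

		conn := testAccProvider.Meta().(*AWSClient).iamconn
		arn := rs.Primary.Attributes["policy_arn"]

		resp, err := conn.GetPolicy(&iam.GetPolicyInput{
			PolicyArn: aws.String(arn),
		})
		if err != nil {
			return fmt.Errorf("Error: Policy (%s) for %s not found: %s", arn, n, err)
		}
		// Int64Value tolerates a nil AttachmentCount instead of panicking.
		if got := aws.Int64Value(resp.Policy.AttachmentCount); got != c {
			return fmt.Errorf("Error: Policy (%s) has %d entities attached, expected %d", arn, got, c)
		}

		var entities iam.ListEntitiesForPolicyOutput
		err = conn.ListEntitiesForPolicyPages(&iam.ListEntitiesForPolicyInput{
			PolicyArn: aws.String(arn),
		}, func(page *iam.ListEntitiesForPolicyOutput, lastPage bool) bool {
			entities.PolicyUsers = append(entities.PolicyUsers, page.PolicyUsers...)
			entities.PolicyRoles = append(entities.PolicyRoles, page.PolicyRoles...)
			entities.PolicyGroups = append(entities.PolicyGroups, page.PolicyGroups...)
			return !lastPage
		})
		if err != nil {
			return fmt.Errorf("Error: Failed to get entities for Policy (%s): %s", arn, err)
		}

		*out = entities
		return nil
	}
}

// testAccCheckAWSPolicyAttachmentAttributes asserts that every user, role and
// group name given is present in the entity listing captured by a preceding
// testAccCheckAWSPolicyAttachmentExists call. Presence is checked per name, so
// a duplicated expected name cannot stand in for a missing one. Extra attached
// entities are not rejected here; the total is pinned by the AttachmentCount
// check in the exists function.
func testAccCheckAWSPolicyAttachmentAttributes(users []string, roles []string, groups []string, out *iam.ListEntitiesForPolicyOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		attachedUsers := make(map[string]bool, len(out.PolicyUsers))
		for _, pu := range out.PolicyUsers {
			attachedUsers[aws.StringValue(pu.UserName)] = true
		}
		attachedRoles := make(map[string]bool, len(out.PolicyRoles))
		for _, pr := range out.PolicyRoles {
			attachedRoles[aws.StringValue(pr.RoleName)] = true
		}
		attachedGroups := make(map[string]bool, len(out.PolicyGroups))
		for _, pg := range out.PolicyGroups {
			attachedGroups[aws.StringValue(pg.GroupName)] = true
		}

		missingUsers := testAccMissingNames(users, attachedUsers)
		missingRoles := testAccMissingNames(roles, attachedRoles)
		missingGroups := testAccMissingNames(groups, attachedGroups)

		if len(missingUsers)+len(missingRoles)+len(missingGroups) != 0 {
			return fmt.Errorf("Error: Number of attached users, roles, or groups was incorrect:\n expected %d users and found %d (missing %v)\nexpected %d roles and found %d (missing %v)\nexpected %d groups and found %d (missing %v)",
				len(users), len(users)-len(missingUsers), missingUsers,
				len(roles), len(roles)-len(missingRoles), missingRoles,
				len(groups), len(groups)-len(missingGroups), missingGroups)
		}
		return nil
	}
}

// testAccMissingNames returns the entries of want that are not keys of have,
// in want's order. A nil result means every name was present.
func testAccMissingNames(want []string, have map[string]bool) []string {
	var missing []string
	for _, name := range want {
		if !have[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

// testAccAWSPolicyAttachConfig renders the initial configuration: one user
// (named u1), one role trusting ec2.amazonaws.com, one group, and a policy
// attached to all three.
//
// The policy grants only iam:ChangePassword. It is a live grant to real
// principals for the duration of the run, so it is kept deliberately minimal;
// do not widen it to make other assertions easier.
func testAccAWSPolicyAttachConfig(u1 string) string {
	return fmt.Sprintf(`
resource "aws_iam_user" "user" {
    name = "%s"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
resource "aws_iam_group" "group" {
    name = "test-group"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.name}"]
    roles = ["${aws_iam_role.role.name}"]
    groups = ["${aws_iam_group.group.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}`, u1)
}

// testAccAWSPolicyAttachConfigUpdate renders the second-step configuration.
// The original user, role and group remain in the configuration but the
// attachment now names only user2 and user3, role2 and role3, and group2 and
// group3, so the first step's principals must be detached in place.
func testAccAWSPolicyAttachConfigUpdate(u1, u2, u3 string) string {
	return fmt.Sprintf(`
resource "aws_iam_user" "user" {
    name = "%s"
}
resource "aws_iam_user" "user2" {
    name = "%s"
}
resource "aws_iam_user" "user3" {
    name = "%s"
}
resource "aws_iam_role" "role" {
    name = "test-role"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role" "role2" {
    name = "test-role2"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_role" "role3" {
    name = "test-role3"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}
resource "aws_iam_group" "group" {
    name = "test-group"
}
resource "aws_iam_group" "group2" {
    name = "test-group2"
}
resource "aws_iam_group" "group3" {
    name = "test-group3"
}

resource "aws_iam_policy" "policy" {
    name = "test-policy"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
    name = "test-attachment"
    users = [
        "${aws_iam_user.user2.name}",
        "${aws_iam_user.user3.name}"
    ]
    roles = [
        "${aws_iam_role.role2.name}",
        "${aws_iam_role.role3.name}"
    ]
    groups = [
        "${aws_iam_group.group2.name}",
        "${aws_iam_group.group3.name}"
    ]
    policy_arn = "${aws_iam_policy.policy.arn}"
}`, u1, u2, u3)
}

// testAccAWSPolicyPaginatedAttachConfig renders 101 users named
// paged-test-user-<rInt>-<index> and a randomly named policy attached to all
// of them. rInt is used twice: once in the user name prefix and once in the
// policy name. The "%%d" survives Sprintf as the "%d" consumed by HCL's
// format() for count.index.
func testAccAWSPolicyPaginatedAttachConfig(rInt int) string {
	return fmt.Sprintf(`
resource "aws_iam_user" "user" {
    count = 101
    name = "${format("paged-test-user-%d-%%d", count.index + 1)}"
}
resource "aws_iam_policy" "policy" {
    name = "tf-acc-test-policy-%d"
    description = "A test policy"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_policy_attachment" "test-paginated-attach" {
    name = "test-attachment"
    users = ["${aws_iam_user.user.*.name}"]
    policy_arn = "${aws_iam_policy.policy.arn}"
}`, rInt, rInt)
}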